Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

When machine groups are created using OU, how can I get the scan to use the machines FQDN rather than just hostname?


We recently started scanning a subdomain of our forest by using OU's.

When scanning the response is Error Code 201 - Network connection error.

I suspect it's only using the hostname rather than the FQDN.

The names are being resolved using the local subdomain's DNS suffix rather than the remote subdomain's DNS suffix.

For example:

 

Local domain is:

local.domain

 

Remote domain name is:

remote.domain

 

When scanning using the server in the local.domain.local domain host names are always resolved to host.local.domain

I'd like them to be resolved using the FQDN of the OU the hostnames are being pulled from - hostname.remote.domain

 

Is there a way to accomplish this?

 

Thanks!

Eric


stscheduleview in ver 9.1


Since upgrading to 9.1 whenever I do an "stscheduleview status" it always returns "no jobs found".  (with both builds 4334 & 4446).  Does this command still work with this version or is there something new that I'm missing?  I have tried uninstalling / reinstalling the scheduler on a couple of pcs but that did not change anything.  Any thoughts?

Update database for Shavlik offline scanning


I have gone through multiple "tutorials" for how to do offline patching but still have some issues that I can't resolve.  The "missing" patches are related to an IE8 update and to Win2008 SP1 (SP1 makes up about 20 missing patches).  I have tried to manually install the exe files, but the OS comes back and says they are already installed.  Shavlik however, says they are missing and I'm unable to get a clean scan.  I'm not sure if there is just a way to update the SQL database manually to show the patches exist or what the proper methods should be, but I have 5 "offline" servers right now that I'm unable to put into Production because I can't resolve these issues.  Thanks for the help!

Scanning MS Office


Hi,

I am in a strange situation with a customer.

 

We ship PCs to customers with few components of MS Office (eg. Word, Excel and Outlook), and customer is free to install other components of Office.

 

As a patching group, we are supplying patches to what we support (Word, Excel and Outlook) and customer is responsible for patching the extra components.

 

When customer scans his machine by selecting "Office" in the scan template, Protect shows up all the missing patches for all the components. (right now there is no option to select individual Office components).

 

One of the customers installed all the components of Office and is coming back to us and asking for all the missing patches, since Shavlik Protect shows them as missing.

 

He says that if we don't support then don't show them in the scan list.

 

Is there a way to select only required Office components while scanning?

 

Regards

Srikanth

Agent Manager in Protect version 9.


 

 

Purpose

 

The purpose of this document is to assist in locating the Agent Manager within Shavlik Protect version 9.

 

Cause

 

The Agent Manager has been removed. All functionality is available from within Machine View.

From: Shavlik Protect Release Notes

 

Resolution

 

Within Machine View you can install an agent onto machines, you can assign a different policy to machines that already contain an agent, and you can uninstall agents from machines. It also provides a convenient place to determine which machines have Protect Agents installed. You can access Machine View by selecting View>Machines.

 


 

How to View Only Agents

 

In Machine View (View> Machines) set the Smart Filters to 'Has an Agent Policy'. This will filter the Machine View to only show those machines that have an Agent.

 



 

 

Affected Product(s)

 

Shavlik Protect 9.x

Unable to connect to remote server


Hi,

 

I'm trying to update the files on my Shavlik server in Argentina but I appear to be unable to contact the download server. The following messages appear;

 

Downloading the latest manifest...

Error: File not downloaded: protect.manifest.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/manifest/protect.manifest.xml

Downloading latest engines and definitions...

Error: File not downloaded: PatchInstaller.msi

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/PatchInstaller.msi

Error: File not downloaded: AssetInstaller.msi

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/AssetInstaller.msi

Error: File not downloaded: ThreatInstaller.msi

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/ThreatInstaller.msi

Error: File not downloaded: STPlatformUpdater.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/STPlatformUpdater.exe

Error: File not downloaded: cl5.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/protect/v9/91/Protect/1048/cl5.exe

Error: File not downloaded: safereboot64.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/SafeReboot64.exe

Error: File not downloaded: safereboot.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/SafeReboot.exe

Error: File not downloaded: scriptcatalog.zip

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/scriptcatalog.zip

Error: File not downloaded: ST.Licensing.Data.dll

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/ST.Licensing.Data.dll

Error: File not downloaded: pd5.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/pd5.xml

Error: File not downloaded: 7z.dll

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/7z.dll

Error: File not downloaded: STRemoteCommand.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/STRemoteCommand.exe

Error: File not downloaded: DplyEvts.dll

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/DplyEvts.dll

Error: File not downloaded: StSchedEx.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/STSchedEx.exe

Error: File not downloaded: ai_dpd.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/ai_dpd.xml

Error: File not downloaded: assetinventory.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/assetinventory.xml

Error: File not downloaded: hypervisors.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/hypervisors.xml

Error: File not downloaded: hf7b.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/hf7b.xml

Error: File not downloaded: stScheduleView.exe

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/STScheduleView.exe

Error: File not downloaded: iadata.xml

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/iadata.xml

All engines and definitions are up to date.

Updating database with new definitions...

Checking for definition changes...

Updating the database with the latest definitions...

Downloading latest IT scripts...

Error: File not downloaded: scriptcatalog.zip

Error reason: Unable to connect to the remote server: http://xml.shavlik.com/data/scriptcatalog.zip

All engines and definitions are up to date.

Downloading PowerShell modules...

Importing ITScripts...

Process complete.

 

I've rebooted the server (Windows Server 2003), tried with the AV disabled also.

 

I checked on a different server (Windows 7)  that I have in the UK and everything downloads OK there. I can access the web from the server and I also tried re-activating the license key - but that failed as it couldn't connect to the shavlik.com server.

 

Thanks,

 

Steve

Modify Patch Scan template settings for results



Hello All, I have a mixed environment of both online and offline 9.1 console servers experiencing the same issue. When I scan a group of servers, the results are a mix of mostly error 452 and some successfully scanned devices. The mix of successfully scanned devices and 452 varies on each attempt but generally is more 452 than success. I tried all the suggestions from multiple posts about the 452 error, but the issue persists. I recently did a test and had the following results:

 

1. Opened the custom patch scan template and changed the simultaneous machines scanned value from its default of 64 to 2. The results changed to mostly successful device scans and only a couple 452's.

2. Changed the # machines scanned from 2 to 1 and it had successful device scans for all items in the group.

 

Is there an option in the GUI or an item in one of the config files that will allow me to change the timeout value for these scans such that I can still scan multiple devices at the same time?

 

Thanks!

Rob

Do you guys apply "Non-Security Patches" and "Security Tools"?


We just had a security audit.

 

Auditing company told us we were at risk because we were missing a bunch of "patches."

 

Upon inspection of the patches we are missing, they all seem to be considered Non-Security Patches or Security Tools. This makes sense because we only apply Security Patches (as categorized by Shavlik) right now.

 

So, what do you guys do right now? Are you patching just for Security Patches or doing Non-Security Patches and Security Tools as well? Did you pass an audit like that?


Shavlik Protect Console Service Crashing in Protect 9.0 when processing agent patch results


Purpose

 

We have identified a defect in Protect 9.0 (Gold and Patch 1) where agent patch scan results cause the Shavlik Protect Console service to crash.  You can identify the issue by the following method:

 

  • Agents are being used for patch management and the Shavlik Protect Console service is crashing frequently.
  • Enable ‘All’ logging in the Protect Tools – Options – Logging menu and capture the service crash.
  • Navigate to the \Logs folder and open the ST.ServiceHost.managed.log file.

 

Windows 2003/XP: C:\Documents & Settings\All Users\Application Data\Shavlik Protect\Logs

Windows 7, 8, 2008, & 2012: C:\ProgramData\LANDesk\Shavlik Protect\Logs

 

  • Search for FK and verify you see the following error:

 

FOREIGN KEY constraint "FK_ScanItems_ItemTypes". The conflict occurred in database "Protect", table "dbo.ItemTypes", column 'itKey'. The statement has been terminated..

 

Cause

 

This is due to a Service Pack mapping failure which causes an unknown ‘ItemType’ to be used. The crash occurs when the Shavlik Protect Console service attempts to insert that unknown ‘ItemType’ into the ‘scanItems’ table in the Protect database.

 

Resolution

 

Back up the Protect database: You can do this manually or you can use the Database Maintenance in Protect.

Remove the foreign key constraint in the database by executing the following script against the Protect database:

IF EXISTS (SELECT * FROM sys.foreign_keys WHERE object_id = OBJECT_ID(N'[dbo].[FK_ScanItems_ItemTypes]') AND parent_object_id = OBJECT_ID(N'[dbo].[ScanItems]'))

ALTER TABLE [dbo].[ScanItems] DROP CONSTRAINT [FK_ScanItems_ItemTypes]

How to Install Internet Explorer with Protect


Purpose


This document outlines the process of using Protect to install Internet Explorer. You can also view Software Distribution Best Practices and Informational Guide for more information about using the Software Distribution feature.

 

Steps


To install IE with Protect, you will need to use the Software Distribution feature.

First, create a scan template to detect the version of IE you want to install.

The first step is to create a patch group that contains the installer patch for IE. To do this, go to view patches and enter MSIE-010 in the search (this is for IE10; IE11 would be MSIE-011). You will then see the QNumber QIE1061N; right-click it and create a new patch group.

Now name and save your patch group.

The next step is to create the scan template.

 

Go to New\Patch Scan Template.

On the Filtering tab, select “Scan Selected” under Patch Filter Settings and select your patch group.

On the General tab of the scan template, check the box “Include effectively installed patches” and leave “Both missing and installed patches” selected.

On the Software Distribution tab, check the box “Software Distribution” so the scan template will show results for Software Distribution patches.

Now you can scan the machine you want to install IE on. The results should show either that the IE version is missing, so you can deploy it, or that it is effectively installed.

 

Additional Information

Prerequisite updates for Internet Explorer 11

Mail service


Recently upgraded to Protect 9.1.0 v4446 and have lost email service. Any fix other than reinstalling????                        

Where to view Protect agent scan\deployments results


Purpose

 

This document shows you how to view agent results using View - Machines in Protect 9.0 and above.

 

Machine View

 

You will always want to refresh the view when looking at Machine View to see the most current information.

 

In Machine View you will be able to determine what is happening with your Agent. The Machine View is an extremely powerful and flexible tool. It enables you to display current information about every machine in your network that has been previously scanned and whose information resides in the database. It organizes all of the scanned machines so they are displayed in one comprehensive view, regardless of when the machines were scanned. Machine View provides an easier method to both view and manage the current security state across both agent-based and agentless systems. Machine View differs from Scan View, which requires you to first locate the scan in which the machine was assessed before drilling down to view the machine’s scan summary.

 

You will see the current patch status of the client machine which includes missing or installed patches, Patch Definitions used in latest scan, latest Patch Scan Date, Agent Policy, Agent Version, Latest Check In along with other information at the top of your screen.


How to Manage Machines Dynamically using OUs within Active Directory or Domain name


Purpose

 

This document is meant to show how to use the features within Shavlik Protect to dynamically manage systems found within Active Directory or a domain.

 

Description

 

Within Protect it is possible to dynamically perform scan and deployment on machines managed via Active Directory or within a domain. To set up a machine group that can be used for this, follow the below steps:

 

Adding an Active Directory OU to a group

 

1) Create a new machine group by going to the 'New' Menu > Machine Group...


 

2) Name the group, click the 'Organization Unit' tab, then either type in the specific OU name if you know it, or the easier method is generally to click 'Browse Active Directory'.


 

3) Expand the containers as necessary, then check the box next to 'Computers' for any domain computers you want to be included in your scans.

4) Click 'Add checked items'.


 

5) You will now see the OU listed in the machine group.

     Be sure to set credentials that have admin access to all the machines.

     To do this, right-click the OU listed, then choose Set Credentials > Set admin credentials.

 

6) Choose the proper credential to use, then click 'Assign'.


 

7) You should now see the OU listed with Admin Credentials set. Click 'Save' to save your machine group.


 

8) Try running a scan on the group to test. As you can see in the example below, it should automatically pick up any machines that are part of the OU selected.

 

This function is dynamic when you check the box to include all computers of a domain. If you later add or remove machines from the OU in Active Directory, the machine group will automatically pick up on this when being used to run new scans in Protect.

 

 

Adding an entire Domain to the machine group

 

1) In the machine group, go to the 'Domain Name' tab.

2) Type in the domain name, then click 'Add'.

3) Be sure to set admin credentials.

 

This feature will work dynamically as well. Whenever you use a machine group with a domain specified the scan will only discover machines currently part of the domain records.


 

 

Additional Information

 

1) If you set up a group as shown in the example above (containing a domain name and an OU that would contain the same machines), Protect will be able to determine that the same machine is being discovered/scanned twice and will only display one scan result for the machine.

2) You can add multiple domains and active directory OUs within a single machine group.

3) When first setting this up, it's likely you will run into some scanning errors (machines not scanned). Generally these happen due to some configuration or environmental problem. Refer to this document on how to fix such scan errors: Troubleshooting Shavlik Protect patch scan error messages

 

Affected Product(s)

 

Shavlik Protect, All Versions

How to increase the deployment timeout for offline hosted virtual machines


Purpose

 

This document includes instructions on how to increase the deployment timeout for offline hosted virtual machines.  Performing the steps in this document will be required when a deployment to an offline hosted virtual machine requires more than 120 minutes to complete.  The typical cause would include a deployment of a large number of patches to a single machine. 


Symptoms

You will see the following error message in the Deployment Tracker approximately 120 minutes into the deployment process.

A subsequent scan of the target offline hosted virtual machine will show fewer patches missing, indicating that some of the patches were installed within that 120-minute time frame.


Resolution


Manually increase the deployment timeout by editing the STEnvironment.config.


1.  Close Protect.

2.  Stop the Shavlik Protect Console Service.

3.  Navigate to the Protect installation folder. (C:\Program Files\LANDesk\Shavlik Protect by default)

4.  Make a backup of STEnvironment.config.

5.  Edit the STEnvironment.config.

6.  Add the following text AFTER: threatDataDirectory="C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData"


virtualDeploymentTimeout="4"


This is what it will look like after your change:


tempReportsDirectory="C:\ProgramData\LANDesk\Shavlik Protect\Console\TempReports"

threatDataDirectory="C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData"

virtualDeploymentTimeout="4" >

 

7. Close and save the STEnvironment.config file.

8.  Start the Shavlik Protect Console Service.

9.  Launch Shavlik Protect and test.
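
As an added example (not part of the original article), steps 2 through 8 can be scripted in PowerShell. The path, attribute names and value come from the steps above; the service display-name pattern and the treatment of STEnvironment.config as XML are assumptions to confirm on your console.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts steps 2-8 of the procedure above. Close Protect (step 1) first.
param(
    # Default installation folder named in step 3.
    [string]$InstallDir = 'C:\Program Files\LANDesk\Shavlik Protect',
    # Value used in step 6 of the article.
    [string]$Timeout = '4',
    # ASSUMPTION: display-name pattern of the console service; confirm with Get-Service.
    [string]$ServiceDisplayName = 'Shavlik Protect Console*'
)

$ErrorActionPreference = 'Stop'
$configPath = Join-Path $InstallDir 'STEnvironment.config'

# Read the file and remember its encoding so the rewrite keeps it.
# (A file without a byte-order mark is treated as UTF-8.)
$reader = New-Object System.IO.StreamReader($configPath, $true)
try {
    $text     = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
} finally {
    $reader.Dispose()
}

# Idempotence: never add the attribute twice (a duplicate attribute is invalid XML).
if ($text -match 'virtualDeploymentTimeout\s*=') {
    Write-Output 'virtualDeploymentTimeout is already present; no change made.'
    return
}

# Step 6: the new attribute goes directly after threatDataDirectory="...".
$anchor = [regex]::Match($text, 'threatDataDirectory\s*=\s*"[^"]*"')
if (-not $anchor.Success) {
    throw "threatDataDirectory attribute not found in $configPath; edit the file by hand."
}
$insert  = "`r`n" + ('virtualDeploymentTimeout="{0}"' -f $Timeout)
$newText = $text.Insert($anchor.Index + $anchor.Length, $insert)

# ASSUMPTION: the file is XML (the article shows the attribute list closed by '>').
# The cast throws on malformed XML, so nothing is written if the edit broke the file.
[void][xml]$newText

$service = Get-Service -DisplayName $ServiceDisplayName
if (@($service).Count -ne 1) {
    throw "Expected exactly one service matching '$ServiceDisplayName'."
}
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $configPath, (Get-Date)

Stop-Service -InputObject $service                                      # step 2
try {
    Copy-Item -LiteralPath $configPath -Destination $backup             # step 4
    [System.IO.File]::WriteAllText($configPath, $newText, $encoding)    # steps 5-7
} finally {
    Start-Service -InputObject $service                                 # step 8, even on failure
}
Write-Output "Updated $configPath (backup: $backup). Launch Protect and test."
```

If the console fails to start after the change, restore the timestamped .bak copy over STEnvironment.config and start the service again.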


Affected Products


Shavlik Protect 9.x

Error: "The e-mail service is currently not available.", following 9.1 Patch 1 Upgrade


 

Purpose

 

After upgrading to Shavlik Protect version 9.1.4446, some users may encounter the error "The e-mail service is currently not available", and some users may find that their automated email reports are not sending. The purpose of this document is to provide a workaround for those who encounter this issue and to help restore proper function of automated email reports in Protect.

 

Symptoms

 

Following the installation of the Patch upgrade for Protect that takes the application from version 9.1.4334 to 9.1.4446, some users after completing a scan or initiating a deployment may receive a dialog box popup in the application containing the following error:


"The e-mail service is currently not available."

 

The Protect.Managed log should show the following exception:

 

2014-XX-XXTXX:XX:XXXXXXX E EmailRecipientSelector.cs:205|ST.UI.UserViewableException: The e-mail service is currently not available. ---> System.ServiceModel.ProtocolException: The .Net Framing mode being used is not supported by 'net.pipe://localhost/ST/Console/Messaging/ResultsNotification'. See the server logs for more details.

   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)

   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)

   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)

   at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass2.<CreateTask>b__1(IAsyncResult asyncResult)

   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()

   --- End of inner exception stack trace ---

   at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

   at ST.Protect.Forms.Email.EmailRecipientSelector.<SendEmailClickAsync>d__13.MoveNext()

 

Cause


Users should only see this error message after upgrading using the patch, not the full 9.1.4446 install. It appears that during the patch upgrade process, some of the necessary components may not upgrade successfully in some environments.

 

Resolution

 

We are working on the upgrade issue, and this will be fixed in an upcoming patch release. In the meantime, to correct the issue uninstall Shavlik Protect, download and re-install Protect using the full 9.1.4446 installer. Note: Uninstalling and re-installing Protect will not lose any user data or configuration, as this data is all contained within the database. Before re-installing Protect, to help ensure the product can point back to the database it would be a good idea to open the Database Setup Tool and verify the path to the SQL database and the credentials used. These will need to be entered after re-installation is completed.

 

The full installation package can be downloaded from the following link:

http://rs.shavlik.com/downloads/ShavlikProtect_9.1.4446.exe

 

 

Affected Product(s)

 

Shavlik Protect 9.1.4446


Scanning by OU without including child OUs doesn't work


If I chose to add OUs to my scan range and unclick the checkbox "Include child OUs" it still includes all child objects in all child OUs.

 

I just want to scan the computers at the root of that OU and none of the child OUs. Is this possible without statically adding each machine to a machine group?

Shavlik Protect Uninstall Error code 2503

Certain patches from Windows Updates are not in my Protect database?


Greetings,    

I am trying to understand the patching process a little more.  When I do a WUScan of my machine (Windows 8.1 Enterprise) it returns with zero patches missing.  When I go out to Windows Updates, I have 21 important updates listed, 14 of which are office products, and 7 are listed under windows 8.1.  When I look at each individual update and compare the KB number with the Qnumber within Protect, most of them are not listed.  The ones that are listed are showing they are over a year old.  All of the updates listed on the Windows Update page are showing as published Yesterday.  Does this mean that the Shavlik team has not released these as of this moment?  I have confirmed I have the latest definitions 2.0.0.8978 and I am on Protect Standard version 9.1.0 Build 4446.

 

Here is a screenshot of the updates in question, along with a screenshot showing no patches listed for KB2977292.  Is it possible these updates are not included in either the WUScan or my custom scans?

Thanks,

Mike


Windows Update service is required to install patches on Windows Vista and later Windows operating systems


Purpose

 

Microsoft patches fail to deploy on the following operating systems:

-Windows Vista

-Windows 2008

-Windows 7

-Windows 2008R2

-Windows 8

-Windows Server 2012

 

When attempting to manually run a patch file copied to a target machine in C:\Windows\Propatches\Patches you receive an error that the Windows Update service was not able to start or is not started.

 

Resolution

 

The Windows Update service must not be set to 'Disabled'. It does not explicitly need to be started, but it must be enabled - it can be set to 'Manual', 'Automatic-Delayed Start', or 'Automatic'.

 

Windows Vista/2008 changed patching behavior. Windows Vista and later patches are of a file type .MSU and this file type requires the Windows Update Service to be enabled to execute. The Windows update application is not required, but the standalone service handles extraction and execution of MSU patches and must remain enabled. For more details regarding this change go to  http://support.microsoft.com/kb/934307/en-us

Windows Update can be disabled as long as the Windows Update Service remains enabled. You can configure this using GPOE under Computer Configuration\Administrative Templates\Windows Components\Windows Update.


From the workstation the automatic updates setting can be set to "Never check for updates" under Control Panel\All Control Panel Items\Windows Update\Change settings


The Windows Update security message can be turned off by unchecking "Windows Update" under Control Panel\All Control Panel Items\Action Center\Change Action Center settings
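
To check the requirement above across machines before a deployment, the following added example (not from the original article) reports the start mode of the Windows Update service, whose service name is wuauserv, and flags machines where it is 'Disabled'. The parameter names and the optional switch that sets the service to 'Manual' are choices made for this example; remote machines need CIM/WinRM access with administrative rights.

```powershell
# Added example: report the Windows Update service (wuauserv) start mode per machine.
param(
    # Machines to check; defaults to the local computer.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # When set, a service found 'Disabled' is switched to 'Manual'.
    [switch]$SetManual
)

foreach ($computer in $ComputerName) {
    $query = @{
        ClassName   = 'Win32_Service'
        Filter      = "Name='wuauserv'"
        ErrorAction = 'Stop'
    }
    # Query the local machine directly so WinRM is not required for it.
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

    $row = [ordered]@{
        Computer           = $computer
        StartMode          = $null
        State              = $null
        MsuInstallPossible = $null
        Note               = ''
    }
    try {
        $svc = Get-CimInstance @query
        if (-not $svc) { throw 'wuauserv service not found' }

        $row.StartMode = $svc.StartMode   # Auto, Manual or Disabled
        $row.State     = $svc.State       # Running or Stopped; either is acceptable
        # Only 'Disabled' blocks .MSU installation; the service need not be running.
        $row.MsuInstallPossible = ($svc.StartMode -ne 'Disabled')

        if ($svc.StartMode -eq 'Disabled' -and $SetManual) {
            $result = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                                       -Arguments @{ StartMode = 'Manual' }
            if ($result.ReturnValue -eq 0) {
                $row.StartMode          = 'Manual'
                $row.MsuInstallPossible = $true
                $row.Note               = 'changed from Disabled to Manual'
            } else {
                $row.Note = "ChangeStartMode failed with code $($result.ReturnValue)"
            }
        }
    } catch {
        # Unreachable host, access denied, or missing service.
        $row.Note = $_.Exception.Message
    }
    [pscustomobject]$row
}
```

If the service start mode is enforced by Group Policy, the policy will revert a local change at its next refresh, so correct it in the policy instead.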

 

Affected Products

 

Shavlik Protect 9.x

How Credentials work in Protect


Purpose


This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.

 

Description

 

Credential Precedence for Physical Machines and Online Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

  1.   If one or more of the following are available,  the credential with the highest precedence will be used. The precedence order is as follows: 

      a. Machine-level credentials

      b. Group-level credentials

      c. Integrated Authentication (Kerberos)

 

Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.

  2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

If neither of these credentials work, the scans and the power management tasks will fail.

One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

Initiating an agent installation from a machine group

When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:

  1.   If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows: 
    1. Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)

  2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If neither of these credentials work then the action will fail.

Initiating an agent installation from Machine View or Scan View

When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.

 

Credential Precedence for Offline Hosted Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depends on the power state of the machine when it was initially scanned.

If a machine was originally scanned in offline mode

The program will attempt to authenticate using the browse credentials.

If a machine was originally scanned in online mode

The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:

  1. Try using any manually or automatically assigned managed machine credentials.
  2. If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

    1. The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.

    2. Default credentials (used if the scan credentials are invalid or missing; for example, if an agent performed the scan rather than the console).

  3. If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If none of these credentials work then the action will fail.
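
The precedence rules above can be modelled to see which credentials an action will actually try, which helps when troubleshooting a failed authentication. This is an added example, not Shavlik Protect code; the class, function and credential names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INTEGRATED = "integrated-windows-auth"  # placeholder label for the logged-on user


@dataclass(frozen=True)
class Assigned:
    """Credential names available for one target; None means not assigned."""
    managed: Optional[str] = None      # managed machine credential
    group_admin: Optional[str] = None  # administrator credential from the machine group
    default: Optional[str] = None      # default credential
    browse: Optional[str] = None       # browse credential of the hosting server


def candidates(a: Assigned, scanned_offline: bool, integrated_ok: bool) -> List[str]:
    """Credentials in the order the documented strategy tries them."""
    if scanned_offline:
        # Originally scanned in offline mode: only the browse credentials are used.
        return [a.browse] if a.browse else []
    order: List[str] = []
    if a.managed:                      # step 1
        order.append(a.managed)
    # Step 2: only the highest-precedence credential is tried. An existing
    # group administrator credential that fails does not fall back to default.
    second = a.group_admin or a.default
    if second:
        order.append(second)
    if integrated_ok:                  # step 3; not for rescans or offline-VM deployments
        order.append(INTEGRATED)
    return order


def authenticate(a: Assigned, working: Set[str], scanned_offline: bool = False,
                 integrated_ok: bool = True) -> Tuple[Optional[str], List[str]]:
    """Return (credential that succeeded or None, credentials tried in order)."""
    tried: List[str] = []
    for cred in candidates(a, scanned_offline, integrated_ok):
        tried.append(cred)
        if cred in working:
            return cred, tried
    return None, tried


if __name__ == "__main__":
    # Constructed scenario: the group admin password is stale, the default is valid.
    a = Assigned(group_admin="grp-admin", default="svc-default", browse="host-browse")
    # Rescan (integrated not allowed): fails although a valid default exists.
    print(authenticate(a, {"svc-default"}, integrated_ok=False))
    # Machine originally scanned offline: only the browse credential is tried.
    print(authenticate(a, {"host-browse"}, scanned_offline=True))
```

The first call shows the case that most often surprises administrators: a stale machine group administrator credential blocks a working default credential from ever being tried.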

 

Defining Credentials

The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.

 

Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.

 

define_cred.jpg

 

Name this credential so it can be used elsewhere

Provide a friendly name for this credential that describes exactly where it should be used.

User name

Type a user name that has access to the machine(s). When specifying the user name:

  • If you need to specify a domain as part of the credentials be sure to include the domain name as part of the user name. For example, if you enter User@<Domain>, <Domain>\User, or a fully qualified user name, Shavlik Protect will use the domain account rights.
  • If you enter <Target Machine>\User, Shavlik Protect will use the target's local account rights.

  • If you do not include a domain or machine as part of the user name, the name will be qualified to the target machine (<targetmachinename>\User).

  • Microsoft Windows .alias name formats (for example: '.\username') are supported by Shavlik Protect.
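
The qualification rules in the list above decide whether a credential carries domain account rights or only the target's local account rights. The following added example (not Shavlik Protect code; function names and sample accounts are hypothetical) classifies user names that way. It assumes that a prefix matching the target's name, or `.`, denotes the target's local account.

```python
import ipaddress
from typing import Dict, List, Tuple


def _host_label(target: str) -> str:
    """Short machine name of the target; an IP address is kept whole."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        return target.split(".")[0]


def qualify(user_name: str, target: str) -> Tuple[str, str]:
    """Return (scope, effective account); scope is 'domain' or 'local'."""
    name = user_name.strip()
    host = _host_label(target)
    if not name:
        raise ValueError("empty user name")
    if "\\" in name:
        prefix, _, user = name.partition("\\")
        if not prefix or not user:
            raise ValueError(f"malformed user name: {user_name!r}")
        # Assumption: a prefix equal to the target's name, or '.', means the
        # target's local account; any other prefix is treated as a domain.
        if prefix == "." or prefix.lower() in (host.lower(), target.lower()):
            return "local", f"{host}\\{user}"
        return "domain", f"{prefix}\\{user}"
    if "@" in name:
        user, _, domain = name.rpartition("@")
        if not user or not domain:
            raise ValueError(f"malformed user name: {user_name!r}")
        return "domain", name
    # No domain or machine part: the name is qualified to the target machine.
    return "local", f"{host}\\{name}"


def domain_scoped(credentials: Dict[str, str], target: str) -> List[str]:
    """Friendly names of credentials that would use domain account rights."""
    return sorted(n for n, u in credentials.items()
                  if qualify(u, target)[0] == "domain")


if __name__ == "__main__":
    # Constructed sample: friendly name -> user name as typed in the dialog.
    creds = {"Patch service": "CORP\\svc-patch", "Local admin": ".\\Administrator",
             "UPN": "svc@corp.example", "Bare": "Administrator"}
    for friendly, user in creds.items():
        print(friendly, qualify(user, "web01.corp.example"))
    print(domain_scoped(creds, "web01.corp.example"))
```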

Password

Type the password for the user.

Verify password

Retype the password to verify you specified it correctly.

Share this with background tasks, agents, and other features

If enabled, this credential will be available to all Shavlik Protect administrators and can be used to specify credentials for service components within the program. The service components within Shavlik Protect that require a shared credential include the following:

  • Proxy service
  • Email service

  • Agent internet proxy

  • Distribution servers

  • TrustedHost list access when running remote scripts

Why is it necessary to share a credential? Credentials are encrypted, so you must share a credential so that the service components can decrypt and access it when needed.

Example: If you select Tools > Options > Proxy and attempt to assign Service credentials, only shared credentials are available for selection. The service must have a copy of the credential in order to decrypt it.

Note: It is recommended that you create a service account to perform these service functions rather than using a domain administrator account. See Potential Security Implications When Sharing Credentials for more information.

 

Supplying Scan Credentials for Target Machines

Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.

 

This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.

 

The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:

  •   Authenticate to the local (console) machine

Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.

  •   Perform a patch deployment

The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.

You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.

 

Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

Assigning Credentials to Individual Machines in a Machine Group

To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.

assigning_creds1.jpg

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

assigning_creds2.jpg

When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.

assign_creds_tiny.jpg

Assigning Credentials to All Machines in a Machine Group

To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.

assigning_creds3.jpg

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

assigning_creds2.jpg

When credentials are assigned the icon will contain a check mark:

assign_creds_tiny.jpg

In addition, the button name will change to the name of the assigned credential.

Assigning Credentials to Virtual Machines

There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depend on how the machines are defined to the group and on the current power state of each machine.

  • Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depend on the current power state of the machine.
    • A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.

assigning_creds4.jpg

    • A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.

    assigning_creds5.jpg

  • Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above.
  • Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.

    Assigning New Credentials to Machines After They Have Been Scanned

    After one or more machines have been scanned and are contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.

     

    There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

    assigning_creds6.jpg

     

    Managing Credentials

    Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

    The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.

    Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.

     

    To manage the credentials used by the program, select Manage > Credentials.

    manage_creds1.jpg

     

    Add

    Enables you to add a new credential.

    Edit

    Enables you to modify the selected credential.

    Delete

    Deletes the selected credential. You can delete multiple credentials at the same time.

    When you delete a credential the following occurs:

    • The credential itself is deleted
    • All usages of the credential throughout the program are deleted

    • If it is a shared credential, the shared credential and all its usages are deleted

    Caution! Any items using the deleted credential will no longer be assigned a credential. Before you delete a credential you should browse your machine groups to verify the credential is not being used.

    Merge

    Tip: This credential cleanup tool will typically be used immediately following an upgrade from an earlier version of Shavlik Protect that does not contain the Credentials Manager.

    Enables you to merge one or more credentials that contain the same user name and password with another credential entry that also contains the same user name and password. Or you can merge several different credentials into one new credential that is effective in all situations. By eliminating duplicate and unneeded credentials you reduce confusion and lessen the chance for human error.

    1. On the Credentials Manager dialog select the credential(s) you want to merge with another credential.
    2. Click Merge.

    The Merge Credentials dialog is displayed. For example:

    manage_creds2.jpg

    3. At the bottom of the dialog do one of the following:
    • Select an existing credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the credential you select here.
    • Create a new credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the new credential you create here.

    Note: A shared credential can only be merged with another shared credential. Therefore, if any of the credentials in the Confirm credentials to merge list are shared, then (1) only shared credentials will be offered for selection in the Existing box, and (2) any new credential you create will automatically be defined as a shared credential.

    4. Click Merge.
    5. Read the message on the confirmation dialog and if you agree with the merger, click Merge.

    View usages

    Enables you to see how and where the selected credentials are being used in the program. Only those credentials that are currently being used in the program will be displayed in the Credential Usages dialog. A credential may be listed multiple times if it is used in different areas of the program.

    manage_creds3.jpg

    You can right-click on any list item and perform a number of different actions.

    • Assign different credential: Enables you to assign a different credential to the selected item(s). You can assign a different credential to multiple items at once but only if they all have the same Shared Usage value (Yes or No).
    • Expand all: Expands all lists.

    • Collapse all: Collapses all lists.

    • Export selected credential usages to CSV: Export information about the selected items to a Comma Separated Values (CSV) file. The CSV file can then be used within a spreadsheet program.

    Set as default

    Assigns the selected credential as the default credential. The program will use the default credential if other credentials are missing or invalid.

    Clear default

    Removes the default credential assignment.

    User Name

    Displays the user name portion of each credential.

    Name

    Displays the unique name assigned to each credential.

    Shared

    Displays whether the credentials are shared credentials. The information in this column is directly related to the Share this with background tasks, Agents, and other features check box on the Define Credential dialog.

     

     

    Managing Individual Machine Properties (Explicitly supplied credentials)

    You can set explicit credentials for machines via View > Machines > right-click a machine > Machine Properties.

     

    Manage_Machine_Properties.jpg

    Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.

     

    There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

     

    How Shavlik Protect Manages Multiple Administrators

    Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:

    • The program will not allow duplicate group names or template names
    • The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:

    another_user.jpg

    • Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
      • Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.

     

    Best Practices When Using Multiple Administrators

    Recommendations

    • You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks.
      • Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM

      • For each additional administrator, add 1 processor core and 1 GB RAM

      • For a high performance system, use 16 processor cores and 32 GB RAM

    • When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.

    • If you edit a group that is typically used by another administrator you should notify that person about the change.

    • Each administrator should create their own credentials and assign them to machines.

    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.

     

    Potential Issues When Using Multiple Administrators

    Usage Issues

    You must take a few common-sense precautions when using multiple administrators. Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

    •   If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.

    The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

    •   If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

    The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

    Credential Issue

    When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.

    One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.

    Recommendations:

    • Each administrator should create their own credentials and assign them to machines
    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

    Virtual Inventory Consideration

    Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.

     

    Additional Information

     

    More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:

     

    Shavlik Protect Encryption Q&A

    How-To troubleshoot Error 5 - Access is denied

    Change Machine Credentials on Multiple Machines at Once

    Account Lockout - Scheduler Service using Credentials

     

    Affected Products

     

    Shavlik Protect 9.x
