How does Shavlik distinguish between server and workstation?  I have two machines in the same OU in AD.

One is an XP and the other is Win7.  Both are workstations.

The machine group I have setup, scans multiple containers just for Servers, and it is marked that way.

But the XP machine is reported as a server.

I have other examples as well, including thin devices with Windows Embedded OS that are scanned as a server as well.

Why would this be?

Is there a attribute I can set, to make sure these machines are skipped?

I would also like to know the difference between a W/S and Server license? Where in the registry is this info found?

Our company ran into an issue where our patch agents were not able to read the policy or license zip files due to our encryption system.

We've since rolled out a fix, which is to decrypt those 2 files. It's corrected our problems on a lot of the systems but our check in numbers remained very low compared to the number of systems we have out there.

After digging in a little further, it looks like a ton of systems ran an automatic uninstall of the agent as seen in the STagentupdater.log:

Hi there,

Just noticing that on a number of our SharePoint servers, Q2880516 shows as missing.  But when I run the patch on the server manually, the installer says it's already installed.  Shavlik does not indicate that it's been superseded.

I see that Shavlik is checking for presence of registry key 'SOFTWARE\Classes\Installer\Patches\CBDDAFC89662E564EADC56787E54A6B6\SourceList\PackageName', and indeed this key doesn't exist.

However, the Microsoft KB article for this patch doesn't specify that key for determining if the patch is installed.  Instead, it lists a number of files and their versions for detecting whether it's installed or not.  I checked a few of them, and in fact I have the required versions or newer. 

In googling this issue, I see that there have been other SharePoint patches in the past that contained files that were also included in different patches.  So perhaps this is the case here too - the files are present on the system because they are part of other SharePoint patches that have been installed.  Perhaps Q2880516 needs to check file versions in order to determine if it's missing or not.

Same is happening with SharePoint patches Q2553298/MS13-100 and Q2553408/MS13-067, but I thought I'd focus on just one of the three to raise the issue.

Could we adjust the patch detection so they stop showing as missing?  Please let me know if you need more info like a list of patches already installed on this server, etc., and I can provide.

Thanks,

Sandra

Hello,

Is there someone who can help me debugging the shavlik probleme i meet:

I make regularly Windows security patching for our society. I meet some problems every time for which here is the summary below.

Thank you please for your help.

1/ - Shavlik has some limitation for the patching of tomcat or java.
Shavlik first uninstalls tomcat or java then it installs the new version but in the default installation path.
In our case on the “Remedy” servers, tomcat and java are installed in a specific patch on the D drive.
For tomcat the problem is clearly identified: shavlik uninstalls tomcat from the D drive;

the customized configuration files still remain on the D drive after the uninstallation.
After that, shavlik installs tomcat on the C drive and when the tomcat is started, the configuration files are not found and the tomcat starts with an empty configuration.
QUESTION : Why Shavlik doesn’t install (upgrade) in the same path were it makes the uninstallation??

2/ after patch installation on some SLQ servers there are some services which don't work. When we restart them, we have a Time Out.
- Some time, the applications don't work correctly after windows patching.
Please have a look at this and help me resolving the problems
=============================
3/ There are two times then i rollback the patches installation on SQL server. After patches

installation, there are some services which don't work. The last tweek i patch some servers and

at monday morning we have many problems to restart the reporting service. We think that the patch

2800095 has a relation with the issue but we are not sure.
I need someone speaking french to debug this, if not let’s go in english

=============================================================

4/ Other message post patching

The application-specific permission settings do not grant Local Launch permission for the COM

Server application with CLSID
{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
and APPID
{B292921D-AF50-400C-9B75-0C57A7F29BA1}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This

security permission can be modified using the Component Services administrative tool.

Description

• After deploying patches, one or more patches still show as missing.
• While deploying, the deployment tracker lists an error.

Cause

The cause of a failed deployment can vary greatly. This document will serve as a way to troubleshoot and identify common issues that can cause a failed deployment.

• Do Patches Download?
• Did Patches Copy to Target?
• Did Batch File Run?
• Errors in the CL5.Log?
• Error Running Patch Manually?

Do Patches Download?

When initiating a deployment, Shavlik Protect will initiate the deployment process by downloading the Patches from the vendor to a local repository.

To identify if the patch was downloaded, examine the Patch Download column within the scan results.

• If the icon is a Green Arrow that says 'Yes', it indicates it is currently downloaded and saved in your patch repository.
• If the icon is a Gray Arrow and says 'No', this indicates the patch is not downloaded.
• If there is no icon, this indicates the patch is not available to be downloaded through Protect and is only available for reporting purposes.
  • Related Document - Patch Download Status and Corresponding Icons

If you are in an offline environment (i.e. the Protect console has no internet connectivity), and your patch is in the Patch Repository, but the download icon is Gray and says 'No', it may need to be renamed to the Shavlik Name.

Related Document: Patches' Shavlik Name

YES - Patches Did Download

NO - Patches Did Not Download / Patch is not in repository

Troubleshooting Possible Download Issues

• Firewall, proxy, or anti-virus settings prohibiting downloads

• No Internet connectivity

• Downloads are set to a Distribution Server/Share that does not have the file available

When viewing the download entry in the ST.Protect.Managed...Log it lists the source as a local/network share. If your download source is set to a Distribution Server, the patch must exist on the specified Distribution Server to be able to download from it. If it does not exist on that share, there will be nothing to download, and it will fail.

Example:
2013-12-18T22:08:56.5798742Z 0001 V SingleFileDownload.cs:563|Download Error 'file://nevans-pc/DistributionServer/7z920.msi'.
2013-12-18T22:08:56.5803742Z 0001 V DownloadItem.DownloadFileCompleted|7z920.msi not downloaded: Connection lost: Could not find file '\\nevans-pc\DistributionServer\7z920.msi'.

To correct this, download the patch to the share, or change the download source to the vendor.
You can switch the download source by going to Tools> Operations> Downloads> Patch and Service Pack download source> select Vendor web sites to download the patches directly from the vendor.

• Vendor removed the patch from the specific url

Did Patches Copy To The Target?

After the patches are downloaded, they are copied to the target machine to the directory C:\Windows\ProPatches\Patches\

YES - Patches Did Copy to C:\Windows\ProPatches\Patches\

NO - Patches Did Not Copy to C:\Windows\ProPatches\Patches\

Troubleshooting Possible Copy Issues

• Does the Target have Anti Virus Software?
  • Anti Virus software may delete patches that get copied to the target based on their settings. Try disabling any Anti Virus on the target to see if the patches will copy to the target machine for installation.
• Is the Deployment Template using a Distribution Server?
  • This can be verified by opening the Deployment Template and going into the Distribution Server tab. If 'Use Distribution Server by IP Range' is selected, verify the patch exists on the appropriate DS.
  • Alternatively, choose to use 'Console Push'. This will cause Protect to copy the patch from the Console itself, as opposed to having the target initiate a copy form the Distribution Server.

Did The Batch File Run?

After the patches are Copied to the Target machine, a batch file that contains the necessary installation switches is also copied to the target. This file is located under C:\Windows\ProPatches\Install\. The last thing the Batch file will do after it runs, is rename itself from a .BAT extension to a .HIS extension. If the extension has changed, that indicates the patches should have all been executed (thought not necessarily successfully).

YES - Batch File Ran and Has .HIS Extension

NO - Batch File Did Not Run and Has .BAT Extension

• One of the patches is still running.
  • If a patch is still in the process of running, the batch file will not have received the return information to rename itself. This can be caused by a patch taking a long time to install (which is may not actually be a failed install, but may still be in progress). It is also possible for a patch to get hung up if the machines resources are being heavily utilized, or if the patch has received incorrect silent switches. To troubleshoot these:
    • Patch is still installing- Look for the patch in the list of active processes. End the process if found to continue to the next patch in the deployment.
      • Alternatively reboot the target, and re-deploy.
    • Patch is frozen while installing - Look for the patch in the list of active processes. End the process if found to continue to the next patch in the deployment. If the patch continues to have this behavior it may have an incorrect switch being passed to it. Ensure you are on the latest xml data by performing a Help > Refresh Files, and try deploying again. If the issue persists, contact Technical Support with the Q# of the patch, your Assessment Version and Deployment Version (located under Help > About > Version Info) and the OS of the target machine.

Are There Errors In The CL5.log?

When patches are executed on the target machine, they log their exit codes in the file: C:\Windows\ProPatches\Cl5.log

Open the Cl5.log file and search for the patches name. There should be an entry that looks similar to this:
2013-12-19T17:20:57.4472656Z 0e88 I CommandLine.cpp:2157 Patch Install returned 0: Patchname.exe

If the patch is installed successfully, it returns '0'.
If the patch requires a reboot, it returns '3010'.
If the patch returns any other code, it is an error and the code needs to be troubleshot. The error will typically be searchable online for what it corresponds with. Alternatively, trying to run the patch manually should give you a prompt indicating the error.

Example:
This is a successful install of the patch 7z920-x64.msi
2013-12-19T17:20:57.4472656Z 0e88 I CommandLine.cpp:2157 Patch Install returned 0: 7z920-x64.msi

NO - CL5.Log Has No Errors

Yes - CL5.Log Has Errors

Do You See Errors When Installing The Patches Manually?

When a patch finishes executing it will return an 'exit code' that is logged into the file C:\Windows\ProPatches\Cl5.log (covered in previous section).

If the Cl5.log shows an exit code other than 0 or 3010, this typically indicates an error occurred. If searching online does not yield an answer to what the exit code means, running the patch manually will usually provide an error message to troubleshoot from.
To run the patch manually, on the target machine navigate to C:\Windows\ProPatches\Patches\ and find the patch to be tested. Double click the file to run it. Often times the error will be immediate upon running, where some patches require clicking through several steps before the error occurs.

Note:If the patch does not return an error, the may install successfully. If this occurs, in order to troubleshoot why it failed to install from Protect, the patch must first be uninstalled so a reinstall of the patch via Protect can occur for testing purposes.

YES - Running the Patch Manually Returns Error/Fails

NO - Running the Patch Manually Installs Without Issue

Most patch install failures will meet one of the listed criteria. If you are not finding this to be true in your situation, it is recommended to open a ticket with Technical Support. When opening the ticket please provide the Q# of the affected patch, the Operating System of the target machine, the Patch Assessment and Patch Deployment versions located under help > about > version info, the logs from the console, and the logs from the target machine.

Related Document: Gathering Console, Client Side (agentless), and Agent logs for Protect

Products

Shavlik Protect 9.x

Is this possible? I see how to export a machine group to the xml file. I don't want that. I want it in a .txt file so I can import it as a .txt file into an existing group.

I want our Shavlik server to pull machines from multiple domains. Is this possible? Obviously, a server can only be "on" one domain at a time. Is it possible though, through AD trusts, that Shavlik will pull from all the domains that my primary domain can see? Right now that does not seem to be happening. I can't figure out if it's possible to add more than one domain to the "my domain" group. If I select Manage -> scheduled tasks it actually lists the other 3 domains under "Enterprise." I would think since it sees the other domains it would pull form them but it's not.

Any ideas?

When on our network, which is not conected to the internet, Shavlik does not install Windows or IE patches.  I have been in the propatches\install directory and there are a lot of batch files that if one looks over indicates the batch failed because it was not renamed.  How can I tell what is causing the batch file to suddenly quit and not install Windows or IE patches??  The .bat files seems to test the .msu patches before it actually installs it.  In the file I see "%pathtofixes%patches\Windows6.1-KB2900986-x64.msu 657" ... what does the 657 do in this batch?  Where is %LASTERR% located at?  And is something tracking the batch file incase it does not finish...I was wondering if there are logs I can look over to see why the Windows and IE patches do not get installed?

thank you,

SQ

Is me or has Shavlik changed the way the users download the patches before deploying them to the clients?  What I means is that when scanning and deploy, I right click on the missing patches for the scanned client, and select 'Download'.  It give me a pop up message "Download Selected Files, All of the selected patches have previously been downloaded. OK"

But, when I deploy the missing patches to the client, it prompts me to "Download Selected Files, The required disk space is XX GB. Currently, You have xx GB free on your hard drive.  Would you like to continue?  Download"  or Cancel.

I use to be able to download the client and deploy the missing patches without shavlik asking to download the missing patches before deploying.  Once downloaded, it never prompts me to download when deploying.

Anyone else is seeing this?  I'm not sure if this is on the current version 9.1.0 Build 4446.  But, I don't remember seeing this on earlier version 9.0.

Having problems talking to my client.  Shavlik will be able to tell me what patches are installed and what's missing. But if I attempt to run a Patch Scan it gives me Error 201.

Now I've been looking at this for the past hour and I have narrowed down the fact that if I RDP (through the Shavlik console) to the client I can do this by IP address.  But it will error out if I attempt to try this using simple machine name.

Unless I can make the machine name show up as the FQDN (machine.sub.domain) this doesn't work with RDP.

So... when I run a patch scan it appears my only option is by the simple machine name and it doesn't fully work.

Is there a way to change this within Shavlik?  I bet if I can get it to scan using the FQDN or IP...  I bet it'll work just fine.

Purpose

This document outlines how to Link Files to a Machine Group. Shavlik Protect provides a dynamic mechanism to keep a machine group current. This is especially useful if your machine list changes from time to time and you want an easy way to update it. If you add machines to, and delete machines from a linked file between scans, any new machines added to the file will be scanned. While any machines removed from the list will not be scanned. When defining a machine group you can link to files containing machine names, domains, IP addresses , and virtual machines.  The following table describes how to create each particular link file..

Steps

Step 1

Use a text editor to create a text file using the following instructions for each type of file

Step 2

Select "Link to file" under to the appropriate Tab for the type of file that you created.

The path to the linked file will show in the Machines List

Save the machine group.

Affected Product(s)

Shavlik Protect 9.x

Hi,

Do I still need my WSUS & vSphere Update Manager servers after a successful implementation of Shavlik Protect?

Thanks,

CDB

Symptoms

After logging in on a Windows 8 or 8.1 system and removing Windows "Metro" or Store Apps you notice Shavlik Protect detecting missing updates for the Windows Apps (such as MSWU-1006 or MSWU-1007).

Cause

Windows Metro/Store Apps are installed along with the OS. If you are still seeing updates listed missing when scanning with Protect it's because the Apps have only been removed for a certain user or users on the system, but the apps technically still exist on the system.

Resolution

If you want to exclude these updates from coming up within scans, you can do so using the steps in this document:

How to Include or Exclude Specific Patches in Scan Results

We're not currently aware of a definite way to completely remove Windows Store Apps, however, it may be possible to completely disable Windows Store Apps via additional configuration. The following documentation from Microsoft provides more information about the Windows Store and Apps:

Manage Client Access to the Windows Store

Win8: App: Store related group policy settings

Affected Product(s)

Shavlik Protect 9.x

Hi,

it seems there is an issue with XML 2.0.0.9458.

I have several W2K8 R2 servers were KB3003743 was installed successfully, but a scan afterwards detects it as missing.

Regards,

Steff

Purpose

How to schedule the automatic sychronization of Patch Defintions, Patch install files, and Threat engines and defintions to a Distribution Server

Steps for Completion

Highlight the target Distribution Server in the Distribution Server pane.  In the drop down box above the pane select what kind of files that need to be synced  and click  "Add scheduled sync:" A dialog box with scheduling information should appear.  After selecting Save, the scheduled sync should appear in the scheduler automatic synchronization pane with the type of files being synchronized.   If you select "All engines, definitions, and patch downloads", there will be a separate entry created in the middle "Scheduled automatic synchronization" pane for each relevant component.

If you want to force a synchronization  select one or more scheduled synchronization entries in the Scheduled automatic synchronization pane and click Run now

       Note: To synchronize all data, all three synchronization tasks must be selcted. This will immediately copy all appropriate files from the console to the specified distribution server(s).

The scheduled Synchronization process runs in the background of Protect. You may check the status by viewing the event history atView > Event History.

Affected Product(s)

Shavlik Protect 9.X

Purpose

This document provides steps on how to obtain a verbose logging output from any .msi package which may assist in troubleshooting installation failures.

Symptoms

This may be useful when patches failing to install throw a generic 1603 return code.

Description

To obtain verbose logging from the .msi package:

On the system where the update is failing to install:

1) Open command prompt.

2) Change directories to the location of the .msi file.

3) Use the following command (replacing Example.msi with your msi file name):

msiexec /i Example.msi /L*vx "C:\folder\ExampleLogFilename.txt"

Or to run this without user interaction:

msiexec /i Example.msi /quiet /L*vx "C:\folder\ExampleLogFilename.txt"

The log file will be generated with the name specified within the folder specified. Review this log or send to support.

Note: This command will also run with .EXE and .MSU packages, however, it will not provide the same level of output.

Additional Information

For more information about MSIEXEC command line options, see the following Microsoft KB article:

Msiexec (command-line options)

Affected Product(s)

Shavlik Protect 9.x

Hello

We are having some problems in bring some of our systems up to date. We have 2 security products, Nessus and Shavlik. When we scan with Nessus it shows that we need to install some apache patches but when we scan with shavlik it does not show the apache patches as missing.

Does anyone know why this might happen?

Thanks

Regards

Roy

Hi all,

I can't seem to find a solution to "Error on machine 'Win-Server': Failed to schedule patch deployment: '{0}'".  This is displayed when it fails to schedule a patch deployment.

Has anyone seen this error before and know a solution?

TIA

I can't figure out how to prevent my deployments from pushing shortcuts to my workstation desktops via the GUI in Shavlik Standard Protect.  Is there an easy way to do this or do I have to create a custom xml file/script? thanks.