Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

How To Create A Backup Of The Protect Database


Symptoms

 

This document explains how to perform a backup of your database with Shavlik Protect.

 

Scenario


You can use Shavlik Protect to perform a backup of the database thanks to the built-in Database Maintenance Tool.

To access it, navigate to Tools > Operations > Database Maintenance.

 

article1.PNG

When you have accessed this window, at the bottom you will find the different options available in the SQL Server section.

Select Backup database and transaction log, then choose the path where you want to store your backups.

The location could be local (on the same machine as Protect) or could be a UNC path (the account performing the backup needs access to that location).

 

Lastly, press Run now and the task will run in the background. You can follow the operation by going to View > Event History:

article2.PNG

Once it has completed, your backup will be created in the folder you chose earlier. The backup file name follows this convention:

Name of the DB - Backup - Timestamp. Here is an example:

article3.PNG

The account used to access the database and run the operation is the account set in the Database Setup Tool in the Services section. You can specify an account or leave it to match the account being used to connect to the database in the upper section.

 

The account needs db_owner rights to perform the backup.

 

Affected Product(s)

 

Shavlik Protect 9.x


Active Protection Alerts Are Not Sent Out


Purpose

 

This document provides a resolution when Active Protection alerts are not being emailed.

 

Symptoms

 

Alerts are configured to send emails to a number of recipients when a virus/infection is found on a machine. A virus/infection is found by the Antivirus but no alerts are sent out.

 

Resolution


The alerting function is configurable from Tools > Operations > Alerts.

Capture.PNG

In order to trigger an alert, the threat count must meet or exceed one of the two alert thresholds, and it must do so within the specified period of time. This means that when the threats are received is just as important as the number of threats that are received.

 

The Infection time window (hours) must be less than 24 hours; we recommend leaving it at 4 hours, as configured by default.

 

Affected Product(s)

 

  • Shavlik Protect 9.x

Understanding The Different 'Types' Of Patches Within Protect


Purpose

 

The purpose of this document is to provide more information about the different patch types offered within Protect.

 

Description


There are 5 different patch types within Protect:

  • Security Patch
    • A Security patch addresses a specific security vulnerability. They are accompanied by a Security Bulletin.
  • Non-Security Patch
    • This is a non-critical update released by vendors to enhance functionality and/or include minor changes to the application.
  • Security Tools
    • Security tool patches are patches for Malware tools and Microsoft Security Advisories. Security Advisories are a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. Each advisory is accompanied by a Microsoft Knowledge Base Article to provide additional information about any changes or updates being delivered with the advisory’s release.
  • Software Distribution
    • A software distribution patch is a full installer of an application. Only supported applications have a software distribution patch.
  • Custom Action
    • Enables you to perform custom actions even if you are already fully patched. It does this by scanning for a specific QNumber and patch (QSK2745, MSST-001) that will always show as missing on any target system. The process uses the temporary file Nullpatch.exe, which was specifically designed by Shavlik to run without making any changes.


Additional Information

 

More information on custom actions can be found in the following full video tutorial.

- Custom Action - How to perform a custom action complete tutorial

 

Affected Product(s)

 

Shavlik Protect 9.x

Exporting To Different File Types From a Generated Report


Purpose


Generating a report from Shavlik Protect can be an extremely useful tool in your organization. The Report functionality has a lot of capability and this guide will show you how to get the most out of this feature and to export it into the various file types already built-in to the Report Generator.  


Description


Whether it is a Licensing, Scanning, Patching, Threat, Asset or Power function, the Report generator can list a myriad of information to allow you to know what is being seen within your own organization. To utilize this, please follow the instructions below:


  • Go to Tools and click on Create report. (Keyboard Shortcut: Ctrl+Shift+E)

Report Generate Versions1.PNG

  • When the Reports box pops up, under Select a report to view, click on [Select a Report] and find the report that you wish to output.
  • Under Pick Filter Options, you have two options:
    1. Keep View Current Status box checked. This will automatically place the Scan to report on [All Scans] and the report generated will compile all past scans information into it.
    2. You can select the scans that you recently ran to appear on the report.
      1. Uncheck View Current Status and in Scan to report on, navigate to the scan that you want the report to generate the information from.
  • (Optional) If you wanted to use an advanced filter, you can click on the check box for Use Advanced Filter. This will pop up a second advanced filter box after you have clicked on Generate Report.
    1. With View Current Status checked, you can use some options in the Advanced Filter, if you want to select Patch Criticality or the Products to report on.
  • Click on Generate report. Verify that all the machines you want in your report are there. If not, revise your filters.
  • When the report is generated, click on Export in the upper toolbar.

Report Generate Versions2.PNG

  • When the Export box pops up, under Export Format, click on the box for Export Format, and then select the format that you want the Report generated into.
    1. Shavlik Protect can export into these formats:
      • Portable Document Format (PDF)
      • Microsoft Excel Worksheet (XLS)
      • Tab Separated Values (TSV)
      • Comma Separated Values (CSV)
      • XML (XML).

Report Generate Versions3.PNG

  • Select the options on how you want it to be exported to the format that you chose prior.
  • Click on Export. Verify that all content was exported as desired.


Affected Product(s)


Shavlik Protect, All Versions

Protect 9.1 Patch 3 Download Location And Release Notes


Purpose


This article provides a link to the Protect 9.1 Patch 3 download location and release notes.


The Shavlik Download Center provides links to:

 

  • Product downloads
  • Upgrade Guide
  • Release Notes
  • System Requirements
  • Version History Log


Affected Product(s)

 

Shavlik Protect 9.1

Protect 9.0 Patch 3 Download Location And Release Notes


Purpose


This article provides a link to the Protect 9.0 Patch 3 download location and release notes.


The Shavlik Download Center provides links to:

 

  • Product downloads
  • Upgrade Guide
  • Release Notes
  • System Requirements
  • Version History Log


Affected Product(s)

 

Shavlik Protect 9.0

Scheduling Patch Scan Result Emails To Users


Purpose


The purpose of this article is to show how Shavlik Protect can schedule emails to be sent to selected recipients after a patch scan has been done.

 

Description

 

1. To use the feature that scans on a schedule and then emails the results automatically, you will have to set up a Patch Scan Template under New.
Email group report1.PNG
2. Name and filter out the patches that you want scanned under the Filtering tab.
3. Under the General tab you can select to scan for:

  • Only missing patches.
  • Both missing and installed patches, and an option to include effectively installed patches.

Email group report2.PNG

4. Under the Email tab select the report of your choosing that you would like to be sent to your selected recipients.
5. On the right-hand side, add the members you want to email the reports to by selecting the New Contact button.
6. If the individuals are already added, select the checkbox next to their name.
7. They will be added to the Recipients column on the left next to the Report you have selected to verify.

Email group report3.PNG
8. Click on Save to save the Template you have created.
9. Back at the Home view, select the targets you want to run the scan on.
10. Select the schedule that you will issue. (Note: If on a recurring schedule, every time the patch scan template is used, it will send an email to all recipients on that template's list for the type of patches you scanned for back in Step 3.)
11. Select the Patch Scan Template you set up above that will generate the report, and select whether or not you want the patches to be deployed.

12. Click Scan Now or Schedule. If on a schedule for a later time, the scan will be conducted at that designated time and results will only be emailed once the scan is complete. After the scan has finished, a report will be generated for the selected patch groups on the target machines selected and will be sent to each recipient on the email report lists that you have designated them for.

Email group report4.PNG


Affected Product(s)


Shavlik Protect, All Versions

Agent Machine Check-In Failures After Protect Console Was Migrated To A New Server


Symptoms


Agent Machines are unable to check in after the Protect Console was migrated to a different Machine.


Cause


When a Protect Agent is deployed, it is installed using certificates that are based on the current Shavlik Protect Console. If a Protect Console has been migrated to a different machine without using the Shavlik Protect Migration Tool, these certificates will become invalidated and Shavlik Agents will no longer communicate with the Console or vice versa.

 

Resolution


Discover and Re-install all Agents currently deployed from the newly migrated console. This will allow the newly installed console to create an association with the Agents.

or

Re-Migrate the Protect Console Using the Shavlik Protect Migration Tool http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/mtg-prt-9-1.pdf

 

Affected Product(s)

 

Protect 9.X


Shavlik Protect Detects Patch KB2532531 As Missing But Will Not Deploy


Symptoms


Shavlik Protect detects patch KB2532531 as missing but will not deploy


The HF.admin log shows:


2014 11 06T22:35:38.1703117Z 125c V PatchTest.cpp:707 Bulletin 'MS11 053', filecount = 1, regcount = 0.

2014 11 06T22:35:38.1703117Z 125c V FileInfo.cpp:276 CFileInfo::SetName failed for [\\X.X.X.2\C$\windows\WINSXS\AMD64_BTH.INF_31BF3856AD364E35_6.1.7601.21716_NONE_D0F668EFEB4C9175\FSQUIRT.EXE] with error [3]

2014 11 06T22:35:38.1703117Z 125c V PatchTest.cpp:1272 File '\\X.X.X.2\C$\windows\WINSXS\AMD64_BTH.INF_31BF3856AD364E35_6.1.7601.21716_NONE_D0F668EFEB4C9175\FSQUIRT.EXE' error: 1.

 

 

Cause

 

In order for this patch to not be offered, KB2552343 needs to be installed.  This is explained in the Microsoft Knowledge base article at http://support.microsoft.com/kb/2552343

 

Resolution

 

Install the KB2552343 patch or exclude a patch group containing Q2532531 in a patch scan template.

Affected Product(s)


Protect 9.X




Agent Install Fails At File Copy Process - Error code - 0x[431]


Symptoms

 

Agent Installation fails with a copy failed error when attempting to install an agent on a remote machine using the machine view in the Protect Console.

 

ST.ServiceHost.managed.log file shows the following messages and errors:

MachineDeployment.cs:494|Copying critical file 'C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles\STRemoteCommand.exe' to '\\A1958\C$\Windows\TEMP\a56029841e1f424595baf81c08fe54c5\STRemoteCommand.exe'.

MachineDeployment.cs:996|Run Remote Task failed to create the remote command service. Error code - 0x[431]

DeploymentService.cs:348|Marked deployment 'c505512c-9d85-45de-b60b-b8da7efbf884' complete

AgentDeployment.cs:177|A1958: System.ComponentModel.Win32Exception (0x80004005): Failed to create service 'STRemoteCommand'


Shavlik Protect Operations Monitor shows the following under the Agent Installation tab

 

 

0x34b.JPG


Cause

 

Run Remote Task on the Protect Console is unable to overwrite a previously installed "remote command service" STRemoteCommand.exe on the target machine.

 

Resolution

 

Manually delete the old remote command service on the target machine by running the following command from the command line on the Protect Console:

sc \\machinename delete stremotecommand
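
The same cleanup as a guarded PowerShell function. This is an added example, not part of the original article or of Shavlik's tooling: it checks that the leftover service actually exists before deleting it. The function name is hypothetical. Error code 0x431 is decimal 1073 (ERROR_SERVICE_EXISTS), and 1060 is the Win32 code sc.exe returns when the service is not installed.

```powershell
# Added example: hypothetical helper, not Shavlik code.
function Remove-StaleRemoteCommandService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ServiceName = 'STRemoteCommand'
    )

    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $status = & sc.exe "\\$ComputerName" query $ServiceName
    switch ($LASTEXITCODE) {
        0       { break }   # service exists, continue below
        1060    {
            Write-Output "${ComputerName}: $ServiceName is not installed, nothing to delete."
            return
        }
        default {
            throw "sc query failed on $ComputerName (exit code $LASTEXITCODE): $status"
        }
    }

    # A running service is only marked for deletion, so stop it first.
    if ($status -match 'STATE\s+:\s+\d+\s+RUNNING') {
        if ($PSCmdlet.ShouldProcess($ComputerName, "Stop service $ServiceName")) {
            & sc.exe "\\$ComputerName" stop $ServiceName | Out-Null
            Start-Sleep -Seconds 5
        }
    }

    if ($PSCmdlet.ShouldProcess($ComputerName, "Delete service $ServiceName")) {
        & sc.exe "\\$ComputerName" delete $ServiceName
        if ($LASTEXITCODE -ne 0) {
            throw "sc delete failed on $ComputerName (exit code $LASTEXITCODE)"
        }
    }
}

# Usage with the article's placeholder machine name; -WhatIf reports the
# stop/delete actions without performing them.
# Remove-StaleRemoteCommandService -ComputerName 'machinename' -WhatIf
```

After the service is removed, retry the agent installation from the Protect Console.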

 

Affected Product(s)

 

Protect 9.X

 


9.1 patch 3 removed agent from console


Hello,

 

I have always run the Shavlik agent on my console.  I applied patch 3 today, and the agent was uninstalled during the patch process.

 

Is this expected behavior?

Patch Scanning and Deployment Best Practices Guide (Agentless)


Purpose

 

This document is intended to provide best practices and guidance on scanning and deploying patches with Shavlik Protect. This will cover how to properly use many features of Protect so that you can successfully perform patching, automate patch tasks, and have a better understanding of the patching abilities of Protect.

 

Best Practices

 

The best practices have been broken into different sections. Follow the links below for each scenario/category.

 

Verifying Requirements and Initial Setup

 

Verifying and Updating Patch Definitions

 

Configuring Patch Scan Templates and Filtering Options

 

Configuring Patch Deployment Templates

 

Successfully Running Agentless Patch Scans & Deployments

 

Considerations

 

Patch Tuesday Survival Guide and Best Practices

 

 

Additional Information

 

There may be additional best practice information in the Best Practices Guide from our online documents.

 

Affected Product(s)

 

Shavlik Protect 9.x

Patch Scanning & Deployment Best Practices - Verifying Requirements and Initial Setup


 

Verifying Requirements and Initial Setup

 

The first thing that should be done if you are initially setting up Protect, or even if you're a new user of Protect in your organization, is to verify that your environment is meeting requirements for agentless patch scanning and deployment and that all options/settings are configured correctly.

 

Resources for verifying requirements:

Shavlik Protect Requirements Guide

Shavlik Protect Online Help

Shavlik Protect Quick Start Guide

Shavlik Protect Installation & Setup Guide

Shavlik Protect Administration Guide

 

Ensure that your Shavlik Protect console is licensed:

How to activate or renew Shavlik Protect console - Licensing

 

Verify Settings within Tools > Options in the Protect Console

 

Within Protect there are many options and configurable settings. If you are a new Protect administrator it is a best practice to confirm that the settings are in place as you would like them to be and that the settings will allow Protect to work properly in your environment. If you just installed Protect, these settings should be defaulted to what Shavlik considers best practice, however, it is good to verify these settings and understand them if you are new to Protect.

 

Below are some of the important settings to verify:

 

From the top menu, go to Tools > Options.

Untitled.jpg

Display tab (Below)

  • Results
    • You can change some settings for how scan results are displayed. These are all based on your preference.
    • Note that if you check the option 'Show only items created by me' you will no longer see any items created by other users of Protect.
    • If you uncheck 'Show informational items in patch scan results' you will no longer see informational items in scans.
  • Language
    • Ensure the language settings for the Protect console are set how you want.

01.JPG

Notifications & Warnings tab (Below)

  • Ensure that the notifications and warning messages that Protect can provide are set to your preference.

02.JPG

Patch Languages tab (Below)

  • The default is only set to include English. Make sure to add any DEFAULT languages you want Protect to download patches in.

03.JPG

Scans tab (Below)

  • You can change the default patch scan template that is used. This is set to the built-in 'Security Patch Scan' template by default, but you can set it to any scan template available.
  • It is best practice to leave 'Use replacement patches' checked. This allows patch supersedence detection to be used when scanning.
    • If you want to be able to see patches considered effectively installed based on supersedence, you can enable effectively installed patches to be shown via a custom scan template.

04.JPG

Deployment tab (Below)

  • You can change the default deployment template that is used. This is set to the built-in 'Standard' template by default, but you can set it to any deployment template available.
  • Deployment Tracker address - This is good to verify, especially if the system where Protect is installed has multiple NICs. This address is where Protect's deployment tracker will attempt to send updates to. (Tracker provides status updates during patch deployment.)

05.JPG

Scheduling tab (Below)

  • Ensure that the scheduling method you prefer is chosen. By default this is set to the Shavlik Scheduler.
  • Scheduler lifetime allows you to choose what happens with the Shavlik Remote Scheduler service on client machines when deployments finish. The default is to leave the service running.

06.JPG

Proxy tab (Below)

  • If you require the use of an authenticated proxy to access the internet, Protect will require this as well. Make sure to check the box and add credentials if needed.
    • Protect will be unable to download patch definitions or patch files if you fail to set this when needed.

07.JPG

Verifying Settings within Tools > Operations in the Protect Console

From the top menu, go to Tools > Operations.
08.JPG
Downloads tab (Above)

  • Make sure to verify these settings especially if a different Admin was running Protect before you. If patches or definition files are failing to download there may be a mis-configuration here.
  • General patch download options - Patch download directory
    • Default directory is in C:\ProgramData\LANDESK\Shavlik Protect\Console\Patches\
    • You can change this to a directory on any local drive or UNC share. Note: You cannot use a mapped drive.
    • This is the location where patch/update files are downloaded on the Protect console system.
  • Definition download source
    • These settings are concerning the download of the patch definitions (XML content) that Protect uses for scanning and deployment logic.
    • Auto-update definitions (before scans)
      • Checked by default. This allows Protect to check for new patch definitions at the time any scan is run. Uncheck this if you are in a disconnected network or plan to manually update patch definitions.
    • The default setting for definition download source is 'Default (http://xml.shavlik.com)'.
    • You should NOT change this unless you are planning to use a configuration such as described in the following document:
      Configuring consoles within an offline environment to obtain definitions & patches from a distribution server share
  • Patch and Service Pack download source
    • Default setting is for patches to be downloaded from 'Vendor web sites', meaning Protect will download the patches from a publicly available URL from each product vendor.
    • Just as with Definition download source, the best practice is to NOT change this setting unless your network configuration requires it.
  • Schedule automatic downloads
    • Here you can set up a schedule so that definitions can be automatically downloaded.
    • Unless you are in a disconnected network, it is best practice to implement this.
    • In the drop-down, there are two options:
      • Core engines/definitions - The patch definitions used for scan and deployment logic.
      • Threat engines/definitions - The definitions used by clients where the Protect agent is installed with the Threat protection component enabled.
    • To add a scheduled automatic download:
      091.JPG
      • Choose the definition type from the drop down menu.
      • Click 'Add'.
      • You will be prompted with the Schedule Download window.
      • Set to 'Recurring', and set the time and days that you want the automatic download to take place.
      • Click 'Save'.
  • For more information about configuring the download operations, see the Help Article.

09.JPG

Distribution Servers tab (Above)

  • Distribution servers are basically a Windows share used to store patch files, definitions, and other files for deployment and use with agents.
  • If you are taking over admin duties of Protect from another admin, you should verify if a distribution server is configured and in use.
  • If you want more information about why you might use a distribution server, see the Help Document - Why Use a Distribution Server?
  • Some things that you should verify if setting up or using distribution servers:
    • Ensure that the paths are valid
    • Ensure the credentials set are valid
    • Consider setting up scheduled automatic synchronization of distribution servers.
  • More information about how to set up and configure distribution servers can be found in the Help Document - Configuring a New or Existing Distribution Server

10.JPG

Database Maintenance tab (Above)

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Patch Scanning & Deployment Best Practices - Verifying and Updating Patch Definitions


 

Verifying and Updating Patch Definitions

 

How to Verify the Patch Definitions are Up-To-Date

 

  • From the top menu of Protect, go to Help > About Shavlik Protect.

Defs00.jpg

  • In the About Shavlik Protect window, you'll initially see the main app version information.
  • You can quickly check that the patch definitions are current by looking for the check-boxes under the 'Data Versions'.
    • Both Patch assessment and Patch deployment versions should be up-to-date to ensure your scan and deployment is using the latest logic.
    • If a red "X" is displayed, it indicates that Protect sees the patch definitions as outdated.
  • Click on the 'Version Info' button to get more in-depth version information.

Defs01.JPG

  • After clicking 'Version Info' you will see a more detailed list of file versions. For the Patch Definitions you will see the following:
    • The version corresponds to the version of each file used for assessment and deployment logic.
      • Assessment logic comes from HF7b.xml
      • Deployment logic comes from PD5.xml
    • The following values are obtained as listed below:
    • (expected)
      • Latest version listed in the local protect.manifest.xml
    • (latest from vendor)
      • Latest version available on xml.shavlik.com, queried at the time of loading the Help > About window.
    • (file on disk)
      • Actual version of the file on disk (either HF7b.xml or PD5.xml). The version comes from within the file itself, not file details.

Defs02.JPG

  • You can check http://protect7.shavlik.com/ to see the latest information about patch data available for Protect.
    • You can use this as a way to verify the most current definition version available
    • This shows additions and revisions in the patch data.
    • This also may show informational tidbits from the Shavlik content team to help keep you up to date on any changes.

    Example: Defs03.JPG

Updating Patch Definitions

 

  • Generally if you have default settings (auto-update definitions enabled), Protect will attempt to update patch definitions automatically whenever a scan is run from the console.
  • If you need to manually run the definitions update, from the main menu, go to Help > Refresh Files.

Defs04.jpg

  • You'll see the 'Refresh Files' window pop up.
    • This shows all the files that Protect attempts to download/update as part of its own data files.
    • If you see any failures in downloading files, you may need to allow traffic to xml.shavlik.com.
    • Check the box 'Close when finished' if you want the window to automatically close when the update process finishes.

Defs05.jpg

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Patch Scanning & Deployment Best Practices - Configuring Patch Scan Templates and Filtering Options


 

Configuring Patch Scan Templates and Filtering Options

 

One of the main features of Protect is the ability to set up filtering for exactly what you want Protect to scan. There are many different ways you can set up the filtering to include only specific products, specific criticality or severity levels, or even specific updates. All filtering starts with the patch scan that is run, so the patch scan template that you use will determine what Protect will scan for. Below are steps on how to use and configure patch scan templates and other filtering options.

 

Viewing and Editing Existing Patch Scan Templates

 

1) From the main drop-down menu, choose 'Templates'.

Temp00.jpg

2) Within the Templates list, you will see two groupings for Patch Scan Templates.

  • Default Patch Scan Templates
    • These are the available built-in scan templates that are always available and cannot be renamed or deleted.
  • My Patch Scan Templates
    • These are the available custom scan templates that you or another admin have created.

Temp01.jpg
3) To get an idea of what the default settings are within a scan template, try clicking on the Security Patch Scan or WUscan template.

  • It will pop up the Patch Scan Template window where you can see the settings of the selected template. For the Default Patch Scan Templates everything is grayed out because these templates cannot be modified.
  • Below you can see, for example, what the Security Patch Scan template Filtering settings look like.
  • If you intend to just scan for all Security patches, using the built-in Security Patch Scan template may be all you need.
    • Likewise, if you intend to scan for all Security and Non-Security patches the WUscan may be all that you need.
  • Before creating a new template, check to see if one already exists that meets your needs.
  • When you click on a template from 'My Patch Scan Templates' you can edit the template settings. See the steps below on how to edit the settings as it is just the same as creating a new patch scan template.

Temp03.jpg

Creating New Patch Scan Templates and Using Filtering Options


1) From the main menu of Protect, go to New > Patch Scan Template.

Temp02.jpg


2) Make sure to name your template. You'll be prompted when trying to save the template if you fail to do so.


Filtering Tab

The Filtering tab of the Patch Scan Template is where you will set up all filtering of scan results.

It is not required to make any changes to filtering. However, it can be very useful when attempting to set up automation of patching.

Temp17.jpg


Patch Type and Vendor Severity

1) The most common change that you might be considering is what patches to scan for, based on patch type and vendor severity.

  • These are found under "Patch Properties - Detect only these patch types or severities:"
  • There are four main patch types available here:
    • Security Patches
      • Security bulletin related patches
        • Generally includes Microsoft major bulletins as well as Adobe, Java, and other vendor's security bulletins.
      • For any purposes of truly patching systems, these updates should be included.
    • Security Tools
    • Non-security Patches
      • Vendor patches that fix known software problems that are not security issues
    • Custom Actions
      • Enables you to perform custom actions even if you are already fully patched.
      • It does this by scanning for a specific QNumber and patch (QSK2745, MSST-001) that will never be found. The process uses the temporary file Nullpatch.exe.
      • It is generally best practice to not include this in your template, unless you intend to have a custom action run.
      • More information about custom actions can be found in this document:
  • To select which patch types and severities you want to include, just use the check boxes next to each.
    • It is possible to include only a certain vendor severity of each patch type if you wish.
      • In the example below you can see we would only be scanning for Security and Non-security patches with a vendor severity marked as 'Critical'.

Temp18.jpg

  • You can see the Vendor Severity of any patch by looking at the patch information found either within a scan result or View > Patches.
    • Note that you may need to add the Vendor Severity column or drag it over in the window to view it.

Temp19.jpg


User Criticalities

2) It is also possible to filter based on User Criticalities.

  • The default and best practice is to leave these unchecked.
  • To include certain user criticalities just check the box for those you wish to include in the scan.

We often see this confused with the Vendor Severity, but be aware that these are custom user criticality settings and are completely separate from the vendor severity settings.

The user criticalities must be set by the Protect admin before this filter will work properly.

  • User criticalities can be hard to manage - you will need to continually update the criticality of new patches as they come out for the filter to work properly.

Temp20.jpg

  • You can see the User Criticality that is set for any patches by viewing the 'User Criticality' column in a scan result or View > Patches.

Temp21.jpg

  • To set the user criticality of any patch, right click on the patch, then go to Set Criticality > Choose criticality.

Temp22.jpg

  • Once you have set the criticality, you will see the value indicated as seen below. (When viewing in a scan result or View > Patches)

Temp23.jpg


Product Filters

3) Product Filters can be used to filter based on the product which updates apply to.

  • Default is 'Scan all' (no product filtering).
  • This filter takes precedence over all other filters, meaning this filter will work along with any other filtering that is configured in the template.
  • Product filter set to 'Scan selected' will allow only the selected products to be scanned for.

Temp04.jpg

  • Product filter set to 'Skip selected' will exclude the selected products from the scan.

Temp05.jpg

  • Product filters are generalized, meaning many specific products are grouped into a generalized product option for the product filter.
  • However, to get an idea of which product filter would be associated with a specific patch, you can go into a scan result or View > Patches and view the 'Product name' that corresponds to any given patch.

Temp26-ProductinPatchView.jpg

    • In this case we can see the listed patches are associated with the specific product of Microsoft Office Professional 2010 (x64).
    • This would fall under the 'Microsoft Office' option from the list of available product filters within a scan template.
      • Any other flavors and versions of Microsoft office would also fall into the 'Microsoft Office' product filter.


Patch filter settings

4) Patch filter settings allow you to use a file or patch group to include or exclude specific updates from the scan.


Using a file to include or exclude specific patches from a scan
  • In the Patch filter settings, you can either choose scan selected to include or skip selected to exclude.
  • Next to the 'File:' box you can either click 'New' to create a new text file for use with this, or you can click the '...' button to browse for an existing file.
    It is best practice to use a .txt or .csv file. The file browser will allow you to link to any file type, but your scan will come back with no patches missing or installed if using an invalid file type with this filtering option. It will not warn you of an invalid file type.

Temp06.jpg

    • When creating a text file containing the list of patches, they must be listed by the Qnumber of the patch from Protect, and the Qnumbers should be listed one per line. Example below:

Temp07.jpg

  • If you don't know the Qnumber for a specific patch, you can refer to the Qnumber column found within a scan result or View > Patches to find this.
  • One method that may help in building a text file more quickly is to do the following:
    1. From the main menu of Protect, go to View > Patches.
    2. Highlight all patches that you wish to add to a file, then right click in the highlighted area, and choose 'Export selected patches to CSV...'.
      Temp08.jpg
    3. Once you have the CSV file, open it with a spreadsheet application such as Excel where the Qnumbers are lined up.
      Then you can highlight and copy/paste them into a .txt file.
      Temp09.jpg
    4. If everything works OK you should easily get a text file formatted correctly that can be used for the purpose of patch filtering.
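
The copy/paste step above can also be scripted. The following PowerShell is an added example, not part of the original article or of Protect itself; the 'QNumber' column header, the pattern used to recognise a Qnumber, the output encoding and the sample rows are assumptions made for illustration.

```powershell
# Added example: turn a "View > Patches" CSV export into a one-Qnumber-per-line filter file.
# Assumptions (not from the article): the export has a column header named 'QNumber',
# and every Qnumber starts with 'Q' and contains no whitespace.

function ConvertTo-QNumberList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # rows from Import-Csv / ConvertFrom-Csv
        [string] $Column = 'QNumber'               # assumed column header
    )
    if ($Rows[0].PSObject.Properties.Name -notcontains $Column) {
        throw "Column '$Column' not found in the export."
    }
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in $Rows) {
        $q = ([string]$row.$Column).Trim()
        if ($q -eq '') { continue }                # ignore rows with an empty Qnumber cell
        if ($q -notmatch '^Q\S+$') {
            Write-Warning "Skipping value that does not look like a Qnumber: '$q'"
            continue
        }
        if ($seen.Add($q)) { $q }                  # emit each Qnumber once, in original order
    }
}

function Export-PatchFilterFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $QNumbers,
        [Parameter(Mandatory)] [string]   $Path
    )
    # The file browser accepts any file type, but an invalid type makes the scan
    # return no missing or installed patches without any warning, so refuse it here.
    if ([System.IO.Path]::GetExtension($Path) -notin '.txt', '.csv') {
        throw "Use a .txt or .csv file for the patch filter: $Path"
    }
    # ASCII is an assumption; it is a safe subset of both ANSI and UTF-8.
    Set-Content -LiteralPath $Path -Value $QNumbers -Encoding ASCII
}

# Constructed sample standing in for an exported CSV (all values are made up).
$sampleCsv = @'
QNumber,Product name
Q0000001,Example Product A
Q0000002,Example Product B
Q0000001,Example Product C
,Example Product D
not-a-qnumber,Example Product E
'@

$rows = $sampleCsv | ConvertFrom-Csv
$list = ConvertTo-QNumberList -Rows $rows          # Q0000001, Q0000002
Export-PatchFilterFile -QNumbers $list -Path (Join-Path $env:TEMP 'patch-filter.txt')
```

For a real export, replace the sample with `Import-Csv -LiteralPath <exported file>` and adjust `-Column` to the header that appears in your file.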

Using Patch Groups to include or exclude patches in a scan
  • To use a patch group within your scan template you will first need to create a patch group to use.
  • From the main drop-down menu, choose 'Patch and SP Groups' if you want to view or edit existing templates.

Temp10.jpg

Steps for Creating a new Patch Group:

  1. From the main menu, go to New > Patch Group...
    Temp11.jpg
  2. Make sure to name the patch group.
  3. Click the 'Add...' button to add patches to the group.
    Temp12.jpg
  4. After clicking 'Add...' you'll be presented with the 'Select Patches' window. From this window, you need to place a check in the 'Include' box next to each patch that you want included in the patch group. Click on the 'Select' button when done.
    Temp13.jpg
  5. You will see the patches added into the list under 'Patch Group Members'.
    Temp14.jpg
  6. An alternate and often easier method is to add patches from a scan result or View > Patches. This allows you to highlight multiple patches, right click in the highlighted area, then choose Add to Patch Group > GROUPNAME.
    Temp15.jpg
  7. Once you have your patch group created or edited how you like, you need to add it to your scan template.
    1. For Patch filter settings choose whether to 'Scan selected' (include) or 'Skip selected' (exclude).
    2. Next to 'Patch group(s)', click the '...' button to bring up the 'Select Patch Groups' window.
    3. Select any patch groups you intend to use for this scan template. Then click the 'Select' button.
    4. You will see the selected patch groups added into the list area.
  8. Make sure to save the changes to your template.
    Temp16.jpg
Combining Multiple Filters
  • Below is an example of what it might look like when combining multiple filters for the Patch Scan Template.
  • This is what will happen based on these filtering settings:
    • Only Security and Non-security patch types will be scanned.
      • Of that, only Critical, Important, and Moderate severity patches will be scanned.
    • The scan will only include the selected products in the product filter.
    • The scan will skip (exclude) the specific patches listed in the patch group 'Test Group'.

Temp24.jpg

General Tab

  • On the General tab of the scan template, you can choose if Protect should report results of only missing patches or also installed and even effectively installed patches.
    • Only missing patches - Scan results when using this template will only show missing patches (and service packs).
    • Both missing and installed patches - Scan results using this template will show both missing and explicitly installed patches.
      • Explicitly installed patches are those where Protect was able to detect that both the registry key exists and the affected files are at the correct version.
    • Checkbox to 'Include effectively installed patches'.
      • If checked, you will also see effectively installed patches in your scan results and reports when using this scan template.
      • Effectively installed patches are those where the file version is at or above the required version for the patch to be considered installed. Often this happens with superseded updates.

Temp25.jpg

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)


Patch Scanning & Deployment Best Practices - Configuring Patch Deployment Templates


 

Configuring Patch Deployment Templates

 

The deployment template in Protect is used to determine what actions will take place during patch deployment. This allows you to define the behavior of patch deployment and reboot functions.

 

Viewing and Editing Existing Deployment Templates

 

1) From the main drop-down menu, choose 'Templates'.

Temp00.jpg

2) Within the Templates list, you will see two groupings for Deployment Templates.

  • Default Deployment Templates
    • These are the available built-in deployment templates that are always available and cannot be renamed or deleted.
  • My Deployment Templates
    • These are the available custom deployment templates that you or another admin have created.

Temp01.jpg

3) To get an idea of what the default settings are within a deployment template, try clicking on the 'Standard' deployment template.

  • It will pop up the Deployment Template window where you can see the settings of the selected template. For the built-in Deployment Templates everything is grayed out because these templates cannot be modified.
  • Below you can see, for example, what the Standard deployment template General settings look like.
  • You might find that one of these templates will work fine for what you are trying to accomplish during patch deployment.
    • Consider all the settings of the deployment template before going ahead with it - especially reboot settings.
    • All of the built-in deployment templates include the 'Always reboot after deployment' rule.
  • Before creating a new template, check to see if one already exists that meets your needs.
  • When you click on a template from 'My Deployment Templates' you can edit the template settings. See the steps below on how to edit the settings as it is just the same as creating a new patch scan template.

Temp02.jpg

 

Creating a New Deployment Template

 

1) From the main menu of Protect, go to New > Deployment Template.

01.jpg

2) Make sure to name your template. You'll be prompted when trying to save the template if you fail to do so.

3) Editing Settings of the Template


General Tab

The General tab of the Deployment Template is where you will set up general rules for patch deployment.

better.jpg

  • General Settings
    • Copy speed
      • Allows you to change how fast Protect will try to force updates to be copied to target machines. If you are attempting to save bandwidth it can help to drag this to the 'Slow' side of the bar.
    • Seconds to wait before retrying - If a patch copy fails, you can specify how long to wait between retries.  Valid values are from 0 to 100 seconds.
    • Hours until post deployment emails are sent - You can specify how long to wait for patches to finish installation before automatic email reports are sent. This forces the e-mail messages to be sent even if the console cannot determine that all the machine deployments completed.
  • Deployment Actions
    • Before
      • Shut down SQL Server
      • Shut down IIS Server
        • These services will be automatically shut down when an SQL or IIS patch (respectively) is applied to a remote machine regardless of this setting. Use this setting to shut down these services when installing OS or similar hotfixes, particularly if you are planning to reboot the machine after installation.
    • During - These options are all enabled by default and it is best practice to leave them enabled.
      • Backup files for uninstall
        • Any files that are modified will be backed up so that an uninstall can be performed if something goes wrong.
      • Quiet mode
        • Run the updates in quiet mode (no user interaction). If unchecked the user will see updates prompt them for interaction.
      • Send Tracker status
        • Deployment is set to send tracker status messages to the Protect console during deployment. The only time you should uncheck this is if you know machines being patched will not be able to communicate with the Protect console at the time of the deployment.
    • After
      • Remove temp files
        • Checking this box will set the deployment to automatically delete patch files that were copied to the target system as part of this deployment after installation has completed.
  • Remote Dialog
    This does not work with agents.
    • Show dialog on remote machine during execution - You can have a pop up box show up to notify users with a custom message.
      • Title
        • Set the title of the custom remote dialog pop up.
      • Caption
        • Set the caption of the custom remote dialog pop up.

     remoteDialog.JPG

          Above: An example of how the remote dialog message will appear to a user.

 

Office Tab

The Office tab gives you a way to point to the original installation media (for older versions of Office that require this).

  • Office 2007 and newer shouldn't require any change here.
  • More information can be found in the Help Article.


Pre-Deployment Reboot

The Pre-Deployment Reboot tab has all the same functions available as Post-Deploy Reboot, but this tab is to be used if you want a reboot prior to installation of patches.

  • This can be beneficial to use in cases where you think software that needs updating might still be running.
  • A pre-deployment reboot could help to ensure successful installation of patches.
  • Refer to information below in 'Post-Deployment Reboot' for details about the different functions.


Post-Deployment Reboot

The Post-Deployment Reboot tab will be configured more often. There are many patches that require a reboot for a fully successful installation. It is best practice to configure a post-deployment reboot of some sort whenever deploying updates to the machine.

03.jpg

The functions configured for reboot will go in this order:

    Main reboot rule -> 'Schedule reboot' rule -> What power action? -> 'If a user is logged on' rules ('User may' rules)

  • The available main functions:
    • Never reboot after deployment
      • After patches have run their installation, no reboot will be called. If some patches require reboot to complete installation they may show up missing again in Protect until a reboot has been performed.
    • Always reboot after deployment
      • After patches have run installation, a reboot will be called regardless of whether it is required.
    • Reboot when needed
      • After patches have run installation, a reboot may be called based upon return codes from patch installation.
  • Schedule reboot:
    • Immediately after installation
      • Using this option will force the reboot to take place right after patch installation is done running. It then moves into the 'If a user is logged on' rules.
    • On the next occurrence of specified time
      • Using this option will force the reboot to take place at the next occurrence of the time listed. It then moves into the 'If a user is logged on' rules.
    • On the next occurrence of specified date and time
      • Using this option will force the reboot to take place at the next occurrence of the date/time listed. It then moves into the 'If a user is logged on' rules.
  • Power action:
    • You have a few options to choose from for what 'Power action' will be taken. Consider the impact of each of these and which one is best during the time-frame the power action will take place. One of these options must be chosen unless the main rule is set to never reboot. The default is 'Restart'.
      • Restart
      • Restart, then sleep if possible
      • Restart, then hibernate if possible
      • Restart, then shut down
      • Shut down only, do not restart
  • If a user is logged on:
    • Alert user, perform action when user logs off
      • Lets the user know a reboot will be performed when they log off
    • Force action after (minutes)
      • Lets the user know a reboot is needed and will be performed. Forces the reboot after the number of minutes specified.
    • Force action on:
      • Forces the reboot to take place at an exact date and time.
    • Show:
      • Countdown time-out (minutes)
        • Allows you to set the countdown timer that the user will see.
        • You can set the language as well.
        • See image below for an example of what the user will see. You can click 'Show sample countdown' in the template to see how yours will look.
    • User may:
      • Extend time-out up to the scheduled action time (increment in minutes)
        • Allows the user to postpone the reboot for x number of minutes but will still force the reboot based on the main rule.
      • Cancel time-out (perform action when user logs off)
        • Allows the user to cancel the reboot for the time that they stay logged in on the system. Once they log off, the power action is forced.
      • Cancel action (patch installation will complete at next reboot)
        • Allows the user to cancel the power action altogether. If some patches require reboot to complete installation they may show up missing again in Protect until a reboot has been performed.

    Capture.JPG

          Above: Example of the countdown message a user will see when a reboot will take place after Protect deploys patches.

 

Email Tab

The Email tab allows you to set automatic email reports to be sent out during or after deployment (depending on which report is chosen).


Custom Actions

Custom Actions give you the ability to push additional files and run scripts along with your patch deployment.

 

Distribution Servers

You can specify in a deployment template if a distribution server should be used for the distribution of patches.

The default option is 'Console push'. Here is a break down of the options available here:

  • Console Push (default)
    • The default method of copying patch files to target systems is for the console to "push" the files to each target system.
  • Use Distribution Server by IP Range
    • Allows you to have the deployment use a distribution server hosting patch files so target machines will copy any needed files from the associated distribution server rather than having the files pushed to each target machine from the console system.
      • This requires that you have a distribution server and IP ranges for distribution servers configured in Tools > Operations.
      • More information about working with distribution servers can be found in this Help Article.
    • Use backup server - Allows you to choose a specific distribution server as a backup in case one associated by IP range is unavailable.
    • Use vendor as backup source - If a distribution server is unavailable this allows the target machine to try to download needed patches from vendor websites.
    • Distribute scheduled start times (in minutes) - Staggers the amount of target machines attempting to connect to distribution servers and download patches simultaneously.
    • If a patch is not on the Distribution Server, retry:
      • These are the options you can set for target machines to take if a patch was not on the distribution server at the time of deployment.
        • Never
        • After machine Reboots
        • After machine reboots and every 4, 8, 12, 24, and 48 hours afterwards.

04.jpg

 

Hosted VMs/Templates

This tab has functions that are intended only to work with VMware virtual machines and templates hosted by ESXi and vCenter.

To use these features - the systems MUST be added to a machine group via the 'Hosted Virtual Machines' tab.

Here's the break down of the options available:

  • Take pre-deployment snapshots
    • If this is checked the deployment process will call for the VMware host to take a snapshot of any VMs being patched, prior to running the deployment.
  • Take post-deployment snapshots
    • If this is checked the deployment process will call for the VMware host to take a snapshot of any VMs after patch deployment has completed.
  • Maximum snapshots Shavlik Protect will manage
    • Sets the maximum number of snapshots that Protect will manage for each VM.
  • Delete old snapshots created by Shavlik Protect (age in days)
    • Allows you to set how long to keep snapshots
      Protect does not automatically delete the snapshot on its own after the amount of days is reached. Old snapshots will only be deleted at the next time a deployment occurs using template settings to take snapshots. Because of this it is important to note that once you reach the "Maximum snapshots Shavlik Protect will manage", there will always be that number of snapshots for each VM unless you delete those snapshots outside of Protect's functionality.

05.jpg

 

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Patch Scanning & Deployment Best Practices - Successfully Running Agentless Patch Scans & Deployments


 

Successfully Running Agentless Patch Scans & Deployments

 

The main function of Shavlik Protect is to scan machines for updates that are needed, and to be able to install those updates. This section should help provide you some resources to make sure you can successfully perform and understand these tasks.

 

Patch Scanning

 

Overview of Patch Scan Process

An agentless scan in Protect works by doing the following:

  1. [As long as console is not set in disconnected mode] Performs a check for new patch definitions, then downloads and imports new definitions if needed.
  2. Resolves the machines that have been selected to scan. If the machine cannot be found or resolved, the scan will fail.
  3. Once a machine has been resolved, Protect will connect to the machine with the provided credentials. If no credentials have been provided for the machine or machine group Protect will attempt to use the currently logged on credentials to gain access. If no valid credentials are provided, the scan will fail.
  4. Protect will connect to the remote machine's registry and file system, and it will read the values of files and registry keys based upon detection logic defined within Protect's patch definitions. This is how Protect will determine the products that are installed on a machine and what updates are considered missing, installed, and effectively installed.
    • It is worth noting that Protect will make a separate connection for each check that is performed. Because of this, high latency and slow connections can cause the scan to take an exponentially long amount of time to complete. More information here.
    • If Protect cannot gain access to read the remote machine's registry or file system, the scan will fail.
  5. A scan result file is created within one of the sub-directories under C:\ProgramData\LANDESK\Shavlik Protect\Console\Arrivals.
  6. The information of the scan result is then imported to the Protect database, and the temporary file from "Arrivals" is deleted.
    [File is not deleted if 'Keep imported files' is enabled in Tools > Options]
  7. Scan results are then viewable within the Protect console, can be used for deployment, or can have reports run against them.

 

Requirements for Agentless Patch Scanning

The requirements to be able to successfully perform patch scans can be found here:

 

Running a Patch Scan

All patch scans are performed as background tasks using the services of the Operations Monitor. This means you can initiate a scan and then move on to other concurrent work within Shavlik Protect without having to wait for the scan to complete. This also means you can have multiple patch scans active at the same time.


There are a few methods to initiate a patch scan:

  • From the Home page of Protect
  • From a Machine Group
  • From a Favorite
  • From Machine View

 

For full details on how to initiate patch scans, see the Protect Help Article - How to Initiate a Patch Scan.

 

Troubleshooting Patch Scan Failures

If Protect is unable to scan a machine it will be placed in the 'Machines not scanned' section of a scan result, and there should be an error code and brief message provided. Generally an error indicates that one or more of the scanning requirements is not met, however, a full listing of the error codes and how to troubleshoot and fix each error is listed in this document:

Troubleshooting Shavlik Protect patch scan error messages

 

Patch Deployment

 

Overview of Patch Deployment Process

An agentless deployment in Protect works by doing the following:

  1. List of patches to deploy is either automatically generated (scan & auto-deploy) or manually generated based on choice of patches to deploy from a scan result.
  2. The patch installer files are downloaded, and the digital signatures of those files are verified.
  3. Deployment files are created for each machine (.bat & .cfg files), based on what patches are chosen to install as well as the settings in the chosen deployment template.
  4. Deployment files and patch installer files are pushed to target machines, copied into C:\Windows\Propatches and sub-directories by default.
  5. Scheduling is set up for patch installation.
    These actions take place for scheduling with the default (Shavlik Scheduler):
    1. Install scheduler if it's not present or re-install scheduler if in need of an update or other issue detected.
    2. The deployment job is scheduled to take place based on the time specified by the admin who set up deployment.
      1. If "Deploy now" was chosen, the scheduler immediately runs the deployment job.
      2. If a later time is set, the scheduler waits until the specified date/time occurs on the target machine, and then runs the deployment job.
    3. Once run, it is the commands within the .bat file created for deployment that call for patch installation and perform the deployment of patches based upon the settings that were chosen within the deployment template. By default, deployment tracker results will be sent to the console throughout the patch deployment process.
    4. If set to do so, a reboot will occur. The .bat file running deployment renames itself to a .HIS after completion.
    5. An automatic re-scan will be performed to verify successful installation of patches.
    6. Deployment of patches will be reported back to the console as 'Successfully installed'.
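
Because staged files can sit on a target between the copy and the installation, it can be useful to re-check them there. The following PowerShell is an added example, not Shavlik's own tooling: it checks the Authenticode signatures of installers under the default staging folder named above and reports whether each deployment .bat has been renamed to .HIS. The function name and the list of installer extensions are assumptions.

```powershell
# Added example: audit the patch staging folder on a target machine.
# Assumptions (not from the article): the installer extensions listed below, and that
# every .bat/.HIS file under the staging folder belongs to a deployment job.

function Get-StagedPatchAudit {
    [CmdletBinding()]
    param(
        [string]   $Path = 'C:\Windows\Propatches',   # default staging folder per the article
        [string[]] $InstallerExtensions = @('.exe', '.msi', '.msp', '.msu', '.cab')
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Staging folder not found: $Path"
    }
    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        $ext = $file.Extension.ToLowerInvariant()
        if ($InstallerExtensions -contains $ext) {
            # Re-verify the signature on the copy that will actually be executed.
            $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Kind     = 'Installer'
                File     = $file.FullName
                Status   = $sig.Status.ToString()     # Valid, NotSigned, HashMismatch, ...
                Signer   = $signer
                Modified = $file.LastWriteTime
            }
        }
        elseif ($ext -in '.bat', '.his') {
            # Per the article, the deployment .bat renames itself to .HIS when it completes.
            $state = 'Pending'
            if ($ext -eq '.his') { $state = 'Completed' }
            [pscustomobject]@{
                Kind     = 'DeploymentJob'
                File     = $file.FullName
                Status   = $state
                Signer   = $null
                Modified = $file.LastWriteTime
            }
        }
    }
}

# Run only where the staging folder exists; list installers whose signature is not valid
# and deployment jobs that have not finished.
if (Test-Path -LiteralPath 'C:\Windows\Propatches' -PathType Container) {
    Get-StagedPatchAudit |
        Where-Object {
            ($_.Kind -eq 'Installer'     -and $_.Status -ne 'Valid') -or
            ($_.Kind -eq 'DeploymentJob' -and $_.Status -eq 'Pending')
        } |
        Sort-Object Kind, File |
        Format-Table Kind, Status, Modified, File -AutoSize
}
```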

 

Patch Deployment Prerequisites

The prerequisites to be able to successfully deploy patches to remote machines can be found here:

 

Running Patch Deployment

All patch deployments are performed as background tasks, regardless of how they are initiated. In other words, the deployment is launched as its own separate Windows task. This means you can initiate a patch deployment and then move on to other concurrent work within Shavlik Protect without having to wait for the deployment to complete. This also means you can have multiple patch deployments active at the same time.

 

These Help articles cover certain aspects of how to deploy patches:

 

Deploying Service Packs

It is generally considered best practice to deploy service packs prior to deploying patches. This is because service packs often include fixes of many patches, and once a service pack is applied there may be new updates that are required only when that service pack is installed. In the long run you are saving time by deploying the service packs first, although, they can generally be a bit more of a pain to deal with initially.

 

The information referenced here should help make deploying service packs understandable and easier to manage:

 

Deploying to Hosted Virtual Machines and Templates

Deploying to hosted VMs and templates uses the same basic functionality as the patch deployment process described above; however, additional steps take place and there are additional requirements.

 

Refer to the following pieces of information to help with requirements for deploying to hosted VMs & Templates:

 

Troubleshooting Deployment Failures

Troubleshooting deployment failures can be quite a bit more in-depth than troubleshooting a scan failure. Consider these questions:

  • Is there an immediate failure?
  • What is the error message, if any is given?
  • If the failure is only with a certain patch or specific group of patches - what is the correlation between them if any?
  • Often the problem starts with the scan if patches are failing to install. Is the scan using the latest patch definitions? What scan template was used to run the scan?
  • Refer to the following resources for any self-help with deployment failures:
  • If you can't figure out a resolution, contact support with any of the above information as well as any program logs you can provide.

 

Automation of Patch Scanning and Deployment

 

Protect can automate patch scanning and deployment by using the scheduling features that are built in. This is where filtering set up within the patch scan template that you use can become a big factor. If you plan to automate scan and deployment you need to consider what updates you intend to allow (filtering), what time you can accomplish the installation of patches, and what the best method for you to accomplish this might be. With Protect there can be variations of how you can automate your patch scanning and deployment.

 

Here are a few options:

  • Recurring scheduled scan with auto-deployment
    • Less control, but this is the fully automated option.
  • Recurring scheduled scan, manual scheduling of deployment.
    • Still somewhat automated, but you will need to look at scan results and schedule deployments after scans have already completed.
  • Recurring scheduled scan, auto-deploy enabled with 'Copy Patches only' feature. Manual scheduling of actual deployment.
    • Allows you to perform scans and have patches automatically downloaded and copied to target systems. You will need to look at scan results and schedule another deployment later that will actually run the installation of the patches. This option could help if you want to make sure you have everything ready to go for a maintenance window that limits how much time is available for the whole process to take place.

 

An example of a fully automated scheduling of patch scanning and deployment:

Capture.JPG

 

If you ever need to delete a scheduled scan of any kind (even with auto-deploy) just go into Manage > Scheduled Tasks and locate your console system in the list. The job will be listed under the console system's scheduled jobs and can be deleted from here. Note that if you are using the Microsoft Task Scheduler, you would need to check the Microsoft Task scheduler list for this instead.

 

Additional Information about setting up scheduled scans, deployments, and automated tasks can be found in these resources:

 

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Patch Scanning & Deployment Best Practices - Considerations


Additional Considerations for Patch Scanning & Deployment

 

Testing Patches

 

It is best practice to test installing patches in a staging/test environment before patching your production systems. This can be especially important for updating servers and if you have custom software running in your environment. By testing installation of patches first you can avoid a lot of headaches in case an update changes the compatibility of some component or application that might affect software running in your environment.

 

You should factor testing into your estimated time that it will take to get new updates pushed out.

 

Bandwidth and Timing Considerations

 

Scanning will not use a lot of bandwidth, however, if the speed of connection is very slow and has high latency it will cause agent-less scans to take a very long time to finish. You can read more about this and plausible workarounds here: Troubleshooting Slow Patch Scans In Shavlik Protect

 

Deploying patches is where bandwidth considerations come into play.

As an example, let's say you're deploying an average of 20 new patches each month to 100 systems. The average patch size is around 30MB with some much smaller and some much larger. If you use regular agent-less deployment, these 20 patches will be pushed to all 100 systems.

20 x 100 x 30 = 600000 MB (600 GB) of traffic that will go over your network.

 

Deploying these patches in your environment is going to have a big hit on bandwidth. Take these things into account:

  • Consider the limitations of your network.
  • Will deploying during peak (operational) hours cause slowness of other more important traffic?
  • Where are all the systems located? Those going over WAN will have much slower connection and patches may fail to copy or take longer than the maintenance period to copy.

 

Timing is another thing to consider.

You might have a maintenance window of only a few hours during the middle of the night. This is where the scheduling options in Protect are very helpful, however, another thing to consider is just how much time the patch files will take to get copied to all of your target machines. Will that amount of time plus the time it takes for installation to complete fit into your maintenance window?

 

Options to Minimize Impact:

There are a couple things you can do to try to minimize the impact of agent-less deployment of patches with Protect:

  1. Copy patch files ahead of time - There is an option to only copy patch files rather than copy and run installation. This allows you to copy files at a different time than when you plan to actually deploy patches.
    1.jpg
  2. Use a distribution server - This is especially helpful if you are using agent-less deployment to machines in remote locations. You can have a 'Distribution Server', essentially a windows share hosting the patch files, located at each remote site so that the files are more easily accessible for those systems when deploying.

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Patch Scanning & Deployment Best Practices - Patch Tuesday Survival Guide and Best Practices


 

Patch Tuesday Survival Guide and Best Practices

 

In the world of Windows systems, Patch Tuesday (generally the second Tuesday of each month) is the day that patching is planned around, since new updates are released by Microsoft on that day. Below is a list of things to consider when preparing for Patch Tuesday so that you stay successful in getting your updates applied in a timely fashion using Shavlik Protect.

 

Stay Up-To-Date on When Updates Are Released in Shavlik Patch Definitions

 

Microsoft has been pretty good about getting most main bulletins and security fixes released on Patch Tuesday each month. Keep in mind that it will take some time for the Shavlik Content Team to properly build detection and deployment logic as well as test the updates before releasing new patch definitions. Generally Shavlik will have the new updates added to Protect's patch definitions within 24 hours of release from Microsoft on Patch Tuesday.

 

You can get notifications and follow when the new patch definitions are released by Shavlik using the resources cited in this document:

How To Know When XML Updates (patch definitions) Are Released And How To Receive Notifications

 

Patch Tuesday is not the only time you may be wondering when an update will be added to Protect. The Shavlik Content team generally releases new patch definitions every Tuesday and Thursday evening. If there are any out of band critical updates released by vendors, the Shavlik Content Team will generally release new content as soon as possible.

 

If there is an update you consider critical and do not see added to Shavlik's patch definitions, please contact support to verify when the update will be added.

 

Most importantly - make sure you actually have the latest patch definitions in Protect once they're released.

Patch Scanning & Deployment Best Practices - Verifying and Updating Patch Definitions

 

Make Sure to Test Patches

 

Read more in Patch Scanning & Deployment Best Practices - Considerations

 

The one thing Microsoft's Patch Tuesday is negatively known for is the effect that some patches can have in your environment if you don't test them first! Microsoft often releases a revised version of an update due to problems initially seen when the bulletin is deployed at customer sites. Avoid these problems by testing patches first.

 

Consider Best Practices in Applying Updates

 

Microsoft has some official documentation on what they recommend as best practices.

Best Practices for Applying Service Packs, Hotfixes and Security Patches

 

Other vendors may have additional best practices and things to consider when deploying those updates. Consider researching this prior to deploying updates.

 

Here are some additional guides on best practices from Shavlik:

 

Prioritize Updates to Deploy

 

Often you may be limited by a maintenance window as to how many updates you will have time to deploy. If this happens you will need to prioritize what updates to deploy.

  • You should first consider - of the updates that are not applied in your environment, which ones are the most critical? (both based on vendor and based on what you believe to be critical in your environment)
  • Are your systems at the latest service pack? Unless you have applications running that require an older service pack and will not work on the latest - you should consider it a priority to get the latest service packs applied, especially for the operating system.
  • Are there updates that you know will break something in your environment? Or updates you know are not necessary in your environment? Make sure to exclude those updates.
  • When will you be able to deploy the non-critical updates? Even though you obviously want to get critical updates out first and foremost, you should still try to plan a time to get the current non-critical updates deployed sometime before next Patch Tuesday hits. Otherwise you will start to fall behind on getting all updates applied to your systems.

 

 

Back to Patch Scanning and Deployment Best Practices Guide (Agentless)

Continue with Agentless deployment or is it time to move on to Agents?


Hey Everyone!

 

We have been running an Agentless deployment for a couple years now; however, we now have 40% of our machines on VPN, which is becoming a nightmare to scan and patch. Most users disconnect from VPN during the day, or shut down, etc., and since scanning takes so long we end up not catching these machines in time to patch them.

 

Does it make sense in this scenario to start using Agents? From what I understand, scanning time is almost instantaneous with Agents. Can anyone using Agents provide some better insight?

 

Thanks!

 

AC
