We have two freshly built Server 2012 R2 machines (Standard with GUI).  In both cases, we installed, ran Windows Update until it converged, then scanned with Protect and applied everything it wanted.  Protect says MS14-A07/Q2973351 is needed because:

The registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2973351~31bf3856ad364e35~amd64~~6.3.1.0\CurrentState' does not exist. It is required for this patch to be considered installed.

but the install fails.  Windows tells me that 2973351 is installed and the patch says not applicable if I run it manually

The above registry entry does not exist, but there is an almost identical entry with 6.3.2.0 instead of 6.3.1.0.

If I uninstall 2973351, reboot, and install again with Protect, I get the registry entry you expect and a scan says I'm up-to-date.

Uninstall again, then reinstall with Windows Update and this time I get 6.3.1.0 (the value you expect).

Microsoft, what are you doing???

Purpose

The purpose of this article is to discuss how to clean up the Temp folder in the \\localdisk\Windows\Temp directory.

NOTE: This mainly happens when using the Shavlik Protect Agent Antivirus (Vipre) fills up the Temp folder with SBS files.(http://kwsupport.com/2015/01/vipre-creating-thousands-of-sbs_stdrl-temp-files/)

Description

To delete the files in the Temp folder:

1) Open up the Shavlik console that is attached to the Agent.

2) Go to Manage > ITScripts.

3)  Highlight the 'Remove Temp Files' script under the 'Maintenance' Category and then select 'Approve'.

4) Once the ITscript has been approved. Close out of the Manage ITScripts window and navigate to View > Machines.

5) Select the machine affected and then right-click and highlight 'ITScripts' and then click on 'Run script...'.

6) This will bring up the Run ITScripts window. Select the 'Remove Temp Files' script from the drop-down box (default if it is the only one approved) and click Continue.

7) Confirm the target machine affected and then select when you want the script to run and then click on Run.

Additional Information

ITScripts Requirements

If this in regards to Vipre filling up the Temp folder with SBS files, the suggested practice is to make sure that Shavlik Protect Agents have the latest Threat Definition data.

To enable this, follow the guide outlined in this article:How To Schedule Automatic Definition Downloads

Affected Product(s)

Shavlik Protect 9.x

I'm trying to track down what scheduled job a patch is coming from on a certain subset of machines.

We have a few java sensitive machines and java keeps getting updated on them however I cant seem to find a good way to see what Shavlik scheduled job is responsible. The jobs log on the actual machine is blank, I can see the patch entry in log.  The console for the patch is listed as the machine's name but like I said the jobs log is empty.  I looked in the agent interface but that just appears to show me the same log entries as the Scheduled Task Manager.

Is there anyway to track down what job is installing java every patch night?

Running Shavlik Protect advanced 9.1.0 build 4511

Thanks,

Eric

Shavlik Support and Training

http://www.shavlik.com/support/onlinehelp.aspx

Below is a list of the available resources online

Online Documentation

Current Versions

  Shavlik Protect 9.0

• Online Help (HTML)
• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)
• Protect Quick Start Guide (PDF)
• Agent Quick Start Guide (PDF)
• Virtual Machine Quick Start Guide (PDF)
• Best Practices Guide (PDF)
• Guidelines for Creating Customer ITScripts (PDF)
• Language Support for Patch Data (PDF)
• Supported Products (HTML)

  VMware vCenter Protect Essentials Plus - Configuration Management v4.3

• Online Help
• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)
• Quick Start Guide (PDF)

  Shavlik SCUPdates

• Shavlik SCUPdates Quick Start Guide for SCUP 2011 (PDF)
• Shavlik SCUPdates Quick Start Guide for SCUP 4.5 (PDF)
• Language Support for Patch Data (PDF)
• Google Chrome Update Guide (PDF)
• Supported Products (HTML)

Previous Versions

  VMware vCenter Protect Standard/Advanced 8.0.1 and 8.0.2

• Online Help
• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)
• Protect Quick Start Guide (PDF)
• Agent Quick Start Guide (PDF)
• Virtual Machine Quick Start Guide (PDF)
• Best Practices Guide (PDF)
• Guidelines for Creating Custom ITScripts (PDF)
• Language Support for Patch Data (PDF)
• Supported Products (HTML)

  VMware vCenter Protect Essentials/Essentials Plus 8.0

• Online Help
• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)
• Agent Quick Start Guide (PDF)
• Virtual Machine Quick Start Guide (PDF)
• Best Practices Guide (PDF)
• Guidelines for Creating Custom ITScripts (PDF)
• Language Support for Patch Data (PDF)

  Shavlik NetChk Configure 4.2

• Online Help
• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)
• Quick Start Guide (PDF)

  Shavlik NetChk Configure 4.1

• Installation Guide (PDF)
• Upgrade Guide (PDF)
• Administration Guide (PDF)

The Windows Microsoft Security Advisory: Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 bulletin ID MS15-A02 KB3033929 fails.  Is this a known issue with MS?  

Symptom

STAgentUpdater.log

WinTrustVerifier.cpp:195 Certificate verification failed with error : -2146762748

Cause

The OS is unable to verify the digital signature. The specific error is -2146762748 which is a Mircosoft error that translates to "The subject is not trusted for the specified action"

Resolution

1) Update the Root Certificate on the client machine. You can update it manually or run a scan with Security Tools enabled against it. It's going to be MSRC-001 or MSRC-002.

2) It's possible the System Account (used to run the agent services) is having issues on the machine. You could attempt to run the agent services as a domain account as a test.

Symptoms

When deploying patches, the deployment tracker shows 'Scheduled' or 'Executed' but never updates with a new status.

Cause

These are two of the most common causes for this issue:

• Port 3121 is blocked and Track traffic is not making to the Protect Console.
• The deployment failed to start..

Resolution

Verify that communication from the Target to the Console is open on port 3121.

Using Telnet to test ports

Port requirements for Shavlik Protect

When initiating a deployment, the patches and deployment files are copied to the target, then a job is created in the scheduler, which sets the Deployment status to 'Scheduled'. Once the deployment is running, it will send status updates to the console over port 3121. If that port is blocking traffic, the status will stay at 'Scheduled'.

If traffic is able to go through port 3121 from the target to the Console, the batch file may be failing to initiate and run. This can be caused by Anti Virus, or locked down security features on a machine.

The ProPatches folder also might be full on the target machine and clearing out the old files may allow space for the patches to execute.

Affected Product(s)

Protect 9.X

I  have a question concerning distribution server   synchronization with the  console server.  If new files are added to the protect server console  they get synchronized and show up on the distribution shares at the  50 +  remote location where I have a local distribution share for the local  agent based clients.  What does not happen is  if I remove files from the server protect console server  the change does not replicate during the synchronization process. Is there a way to  also delete files during the synchronization or  will I have to  manually do this at 50 +  distribution shares?

How  do others of you using distribution shares   clean out old not longer needed files?  I do not have the luxury  of lots of free space on the remote servers that have the distribution shares and need to clean these   to prevent t running out of space especially now that   shavlik protect is now patching all our workstations as well.

Thank you

I have read the best practice guide as well as the admin guide  but  I am wanting to know what is the best method  that works for an environment  that consists of 50 + locations many of which have  easily taxed  connections (hence why agents). I have the majority of the agents installed via console pushes but shill have  another 20%.  What method works best other than console push to install the agent remotely and  assign the correct policy (one for desktops and one for laptops). I would like any desktop or laptop that is part of the network to automatically install the agent  and assign the correct policy if it does not already have  the agent. Would a GPO  be able to do this and install the correct agent?  I have also read one could  create a patch scan that deploys the agent if the scan detects it is not installed but could not find details on how to create this custom scan/ patch to complete the task . Any suggestions  are welcome.

Hello

I would remove the vCenter from Virtual Inventory in Shavlik Protect 9.1. When I use the delete function, I receive the error "ST.Protect has stopped working", and Shavlik Protect crashes. In the ST.Protect.log I see the following:

2015-04-23T13:55:29.3830187Z 0001 C Launcher.cs:74|System.InvalidOperationException: Crash from main UI thread ---> System.FormatException: Input string was not in a correct format.

   at System.Text.StringBuilder.AppendFormat(IFormatProvider provider, String format, Object[] args)

   at System.String.Format(IFormatProvider provider, String format, Object[] args)

   at ST.Protect.Forms.UserPrompt.PromptToDeleteVirtualServer(IWin32Window owner, IList`1 referencingGroups, CancelEventArgs e)

   at ST.Protect.Forms.Navigator.RemoveVirtualServer[TVirtualServer](Action`1 deleteVirtualServer, TVirtualServer virtualServer, String typeName, NamedItem namedItem, Int32 id)

   at ST.Protect.Forms.Navigator.MiVirtualRemoveClick(Object sender, EventArgs e)

   at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)

   at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)

   at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)

   at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)

   at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)

   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)

   at System.Windows.Forms.Control.WndProc(Message& m)

   at System.Windows.Forms.ToolStrip.WndProc(Message& m)

   at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)

   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

   --- End of inner exception stack trace ---

Does anybody have an idee for me?

Kind Regards

Mario

Overview

This document outlines how to use a Custom Action to remove the ProPatches folder.  A Custom Actionmay include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.

Configuration Setup

A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.

1. Create a New Scan Template; enter a Name for the Template, and Save it.
   1. Alternatively - open an existing Scan Template you wish to modify.
   2. Select CustomActions under the Patch Properties tab.
   3. Save and close.

2.  Create a new Deployment Template.

     -     Give it a Name

     -     Uncheck Send Tacker Status

3.     Go to the Post-Deploy Reboot tab and choose "Never Reboot After Deployment".

4.     Go to the Custom Action tab and click New.

        -    Step 1 - Leave default

        -    Step 3 - Change to 'After all Patches"

        -    Step 4 - Enter the following: rmdir /s /q %pathtofixes

        -    Click Ok

5.     Save and close the Deployment Template.

6.     Use the new Scan Template to scan all your machines

7.     Use the new Deployment Template to deploy the QSK2745 MSST-001 patch. This patch is used for Custom Actions.

Related Documents

• NullPatch.exe/Noop.exe Information
• Null.exe or Noop.exe False-Positive
• Custom Action - Remove the Remote Scheduler for Protect version 9
• Custom Action - Delete Specific File
• Custom Action - Uninstall a Program
• Delete Patches from Target After Deployment

Products

Protect Version: All

I have a Win 7 (32-bit) machine that had an agent installed on it.  The console certificate expired and it was renewed automatically however one machine is giving me problems.  It would not check in and did not have a policy assigned to it.  I tried to manually have it check in from the agent machine but it would fail every time and not be associated with a console.  I then decided to uninstall the agent from the agent machine, reboot and reinstall it, pushing it from the console.  I now get an "Interactive Services Detection" window on the agent machine asking if I want to connect to the console through the cloud or have a direct connection to the console.  I have tried both and both fail. I put in the proper hostname, verified the port, and entered the correct credentials but it cannot get the list of policies.  The files are copied fine but the operation monitor hangs at 50%.   Other agents are reporting to this console without any issues.

Any ideas?

Thanks,
Ron

Symptoms

When performing a scan or deployment an error occurs: GetMachineData failed.

Example of Error in ST.Protect.Native log located in the C:\ProgramData\LANDesk\Shavlik Protect\Logs folder :

2013-12-19T16:15:14.3055087Z 0330 E Deploy.cpp:1958 DeployMachine exception - class STCore::CInvalidOperationException at Deploy.cpp:1408: GetMachineData failed.

Cause       

This is caused by environmental factors, and is most commonly seen when scanning/deploying across a WAN.

Possible       

Because this issue is caused by environmental factors, the cause/solution will not always be the same. Here is a list of solutions that have been seen to help/fix the issue.

Note: These are suggestions based on previous customer feedback, and may or might not work for you. All suggestions are made without warranty; users assume all liability when modifying any network settings and/or devices.

• Remote Procedure Call (RPC) Service Is Off
  • Verify that the target has the Remote Procedure CAll (RPC) service started.

• Using a WAN Optimizer / Riverbed Device

  • In situations where a WAN Optimizer / Riverbed device are in use, these components have been seen to cause this issue.
• Things to Try
  • Disable the device and try scanning/deploying.
  • Set the device to pass-through / by-pass mode.
  • Disable Latency Optimization in the device.
  • Ensure the device's firmware is up-to-date and restarted.
  • Reboot the device.

• Target is Part of Domain
  • If the target is part of a domain, removing the machine from the Domain and re-adding it to the domain has been seen in some instances to correct the issue.

Related Article:HOW TO: Troubleshoot RPC Errors

Affected Product(s)

Shavlik Protect 9.x

Symptoms

After applying MS15-A02 KB3033929, the superseded patch MS12-001 KB2644615 is showing as missing

Cause

The introduction of MS15-A02 in March 2015 opened up a security hole that is addressed by the installation of MS12-001 KB2644615 or MS13-063  KB2859537. Although MS13-077 supersedes both of those patches, it does not take care of the vulnerability opened up by MS15-A02.

Resolution

Deploy MS12-001 KB2644615 based on the scan results from Shavlik Protect or download the install file for MS13-063 KB2859537 and manually run the file on the target machine

Affected Product(s)

Protect 9.X

Multiple browsers, computers, etc.  Any thoughts?  I am mainly talking about the Registered Consoles and Agent Keys tabs...

I have turned on  role based administration and have setup the users. Now as I want to allow access  I am not finding a way for access to the console other than allowing the users to log onto the server  on which the console is installed. This would create an issue as   we would need to give  help desk users  access to the server.  I want the help desk users to be able to   run reports as well as see any failed  installs so that they can  address the issues. How are others handling such functionalities and how can I give access to the console without  access to the server itself?

The Windows Microsoft Security Advisory: Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 bulletin ID MS15-A02 KB3033929 fails.  Is this a known issue with MS?  

Purpose

The purpose of this article is to troubleshoot an error when the Shavlik Console Service fails to launch.

Symptoms

The console service fails to launch and you will receive the following error:
"The service responsible for importing scan and agent results is not running"

You will also see in the ST.ServiceHost.managed.log file the following errors:

YYYY-MM-DDTHH:MM:SS.7690850Z 0005 C Program.cs:26|System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (65536) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (65536) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.

Cause

There could be a lot of causes for the issue:

1) The Protect license record/activation key has become corrupted. To resolve, follow this article: Launch Interface - Error - Initialize License Fails

2) The SQL database needs to be restored. To resolve, follow this article: Restore Shavlik Database From Backup Using SQL Server Management Studio

3) The <netNamedPipeBinding> does not have a maximum size built within STServicesBindings.config. To resolve, follow the steps below:

Resolution

1) Backup the Protect database. (How to Backup a Database)

2) Stop Protect and the Shavlik Protect Console Service

3) Extract DeleteRefreshLicenseScheduledJobs.zip (attached to the bottom of this article)

4) Open SQL Server Management Studio

5) Connect to the database that contains the Protect database

6 ) Open DeleteRefreshLicenseScheduledJobs.sql into a query window

7) Read disclaimer at the top

8) Select the Protect database

9) Execute the script

10) Start the Shavlik Protect Console Service

Does the service still crash?

If no, stop. You do not have to go any further.

If yes, perform the following:

11) Stop Protect and the Shavlik Protect Console Service

12) Backup STServicesBindings.config (LocalDisk:\Program Files\LANDESK\Shavlik Protect)

13) Open STServicesBindings.config

14) Go to first binding under <netNamedPipeBinding>

15) Add maxReceivedMessageSize="5000000" maxBufferPoolSize="5000000"

Example:

Before:

<netNamedPipeBinding>

<binding>

<security mode="Transport" />

</binding>

After:

<netNamedPipeBinding>

<binding maxReceivedMessageSize="5000000" maxBufferPoolSize="5000000">

<security mode="Transport" />

</binding>

16) Start the Shavlik Protect Console Service.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides steps on how to enable client/target side verbose logging for troubleshooting agentless deployment issues.

Description

How to enable Client (Target) Side Logging via ITscript:

These logs are automatically generated on the client (target) system during an agentless patch deployment under the folder C:\Windows\Propatches and its subfolders. However, you can enable verbose logging of these logs for a system by doing the following:

1. In the Protect console, go to Manage > ITScripts.

2. Under the 'Configuration' section, locate and select the script named "Set Target Machine Verbose Logging".

3. Click the 'Approve' button at the top, or right click on the script and choose 'Approve'.

4. Go to the machine group containing the system(s) you wish to enable this for, and click Run Operation.

5. For "4. Select/confirm operation:", choose ITScript from the dropdown, and then select "Set Target Machine Verbose Logging" from the second dropdown.

6. Click Run.

7. When the operation is complete you should see the status change to "Complete: Verbose logging was successfully enabled."

Alternate Method - Manually adding config files

You can enable target-side logging by adding the config files into the correct directories on the target system. See the attached zip "Logging.Config.zip" to obtain the files.

The files should be placed into the following folders (on the client/target system) accordingly:

• C:\Windows\Propatches
  • cl5.exe.config
  • SafeReboot.exe.config
  • SafeReboot64.exe.config
• C:\Windows\Propatches\Scheduler
  • stschedex.exe.config
  • stSched.exe.config

Additional Information

See the following document for more information about the above mentioned ITScript:

http://community.shavlik.com/docs/DOC-20385

Affected Product(s)

Shavlik Protect 9.x

Symptoms

A patch scan fails with the error:

Error 501 - Remote registry access denied 

Cause

This issue occurs if there is a network or configuration issue which prevents Protect from connecting remotely to the target machine's registry.

Resolution  

To resolve this issue:

1. Ensure that the Remote Registry service is started on the target machine(s). 
2. If you are able to log in to the machine from which you are running the scan as a user with administrative rights to a target machine, test the remote registry access.
   
   To test the remote registry access:
   1. Click Start> Run, type regedit, and click OK. The Registry Editor window opens. 
   2. Click File> Connect Network Registry. 
   3. Enter the name of the target machine as the object name and verify if you can connect and navigate to the remote registry of that machine.
3. In the target machine(s), navigate to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg registry key, add \"LOCAL SERVICE\" to the key, and give it the READ access.

If the preceding steps do not resolve the issue, it is possible that the policy setting is limiting access to the remote registry of the target machine(s). To resolve this issue, contact your network administrator.

Additional Information

For more information on managing remote access to the registry, see the Microsoft Knowledge Base article 314837.

Affected Product(s)

Shavlik Protect 9.x