Purpose

This document will provide details and a workaround for an issue where all Patch scan fail with an Error 235 after upgrading to Shavlik Protect 9.1.4511

Description

All patch scans fail with an Error 235 after upgrading to Shavlik Protect 9.1.4511.

Cause

Your domain or work-group name contains an invalid character and code change Shavlik Protect 9.1.4511 no longer ignores this.

The & has been a common character support has been seeing in the field.

Solution

You have two options:

• Remove the invalid character from the Domain or Work-Group name.
• Revert back to 9.1.4446 by uninstalling Shavlik Protect 9.1.4511 and installing Shavlik Protect 9.1.4446   Download Location
  

If you choose to revert, you must manually implement the fix for the issue Shavlik Protect 9.1.4511 corrected.

1. Open Shavlik Protect
2. Navigate to Tools > Console Alias Editor
3. Make no changes and click OK
4. Click Update
5. Click Continue

Affected Product(s)

Shavlik Protect 9.1.4511

We have database maintenance scheduled to run weekly, and to rebuild indexes. I just noticed that there's failure message as part of the index rebuild. The error is Generic data access layer exception.  SQL exception message: Cannot find the object "dbo.LinkEmailRecManagedMachines" because it does not exist or you do not have permissions. Can you tell me how to resolve the error?  I'm not a dba. thanks

Purpose

When scanning a non-discriminat group of machines, such as by ip range, or OU, Protect will try all machines that exist as part of the group. In some situations it may be desirable to exclude certain machines.
Example: Scanning an IP range that contains many machines that should be patched, and one machine that cannot be patched on the same schedule as the others.

This document outlines how to exclude one or more machines from during a scan.

Resolution

Open the machine group that you will be using to scan against.
The machine group will show your machines that are going to be scanned.

Example: In this machine group, Protect will scann an ip range of 5.5.5.1-5.5.5.255

Add the machine(s) that should be skipped. This can be done by IP, Netbios, FQDN. These will by default be added and Included in the scan.

Example: Added a machine called 'SkipThisMachine' and a machine with IP 5.5.5.100

After the machines to be excluded have been added into the machine group, right click each and choose 'Exclude'.

Note: Holding CTRL while selecting allows you to highlight multiple entries at once, at which point you can right click any and it applies the changes to all that are highlighted.
Note: Alternative to right clicking, you can click the 'When Scanning' box at in the machine group and choose 'Exclude'.

The machines should now show Exclude under the When Scanning column. This will prevent the machine from being scanned and showing up in the scan results.
Note: In version 9.0 the operations monitor during a scan will list machines that have been excluded (only for informational purposes - no scan results occur for that machine). In verisn 9.1 it will not list excluded machines in the operation monitor during a scan.

Additional Information

NOTE: However you add the Machines into the Machine Group is how you will need to list them to be excluded from the group (i.e. Machine Name, IP address, FQDN). You can place the machines to exclude in a text file and add it in by linking to the file and setting the file to exclude.

Affected Product(s)

Shavlik Protect All

Purpose

The purpose of this document is to provide instructions for creating a report within Shavlik Protect that will provide Internet Explorer version information from within your environment.

Resolution

Note: Prior to creating this report, please be sure that a recent patch scan has been completed within your environment.

1. Navigate to Tools>Create Report within the Shavlik Protect Console.

2. When prompted to select a report choose the 'Machine Inventory' report and check the 'Use Advanced Filter' option. Then hit 'Generate report'.

3. Within the Advanced Report Settings select the 'Scans & Deployments' folder on the left hand side of the window and then select 'View Current Status'. This selection will ensure the latest scan data is used to report on.

4. Next, select the 'Products' folder on the left hand side of the window and then Select the versions of Internet Explorer you wish to report on from the list on the right hand side of the window and hit 'OK'.

5. The report will generate. From this screen you will be able to save or email this report from the 'File' menu.

Description

How-to

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides information about the Console Alias Editor within Shavlik Protect.

Description

When an agent checks in with the Shavlik Protect console it must verify that the machine it contacted is a trusted machine. It does this using the trusted names and IP addresses contained in the certificate that is exchanged between the agent and the console. If you assign the console machine to a new domain or give it a new common name or IP address, any existing agents that recognize the console by its old name or address will no longer trust the console machine. To get around this issue you simply identify the old console names or addresses as trusted aliases. This is done using the Console Alias Editor tool.

The most common time to use this tool will be during an upgrade from an earlier version of Shavlik Protect.

Accidentally changing or deleting existing entries on the Console Alias Editor dialog may cause problems when your agents attempt to contact the console. Only qualified system administrators should modify existing names or IP addresses.

Assigning Aliases to the Console

1.Select Tools > Console alias editor.

The Console Alias Editor dialog is displayed. It will contain the names and IP addresses currently used to identify the console machine.

2.Type the name or IP address that you want to use as an alias for the console machine.

You can specify IP addresses using either an IPv4 or IPv6 format.

3.Click Update.

The Update dialog is displayed.

In order to update the console aliases the console service must be restarted and Shavlik Protect must be closed and then manually restarted.

The agents will not recognize a new alias until after they check-in with the restarted console. The check-in must be initiated by an agent either manually using the agent client program or via a scheduled check-in; a check-in command issued from the console to an agent will not update the console certificate. This includes when a console is migrated to a new console and the old console still has agents assigned to it. The agents will not check in with the new console unless the old console's service is turned off and a agent check in is performed from the agent. Another way to achieve the same effect is to uninstall the agents from the old console and then install the agents with the same policies from the new console.

Additional Information

The menu option for Tools > Console Alias Editor is not available to users assigned the Report Only role within Protect's Role Based Administration.

The console alias editor is not intended to be a mechanism of providing specific methods for the agent to contact the console for check-in or registration. As a requirement, the agent will still need to be able to resolve the console machine. (Example: If you have agents in a domain that is not trusted and cannot resolve the Protect console system, those agents will not specifically attempt using an IP address listed in the console alias editor. However, you could manually install the agent as a workaround.)

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document will explain how to view scheduled agent tasks by command line on client machines.

Resolution

1. Open a command prompt as an administrator and then navigate to one of these locations:

• 32bit OS: "C:\Program Files\LANDESK\Shavlik Protect Agent\
• 64bit OS: "C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\

2. Run this command to see all shceduled jobs for this agent.

• STAgentManagement.exe -schedule

Additional Commands

You may also find these switches for STAgentManagement.exe helpful too.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides information on how to resolve the error "Found 0 identity certificates when only one was expected" when attempting to deploy patches

Symptoms

You receive the following error when trying to deploy patches

Also see the following error in the ST.TaskScheduler.Manged.log or the ST.Protect.Manged.log

ThreadPoolJob.cs:260|System.InvalidOperationException: Found 0 identity certificates when only one was expected at ST.CA.ConsoleCertificateManager.GetIssuingCertificate()

Cause

Shavlik Protect is not able to identify valid certificates to use.

Solution

  If you delete the console certificate any agents currently installed will need to be reinstalled or they will not be able to communicate with the console and will eventually uninstall themselves after not being able to check in after 45 days

Option 1:  Renew the certificates for Protect via the STMgmt.exe by following this document Shavlik Protect console certificates

Option 2:  If renewing the certificate doesn't work then you will need to uninstall Protect, delete the current console certificates and then reinstall Protect to create new certificates.

1.    Open a command prompt by clicking the Windows button and typing 'CMD'.

2.    Within the command prompt type in 'MMC'.

3.    Navigate to File>Add Remove Snap-in.

4.    Select Certificates from the Available snap-ins and click 'Add'.

5.    Choose Computer Account and click 'Next'.

6.    Choose Local Computer and click 'Finish'

7.    Click 'OK' within the Add or Remove Snap-ins dialog box. You should now see 'Certificates (Local Computer)' within the 'Selected snap-ins'.

8.    Expand 'Certificates', navigate to Personal>Certificates and click on the certificate issued by 'ST Root Authority and delete it

9.    Expand 'Certificates', navigate to Trusted Root Certification Authorities>Certificates and click on the certificate issued by 'ST Root Authority and delete it

Affected Products

Shavlik Protect All Versions

Purpose

The purpose of this document is to show how to distribute an executable file out using the Custom Patch Editor and Custom Action deployment.

Description

Adding Software to Shavlik Folder

1) You must manually copy the software to distribute to the Shavlik Protect Console patch download folder. To find this location, go to the download folder designated under Tools > Operations.

2) Navigate to that location using Windows Explorer, and copy all the software files here.

Creating the Patch XML file

1) Go to Tools > Custom Patch Editor in the Shavlik Console.

2) Within the Custom Patch Editor, click on the link to ‘Create a new custom XML file’.

3) Add a Display Name and Description. Don't click on 'Validate XML' just yet. This will be done on Step 16.

4) Create a Custom Bulletin by either right-clicking 'Custom Bulletins' in the left hand pane and select Add new Bulletin or by clicking the 'Add Bulletin' button in the toolbar.

5) In the right-pane add some information describing the software install.

6) Next, either right-click on the Custom Products and click on 'Add New Product' or click on the 'Add Product' button in the toolbar.

7) In the New Product page, add in the information on how Shavlik Protect will detect the product is installed. To find this, manually install the product and find it in the registry to populate this page. For this software, we are looking for the key NOT to exist on target machines so note that on the last line.

NOTE: Only use 64-bit registry strictly for installation of the patch on 64-bit machines. If you use a combination of 64-bit and non-64-bit machines, you can setup a second product with an update registry key (using the same procedure in Step 7) and uncheck 'Use 64-bit Registry'.

8) Right-click on Custom Patches and click on Add Custom Patch or click on the 'Add Patch' button in the toolbar.

9) In the Scan Information tab, add a Patch number, select the Bulletin created in Step 5. Under Patch Type, select ‘Custom Actions’ and set a Severity option to ‘None’. This Patch Type is important to match in Step .

10) Set the Registry Keys see if the custom patch is installed. for this example, use the Registry Key from Step 7. Click on the Registry Keys tab and click the Add button at the bottom to add a key.

11) Add the same information from Step 7. Click OK to save.

NOTE: Make sure the patch Bit Registry matches what you put in for the product in Step 7.

12) On the Targeting tab, select the products the install applies to. Click the arrow to move the selected target product from the lower left pane to the lower right pane. In this example, the product is being installed on different operating systems and the products affect different OS's in the bulletin.

Repeat Steps 9-12 for the 32-bit version install, if you have a machine that does not utilize 64-bit registry.

13) Next, switch to the Deployment Information tab at the top

14) Select the Language of the operating system the patch is being applied to and browse to the install file. Click the ellipses button to browse to the install file. Typically, it is a setup.exe. In this example, the ‘InstallWrapper.vbs’ file is used (third-party download and not supported by Shavlik). Add any switches for the command line of the install file (typically provided by the vendor of the patch install file)

NOTE:

• Targeting is not required, however if not specified the update will be offered for all systems that meet the scanning requirements.
• If you added a custom product it will show under targeting available products. You will first need to save the XML and import the custom XML before your custom product will appear in the list.

15) Click the Save button at the top (blue diskette) and give the XML a name.

16) In the left-pane, click on your XML you created in Step 3. Click on the 'Validate XML' button. NOTE: You should validate the XML file anytime you make modifications to the XML file. Be sure to save the file before performing the validation to ensure that you are validating the most current file.

17) Exit the Custom Patch Editor. You will be prompted to Import your XML file. Click on ‘Import now’.

18) In the next window select the XML file check box before you click OK.

Add a Patch Group

1) To Add a Patch Group for Software Deployments, click the drop down menu under 'Home' and select Patch and SP Groups.

2) Click on the ‘New’ button and select Patch Group. Name the Patch Group.

3) Click on the ‘Add’ button and select the patch created in Step 9 from 'Creating the Patch XML file'. Click the 'Select' button at the bottom.

4) Click the Save button at the bottom to save and exit the Patch Group. Using this Patch Group we will ONLY be scanning for the custom patch.

Creating a Scan Template

1) Click the ‘New’ button and select ‘Patch Scan Template’.

2) Enter a name for the template. On the Filtering tab, uncheck all patches at the bottom under Patch Properties and only select ‘Custom Actions’ (Step 9 from 'Creating the Patch XML file').

3) Select the Patch Filter settings, click the ‘Scan Selected’ option.  Under the Patch Groups window, click the ellipses button and select the patch group created in 'Add a Patch Group'.

4) Click ‘Save’ at the bottom to save the Patch Scan Template.

Creating a Deployment Template

1) Click New > Deployment Template.

2) Name your deployment template and set your options as necessary. Go to the Custom Actions tab. Select the install files required for your patch to be installed. This will include the .exe file and the .vbs (or some other batch file script/executable). Repeat this process for the other files.

3) After adding the files, the Shavlik Protect Console needs to know what to file to run. All files will be copied to the local ‘C:\Windows\ProPatches\Install’ folder. The variable is %PATHTOFIXES%, use it in the execute line as shown:

NOTE: Repeat Steps 2-3 for each patch you setup in Step 9 from 'Creating the Patch XML file'.

4) Save the Deployment Template.

Scanning and Deploying the Custom Patch

1) Click on 'Home'. Select a Machine Group. Select a schedule. Select the Scan template from 'Creating a Scan Template'. Select the Deployment template from 'Creating a Deployment Template'. Click 'Scan Now'. Custom patches should be detected as missing and Custom Action files should be pushed, deployed and executed. This completes the custom patch install.

Additional Information

Additional information about custom patch creation and use can be found in the following articles:

• Shavlik Help - Overview of the Custom Patch XML Process.
• How to Create a Custom Patch

Affected Product(s)

Shavlik Protect 9.X

Purpose

The purpose of this document is to outline how to alter the location of the Pro Patches folder on the machines being deployed to. This is useful in event of size limitations on the C: drive.

Resolution

1. Navigate to Machine View (View>Machines) within the Shavlik Protect Console.

2. Within the list of machines select the machine(s) you wish to alter the location of the ProPatches folder on. Right click and select 'Machine Properties'.

3. Within the Manage Machine Properties window input the path or alternate drive letter you wish for the ProPatches folder to be deployed to (Ex: D:\, C:\Patches, etc.)

Additional Information

Provide additional information concerning the document within this section, especially any links to Microsoft or other vendor knowledge base articles that provide extra information pertaining to the document you are writing.

Affected Product(s)

Shavlik Protect 9.x

Hi There,

My company is using Shavlik Protect Standard 9.1.0 Build: 4472. We have a concern about Leap Second June 30, 2015. Do you expect any problems on or around June 30, 2015 related to the "Leap Second" clock adjustment on the Shavlik Protect system?

Can anyone of you please comfirm?

Thanks,

Ming

Purpose

This document will show you how to perform a threat scan (AV scan) on specific files, folders or drives from a machine that has a Shavlik Protect agent with AV installed on it.

Solution

If Shavlik Protect agent is configured with a threat task or if Active Protection is enabled, the user of the machine can initiate an antivirus scan on a specific file, folder, or drive on the machine. This is done by right-clicking the desired item within Windows Explorer and then selecting Scan with Shavlik Protect.

Affected Product(s)

Shavlik Protect 9.x

Is there a way to configure a missed scheduled scan/deploy task not to automatically execute when it missed it's scheduled date/time?

For example, I have scheduled a monthly scan and automatically deploy missing patches to a machine group on 2nd Sunday at 3am of each month.  The Shavlik server froze over the weekend and missing it's scheduled scan deployment.  I reboot the box Monday morning at 9:00am.  Shavlik automatically runs the missed 9:00am scheduled task resulting a patch deployment and reboot in the middle of the day ---- not good.

I don't see any way of configuring a scheduled scan to wait for the next 2nd Sunday of the following month to run the scheduled task.

Thanks in advance....

The past week or so when I run a scan, the operations monitor reports that the patch progress is "0 of" whatever and the status is building deployment files.  When you look below at each machine the state is "file downloaded" for each machine.  It never moves past this point.  I have done the obvious; rebooted the server, refreshed the files, confirmed everything is up to date, and synced the distribution servers.  I do not know what is up with this.  Any thoughts or advice?

Purpose

The purpose of this document is to show how to clean out your Patch Download Directory on the Shavlik Protect Console machine. It is good practice to clean or reduce the number of files in the Patch Download Directory to conserve hard drive space and to reduce database utilization when accessing the patch database during deployment package creation and selecting  View > Patches.

Description

The Shavlik Protect Console Patch Downloads folder is configurable.  To  Locate the Patch Download Location on Protect Console select Tools > Options > Downloads and edit the Patch Download Directory field.  The Protect Console uses one location as a patch repository.  If the path is changed the old directory is not used as a patch repository and can be deleted. Patch files can be deleted directly from the Patch Downloads Folder using any kind of file system delete or using an IT Script.  The execution of the IT script can be scheduled to create a periodic purge of the patch Download directory.

Manual Method

Access the patch download Patch Download Location on Protect Console using windows explorer or some other file management tool and delete the contents of the folder.

IT Script Method

1) Open up the Shavlik console that you want to clean up.

2) Go to Manage > ITScripts.

3)  Highlight the 'Console Clean Up' script under the 'Maintenance' Category and then select 'Approve'.

NOTE: This script deletes patches and deployment files that are older than the specified ages (default 180 days) since they were created or downloaded.

4) Once the ITScript has been approved. Close out of the 'Manage ITScripts' window and navigate to Tools > Run Console ITScripts.

5) This will bring up the Run ITScripts window. Select the 'Console Clean Up' script from the drop-down box (default if it is the only one approved) and click Continue.

NOTE: There are two different parameters with this ITScript.

• deploymentAge (removes files from the DataFiles\Installs directory that are older than the number of days specified)
• patchAge (removes files from the Patches directory (as specified in Tools > Downloads > Patch Download directory that are older than the number of days specified))   

          If you want to change the 180 day parameters for either the deploymentAge or the patchAge:

               1) Select the parameter.

               2) Click the 'Edit' button.

               3) Select the value to remove files from the specified directory that are older than the number of days. (This is for the number of days that the file has been sitting in the specified directory NOT how old the patch is.)

6) Confirm the target machine affected and then select when you want the script to run and then click on Run.

7) Once the job has completed, verify that patches have been cleaned up based on the parameters specified above within the Patches directory (Default: C:\Windows\ProPatches\Patches or as specified in Tools > Downloads > Patch Download directory)

Affected Product(s)

Shavlik Protect 9.x

What is the best way to attempt multiple credentials when deploying patches? If I have a machine group based on a subnet, but a subset of these machines might use one local administrator password, and a different subset uses a different local administrator password. I want to start a scan and deployment where Shavlik Protect will attempt multiple credentials and use the credential that is successful. From what I know, this is not possible natively within Shavlik Protect. It seems I either need to use multiple machine groups or use machine credentials. I really don't like either of these options, because I don't always know which credential will work. Is there another solution?

Scott M.

Purpose

This document provides steps to perform an offline or 'manual' activation of the Shavlik Protect.

Description

If you are unable to activate Shavlik Protect over an internet connection for any reason, you have to option to choose the 'Manual Activation' function. Use the steps below to perform a  manual (or offline) activation of Shavlik Protect.  If file transport from the secure offline network to an online network is not allowed, follow instructions to use the DisconnectedLicenseInfo.txt file:

Steps to create a license activation file

1. Select an activation mode (either Product or bundle license or Trial mode).
2. Paste or type your key into the Enter your activation key(s) box.
3. Select Manual activation.
4. Click Create request.
5. Files named LicenseInfo.xml and DisconnectedLicenseInfo.txt are generated and saved to the desktop of your console computer. These files contain the information needed to make an offline activation request.
6. Move the LicenseInfo.xml file to a computer with Internet access. If file transport from the secure offline network is not allowed, follow instructions under "If Secure to Non Secure network file transfer is not allowed" to use the information in DisconnectedLicenseInfo.txt .
7. On the Internet-connected computer, open a browser and go to https://license.shavlik.com/OfflineActivation.
8. Upload the LicenseInfo.xml file
9. Within Shavlik Protect if the Activation dialog does not automatically pop up upon launching the console, select Help > Enter/refresh license key.
10. Download the processed license file and move it to the offline console computer.
11. Import the processed license file to the console by selecting Help->Enter/refresh license key and then click 'Import offline license'

If Secure to Non Secure network file transfer is not allowed

Go to https://license.shavlik.com/OfflineActivation to enter this data

• The web portal will process the license information and generate a license file
• Download the processed license file and move it back over to the offline console computer.
• Import the processed license file to the console by selecting Help->Enter/refresh license key and  click 'Import offline license'

If for some reason you are unable to activate using the offline activation portal mentioned above, please open a case with support and send your manual activation file in using the support portal: https://www.support.shavlik.com.

Please see this article if you need assistance registering: http://community.shavlik.com/docs/DOC-2265

Further details about activating the program can be found in the following Help document within Shavlik Protect:

Help > Contents > Installation and Setup > Getting Started > Activating the Program

Affected Product(s)

Shavlik Protect 9.x

I have a descrepency between the number of Windows 7 critical security updates that a scan performed with the default Security Patch Scan and a custom Patch Scan Template which I create based upon the results of the Security Patch Scan...

Security Patch Scan lists 37 Windows 7 critical security updates, whilst the custom patch scan template lists 52.

When creating the custom Patch Scan Template for critical security updates, I select OS and critical.

Why the discrepency?

Using Shavlik Protect, how can I generate a report listing what version of Internet Explorer is installed for each machine?

Overview

This document outlines how to use a Custom Action to remove the ProPatches folder.  A Custom Actionmay include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.

Configuration Setup

A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.

1. Create a New Scan Template; enter a Name for the Template, and Save it.
   1. Alternatively - open an existing Scan Template you wish to modify.
   2. Select CustomActions under the Patch Properties tab.
   3. Save and close.

2.  Create a new Deployment Template.

     -     Give it a Name

     -     Uncheck Send Tacker Status

3.     Go to the Post-Deploy Reboot tab and choose "Never Reboot After Deployment".

4.     Go to the Custom Action tab and click New.

        -    Step 1 - Leave default

        -    Step 3 - Change to 'After all Patches"

        -    Step 4 - Enter the following: rmdir /s /q %pathtofixes%

        -    Click Ok

5.     Save and close the Deployment Template.

6.     Use the new Scan Template to scan all your machines

7.     Use the new Deployment Template to deploy the QSK2745 MSST-001 patch. This patch is used for Custom Actions.

Related Documents

• NullPatch.exe/Noop.exe Information
• Null.exe or Noop.exe False-Positive
• Custom Action - Remove the Remote Scheduler for Protect version 9
• Custom Action - Delete Specific File
• Custom Action - Uninstall a Program
• Delete Patches from Target After Deployment

Products

Protect Version: All

how can I deploy kb2852386 with protect? Is it already part of an install?