We scan and deploy windows workstations with Shavlik Protect Standard 9.1 (Build 4511) based on a template at a certain time. The reboot after the deployment occurs at the log off of the user.
Some patches (e. g. hotfixes of Microsoft or updates of Adobe) enforce the reboot after the deployment immediately.
Do you know a work-a-round for this behavior?
Yesterday I installed the new update KB3040272 with Windows Update. (64-bit Windows 7) This gave me versions of crypt32.dll, cryptsvc.dll and wintrust.dll with version numbers higher than expected (definition version 2.0.1.3452) for the GDR branch. So now I get false positives for MSWU-1074, MSWU-772, MS13-S04, MS13-095, MSWU-629, MS12-024 and MS12-A07. Are there any prospects for Protect to better understand the GDR/LDR version numbers?
Problem
You receive the following error when attempting to publish content:
Publish: Exception occurred during publishing:
"Verification of file signature failed for file: \\<serverName>\UpdateServicesPackages\<AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab"
You may also see this error:
"Exception occurred during publishing: Verification of the signature failed for file" for each of the updates attempted.
Cause
The WSUS certificate added to Trusted Publishers Store and the Trusted Root Certification Authorities Store were not Code Signing certificates.
Resolution
1. Navigate to Start and type MMC in the run box, this will open Microsoft Management Console (MMC)
2. Click File and choose Add/Remove Snap-in, highlight Certificates and click Add. Select Computer account and then click Next
3. Expand Certificates, expand Trusted Root Certification Authorities, click on certificates
4. Find your certificate and double click on it
5. Click on the Details Tab then find "Enhanced Key Usage", it will show Code Signing
Example of Code Signing Certificate
Example of Non-Code Signing certificate
If your Certificate is does not state it is a Code Signing certificate you will need to either create one with Shavlik Patch or have your CA create one.
Please refer to the Shavlik Patch guide
http://rs.shavlik.com/documents/patch/ug_patch_2_1.pdf
If you are in fact using a Code Signing Certificate please refer to this document
Exception occurred during publishing: Verification of file signature failure
Affected Product(s)
Shavlik Patch
The purpose of this document is to show how to distribute an executable file out using the Custom Patch Editor and Custom Action deployment.
Adding Software to Shavlik Folder
1) You must manually copy the software to distribute to the Shavlik Protect Console patch download folder. To find this location, go to the download folder designated under Tools > Operations.
2) Navigate to that location using Windows Explorer, and copy all the software files here.
Creating the Patch XML file
1) Go to Tools > Custom Patch Editor in the Shavlik Console.
2) Within the Custom Patch Editor, click on the link to ‘Create a new custom XML file’.
3) Add a Display Name and Description. Don't click on 'Validate XML' just yet. This will be done on Step 16.
4) Create a Custom Bulletin by either right-clicking 'Custom Bulletins' in the left hand pane and select Add new Bulletin or by clicking the 'Add Bulletin' button in the toolbar.
5) In the right-pane add some information describing the software install.
6) Next, either right-click on the Custom Products and click on 'Add New Product' or click on the 'Add Product' button in the toolbar.
7) In the New Product page, add in the information on how Shavlik Protect will detect the product is installed. To find this, manually install the product and find it in the registry to populate this page. For this software, we are looking for the key NOT to exist on target machines so note that on the last line.
NOTE: Only use 64-bit registry strictly for installation of the patch on 64-bit machines. If you use a combination of 64-bit and non-64-bit machines, you can setup a second product with an update registry key (using the same procedure in Step 7) and uncheck 'Use 64-bit Registry'.
8) Right-click on Custom Patches and click on Add Custom Patch or click on the 'Add Patch' button in the toolbar.
9) In the Scan Information tab, add a Patch number, select the Bulletin created in Step 5. Under Patch Type, select ‘Custom Actions’ and set a Severity option to ‘None’. This Patch Type is important to match in Step .
10) Set the Registry Keys see if the custom patch is installed. for this example, use the Registry Key from Step 7. Click on the Registry Keys tab and click the Add button at the bottom to add a key.
11) Add the same information from Step 7. Click OK to save.
NOTE: Make sure the patch Bit Registry matches what you put in for the product in Step 7.
12) On the Targeting tab, select the products the install applies to. Click the arrow to move the selected target product from the lower left pane to the lower right pane. In this example, the product is being installed on different operating systems and the products affect different OS's in the bulletin.
Repeat Steps 9-12 for the 32-bit version install, if you have a machine that does not utilize 64-bit registry.
13) Next, switch to the Deployment Information tab at the top
14) Select the Language of the operating system the patch is being applied to and browse to the install file. Click the ellipses button to browse to the install file. Typically, it is a setup.exe. In this example, the ‘InstallWrapper.vbs’ file is used (third-party download and not supported by Shavlik). Add any switches for the command line of the install file (typically provided by the vendor of the patch install file)
NOTE:
15) Click the Save button at the top (blue diskette) and give the XML a name.
16) In the left-pane, click on your XML you created in Step 3. Click on the 'Validate XML' button. NOTE: You should validate the XML file anytime you make modifications to the XML file. Be sure to save the file before performing the validation to ensure that you are validating the most current file.
17) Exit the Custom Patch Editor. You will be prompted to Import your XML file. Click on ‘Import now’.
18) In the next window select the XML file check box before you click OK.
Add a Patch Group
1) To Add a Patch Group for Software Deployments, click the drop down menu under 'Home' and select Patch and SP Groups.
2) Click on the ‘New’ button and select Patch Group. Name the Patch Group.
3) Click on the ‘Add’ button and select the patch created in Step 9 from 'Creating the Patch XML file'. Click the 'Select' button at the bottom.
4) Click the Save button at the bottom to save and exit the Patch Group. Using this Patch Group we will ONLY be scanning for the custom patch.
Creating a Scan Template
1) Click the ‘New’ button and select ‘Patch Scan Template’.
2) Enter a name for the template. On the Filtering tab, uncheck all patches at the bottom under Patch Properties and only select ‘Custom Actions’ (Step 9 from 'Creating the Patch XML file').
3) Select the Patch Filter settings, click the ‘Scan Selected’ option. Under the Patch Groups window, click the ellipses button and select the patch group created in 'Add a Patch Group'.
4) Click ‘Save’ at the bottom to save the Patch Scan Template.
Creating a Deployment Template
1) Click New > Deployment Template.
2) Name your deployment template and set your options as necessary. Go to the Custom Actions tab. Select the install files required for your patch to be installed. This will include the .exe file and the .vbs (or some other batch file script/executable). Repeat this process for the other files.
3) After adding the files, the Shavlik Protect Console needs to know what to file to run. All files will be copied to the local ‘C:\Windows\ProPatches\Install’ folder. The variable is %PATHTOFIXES%, use it in the execute line as shown:
NOTE: Repeat Steps 2-3 for each patch you setup in Step 9 from 'Creating the Patch XML file'.
4) Save the Deployment Template.
Scanning and Deploying the Custom Patch
1) Click on 'Home'. Select a Machine Group. Select a schedule. Select the Scan template from 'Creating a Scan Template'. Select the Deployment template from 'Creating a Deployment Template'. Click 'Scan Now'. Custom patches should be detected as missing and Custom Action files should be pushed, deployed and executed. This completes the custom patch install.
Additional information about custom patch creation and use can be found in the following articles:
Special acknowledgement for Tony Barkdull of Sagamore Health Network for his contribution to this article.
Shavlik Protect 9.X
This document explains how to schedule a service pack deployment to multiple machines at a time using an Agent-Less Deployment model.
On the Protect Console, highlight multiple machines in the Machines view under View>Machines. Right click on one of the Service Packs Missing in the the pane Below. In the resulting menu, select Deploy>Service Pack and choose the desired level of Service Pack. It is not possible to select multiple Service Packs for deployment in one scheduled deployment.
For more information on the process for deploying service packs to agentless machines see Deploying_service_packs in the Shavlik Protect Online Help
This document describes the process for deploying service packs to multiple agentless machines. For information on deploying Service packs to agent-based machines, see Using a Service Pack Group
in the Shavlik Protect Online Help
Protect 9.X
Hi,
It is now possible to automate the patching of Hyper-v failover clusters in Server 2012 R2 with cluster aware updating (CAU).
Is it possible to use Shavlik with CAU, either as a source for patches or in the form of a plugin?
Thanks,
The purpose of this document is to provide additional information and troubleshooting steps on the '1783' patch install return code.
When deploying a patch the installer returns the status code '1783' or the patch install return code 1783 is seen within the CL5.log on the target machine. The CL5log file can be found by navigating to C:\Windows\ProPatches on the client machine.
Example:
1955-11-05T06:15:00.7034616Z 1104 I CommandLine.cpp:2638 Patch Install returned 1783: Windows6.0-KB960859-x64.msu
The 1783 return code translates to 'The stub received bad data'. This is typically indicative of an issue related to the Windows servicing store which can prevent the successful installation of OS patches, Service Packs, and additional software.
Typically this issue can be resolved by running the Windows System Update Readiness Tool on the machine experiencing this issue. Links to the tool by OS can be found below.
Note: The diagnostic and repair functionality in the System Update Readiness Tool is built into the Operating System within Windows 8 and Windows Server 2012 machines. For additional information on running this tool using the OSs, please see the following link:
https://support.microsoft.com/en-us/kb/947821
Shavlik Protect 9.x
Hi
We have jsut upgraded to 9.0 Patch 1 and would liekt start patching our ESX servers via Shavlik.
I have added our VC and can see all of the ESX hosts that are connected to it, although when I scan I get an error:
Complete with errors. Check the Hypervisor network configuration firewall settings
I can see the Scan complete successfuly on my VC console.
I have found a previous post adn followed the steps below prior to scanning.
The hypervisors (ESXi hosts) must allow http traffic over ports 80/443. You can verify and enable this using the vSphere client:
1. Select the hypervisor in the inventory.
2. Click on the Configuration tab.
3. Select ‘Security Profile’ in the Software grouping.
4. Click ‘Properties…’ at the top of the Firewall settings.
5. Verify or enable ‘httpClient’ in the list of firewall settings.
Thanks
What are Shavlik's plans for patching Windows 10? Will the current product patch? Will there be a new agent?
Thanks,
I am trying to execute a bat file which loads a powershell script. But its not working.
If you run the run.bat file it will install on the PC
As you can see by the image below it has pushed all the files and shavlik has created its own.
If you run the shavlik bat file that get created by shavlik, that script works but it just does not run on its own ?
I have used the custom action to install .exe and for other bat files with no problem, but do I have to do something different to run powershell in a bat file ?
Please help.
Thanks.
| Purpose |
|---|
| Resolution |
|---|
This table lists possible statuses and their descriptions:
| Status | Description |
| No status | Initial value set when the tracker record is created |
| Failed | Deployment failed for one of these reasons:
The message includes the reason. |
| Copied to machine | Files and data have been copied to the target machine. |
| Scheduled | Deployment has been scheduled on the target machine. |
| Executing | The patch file is executing. |
| Executed | Patch has executed and the deployment template specified no reboot. |
| Executed (pending reboot) | Patch has executed, and a reboot of the target machine is pending. This status is set after executing the patch file if the deployment template specifies/allows reboot. Always reboot the target after running a patch uninstall. |
| Reboot may be required / Installation failed | Rescan completed and found the specified patch is missing. |
| Successfully installed | Rescan completed and found the specified patch is not missing. |
| Unable to verify | Could not perform the rescan (that is, failed to connect to target machine) or the patch InstallState attribute is present but not missing or installed in the rescan results. |
| Canceled | Deployment was cancelled. |
| Install complete. Not verified | This status is no longer used. |
| Awaiting rescan | Rescanning the target machine. This status is set immediately prior to sending the rescan request to the scan engine. |
| Installed Success Inferred | Rescan did not report on the patch. It is neither missing nor installed, so tracker infers that the patch was successfully installed. This happens for patches that actually install newer versions of the product. Since the old product is no longer present on the target, the patch for the old product appears neither as missing nor as installed. |
| Additional Information |
|---|
You can find more information about the Deployment Tracker within Protect under Help> Contents> Agentless Patch Management Tasks> Using Deployment Tracker> About Deployment Tracker.
| Affected Products |
|---|
Shavlik Protect 9.x
Purpose
This document will show you how to run the Console IT Script to clean up your Patch Repository.
The default location of the Patch Repository is: C:\ProgramData\LANDesk\Shavlik Protect\Console\Patches but it can be changed by in Tools > Operations > Download.
Symptoms
You are running out of space on your computer and need to clean up old patches in Protect's patch repository.
Steps
Go to Manage > ITScripts, when it is done importing ITScripts close the pop up
Under Maintenance highlight "Console Clean Up" right click and approve
Then go to Tools > Run console ITScripts
The default patchAge is 180 days, if you would like to change that value double click on 'patchAge" and enter a new value
When finished press continue to schedule to run this ITScript and then click run
Affected Product(s)
Shavlik Protect: All Versions
I want to setup a workstation at site A and then move it to site B. Both site have different IP subnets.
Can I install the agent at site A or will there be issues when I chnage the IP to site B?
when we scan 1 subnet the application shavlik start scan all subnets
This article was created to answer the question: Can you use Custom Actions with Agents?
Custom Actions work when deploying directly from the console, however do not work when using agents.
Custom Actions are not supported when using agents.
When using Custom Actions ensure to deploy directly from the Protect console.
Shavlik Protect 9.x
The purpose of this document is to explain how to change the Protect Cloud account to a new user without losing any data or connection to existing agents.
Once completed you should be able to log into the Shavlik Protect Cloud portal with your newly created account and view the information for the console.
Shavlik Protect 9.x
The purpose on this document is to provide information and a possible workaround for deployment issues caused by including GoToMeeting Update GOTOM-001 (QGTM7182553) in your deployment.
The GoToMeeting download URL contains a '&' character in it. This causes an issue in the current versions of Protect when we pass the URL via XML to Protect to build the deployment files. This results in the entire patch deployment failing at the 'Building Deployment Files" which can be viewed in the Deployment Tracker.
This issue will only happen when using 'Use Vendor As Backup Source' is enabled in the Deployment Template used in the Deployment. Here are possible workarounds:
Protect 9.x
Hello,
I'm using Bladelogic Server automation for applying patches, crated online catalog and using below shavlik file, but still catalog not updating MS15-006 bulletins.
PD5.cab
hf7b.cab
MS15-001--002--003-004-005-007-008 are fine.
Thanks,
Namdeo
MS released MS15-009 to MS15-014 patches on Feb 10. 2015, Is shavlik updated the same?
Thanks,
Namdeo
Hello,
I have some questions:
1) Is it possible to schedule reboots from Shavlik?
2) Let's say I have a machine group that I scan where I scan 50 machines, but only 40 have missing patches for deployment. And then they're patched with a deployment template that reboots them before patches, which is great. But is there a way I can tell even the 10 ones that have no patches, to at least reboot at the scheduled deployment time?