I've been building new Win2012R2 servers. The servers have SQL2014 on them. The first scan of the new machines shows all the updates needed. Normal so far. I install the updates, reboot and find one missing: MS14-018. I push it out and reboot, then re-scan. I then find all of the previous updates GONE! I have to re-install them to complete the build. This has happened three times now.
If this helps, the first scan shows MS14-018 with reference to Q2936068. It's an IE security update. The second time around, when it's the only patch missing, it's referenced to Q2919355 and is a Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 update.
Next opportunity I have to update a Win2012 server I'll install the second update first. It will have to be a manual install because the patch scan does not show it. I'm curious to see if anyone else has experienced this. If so, have you found a way around it?
This document outlines how to run a DPDTrace. This may be necessary when troubleshooting detection issues.
Steps
DPD stands for Dynamic Product Detection. It’s the method our scan engine uses to determine what supported products are installed on the machine. This tool was created for troubleshooting patch scan issues where we need to know what is going on during the DPD process.
.Net Framework v4.0.30319 or newer needs to be installed for this to work
Download DPDTrace.zip (See attachment at bottom of this page) and extract the file into a folder on the root of C:\
Read Disclaimer.txt.
Open a Command Prompt and change directory to C:\DPDTrace
Enter the following command, replacing {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} and {PATCHTYPE} with corresponding values. ({MACHINE_NAME} has to be the target machine that is having the detection problem.)
If you need to scan with an older scan engine, you may do so. Please add the VERSION number to the end. If no version is specified, it will use the 9.0.651 scan engine. Possible values:
6. When the scan has completed the command prompt window will say 'Test Complete Please zip up HFCLi folder and send it back to us'. Please verify that an XML document has been created in the HFCLI folder. If it has, please zip up the directory "C:\DPDTrace\HFCLI" and send it back for analysis.
Please include the following registry exports from the target machine. This will not only save time, it will also greatly increase our chances of determining the root cause of the detection issue and correcting it.
The purpose of this document is to provide more information about the different patch types offered within Protect.
Description
There are 5 different patch types within Protect. They are as follows:
Security Patch
A Security patch addresses a specific security vulnerability. They are accompanied by a Security Bulletin.
Non-Security Patch
This is a non-critical update released by vendors to enhance functionality and/or include minor changes to the application.
Security Tools
Security tool patches are patches for Malware tools and Microsoft Security Advisories. Security Advisories are a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. Each advisory is accompanied by a Microsoft Knowledge Base Article to provide additional information about any changes or updates being delivered with the advisory’s release.
Software Distribution
A software distribution patch is a full installer of an application. Only supported applications have a software distribution patch.
Custom Action
Enables you to perform custom actions even if you are already fully patched. It does this by scanning for a specific QNumber and patch (QSK2745, MSST-001) that will always show as missing on any target system. The process uses the temporary file Nullpatch.exe, which was specifically designed by Shavlik to run without making any changes.
Back in the day, if I recall, when we went in and modified an agent policy we had an option to save, but not to push out those changes immediately. Currently if you go in and modify a policy, the save button automatically forces an update to all clients running that policy. We've found this to have a very bad effect on all of our servers which are VMs running the Shavlik Agent.
Here is what happens:
Edit an Agent Policy
Go into the patching section, change a patch task configured in the agent policy to use a different patch scan template. (We do this every month as we release our patches in packages which are defined by using different patch scan templates).
Click save.
Immediately this is forced out to all clients running this policy. On workstations this is no big deal but when it comes to virtual machines, it's causing issues. We recently set up Veeam ONE to monitor the performance of our systems and last night was the first time I made a change to a server policy in Shavlik since implementing Veeam ONE. As soon as I hit save, I started to get Datastore latency alarms for tons of VMs, too many to count. This latency was high as well, over thresholds by a large margin which will cause production issues to our end users (slowness). I think what is happening is that all of the VMs are receiving this update at the same time and either downloading something from the Shavlik server or processing something off of their own disk which is just too much at once to handle and keep performance up.
My suggestions:
Bring back the Save but don't update button and allow the update to go out the next time the machine running the modified policy checks in.
Build in some form of stagger so that hundreds of machines aren't hit with the update at the same time causing massive disk IO operations at once.
We are currently testing the Shavlik Protect 9.1 software. We have set up machine groups based on Active Directory, however we were curious what the default behavior is for a machine that is deleted or removed from the OU? Is the machine removed from the Machine group? Is it removed from the console? Does the behavior change if an Agent is installed?
Is there a definitive article that outlines all the exclusions that should be in place for anti-virus for both the clients as well as the server that is hosting the Protect console? I did find the document entitled Protect Console and Agent Services Information and have applied those in the exclusions listed in the document and set the path to where they are on my server. Even with the exclusions in place, the server will freeze and no longer respond during scans or deployments or at times will be very sluggish in response and scan performance. If I uninstall (unloading makes no difference) the problem goes away. I am thinking I am missing some exclusions that need to be in place. The anti-virus is Trend Micro OfficeScan 10.6 SP3. The SQL Express (2014) and database are running locally and are also excluded from the anti-virus scans.
As I mentioned previously, we are currently running a POC of the Shavlik Protect product and hoping to wrap up in the next week or two. I have seen in a few discussions where some of the Shavlik team members have mentioned some of the new features of Protect 9.2. I was wondering if there has been any information released that lists out some of the new features of the 9.2 product. I would hate to make a decision based on 9.1 and find out 9.2 contained fixes for any issues we saw with the product.
I'm having issues getting 2 patches to install or stop showing as needed in Shavlik. Q2965289 & Q2918614. I've tried manually installing the patches by downloading from Microsoft and installing locally but then get the following messages upon attempting to install:
KB2965289 (Security Update for Word Viewer): This update has already been applied or is included in an update that has already been applied.
KB2918614: This Update is not applicable to your computer
All machines are Win Server 2008R2 x64. I have checked the 'Installed Updates' on the machines and neither of these patches shows as installed, nor does using PowerShell's 'Get-Hotfix' with these KBs return results on the machines. Yet Shavlik reports both these as missing.
Looking for advice on the best method of patching an Exchange 2010 DAG. Up to now we've been doing it manually, given the complexities of the environment. Any advice on automating patching with Shavlik would be appreciated.
The purpose of this document is to show how to create a patch group and exclude those patches from your scans. This is sometimes necessary when you scan for patches but do not want specific patches to be installed.
Steps
To scan or exclude specific patches, begin by assigning the desired patches to a Patch Group. In Protect, open Patch View.
Locate the specific patch by searching or filtering.
Right click the patch, choose Add to Patch Group, then choose New Patch Group.
In the Patch Group window, enter a Name and Description to identify what the Patch Group will be used for, then click Save.
Next create a new Patch Scan Template.
In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Patch type filter settings select Scan All. Under Patch filter settings select Skip Selected, then click the Patch group(s) browse button.
In the Select Patch Groups window, add a checkmark to the Patch Group(s) that contain the specific patch to be scanned for, then click Select.
The selected Patch Group should now show as selected in the Patch Group(s) list. Click Save.
Scan using the Scan Template created. Results will only show those patches included in the Patch Group.
I am seeing the result of Shavlik Scans showing DirectX 9.0c as being End of Life 7/14/2015 on Windows 7 and Windows 2008 R2 systems. What I don't see is any method to remove or update DirectX 9.0c on these systems. It seems this component is baked into the OS. I haven't been able to find any Microsoft documentation on how to deal with this, though there are plenty of third party sites that have information on removing it (with varying degrees of success). Microsoft offers KB2670838 (Platform Update) which possibly installs newer versions of DirectX, but my systems already show that as being installed (MSWU-716). Any suggestions on how to mitigate this issue?
This issue occurs if there is a network or configuration issue which prevents Protect from connecting remotely to the target machine's registry.
Resolution
To resolve this issue:
Ensure that the Remote Registry service is started on the target machine(s).
If you are able to log in to the machine from which you are running the scan as a user with administrative rights to a target machine, test the remote registry access.
To test the remote registry access:
Click Start > Run, type regedit, and click OK. The Registry Editor window opens.
Click File > Connect Network Registry.
Enter the name of the target machine as the object name and verify if you can connect and navigate to the remote registry of that machine.
On the target machine(s), navigate to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg registry key, add "LOCAL SERVICE" to the key's permissions, and give it Read access.
Make sure File and Print Sharing Services are enabled and started.
If the preceding steps do not resolve the issue, it is possible that the policy setting is limiting access to the remote registry of the target machine(s). To resolve this issue, contact your network administrator.
Additional Information
For more information on managing remote access to the registry, see the Microsoft Knowledge Base article 314837.
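The checks in the Resolution steps above can be run in one pass from the scanning console. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 on Windows 8.1/Server 2012 R2 or later, and the function name, output property names and host name are hypothetical.

```powershell
# Added example: pre-flight checks for the remote-registry prerequisites.
# Run as an account with administrative rights on the target machine.
# Test-RemoteRegistryAccess and its output property names are hypothetical.
function Test-RemoteRegistryAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{
        ComputerName       = $ComputerName
        Smb445Reachable    = $false
        RemoteRegistrySvc  = 'Unknown'
        RegistryConnect    = $false
        LocalServiceRights = 'None'
        Errors             = @()
    }

    # File and Print Sharing: remote registry calls travel over SMB (TCP 445).
    $r.Smb445Reachable = Test-NetConnection -ComputerName $ComputerName -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Remote Registry service state on the target.
    try {
        $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
        $r.RemoteRegistrySvc = [string]$svc.Status
    } catch { $r.Errors += "Service query: $($_.Exception.Message)" }

    # Same test as regedit's File > Connect Network Registry, then read the winreg key ACL.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $r.RegistryConnect = $true
        $key = $hklm.OpenSubKey('SYSTEM\ControlSet001\Control\SecurePipeServers\winreg')
        if ($key) {
            # S-1-5-19 is the well-known SID of LOCAL SERVICE (locale-independent match).
            $rules = $key.GetAccessControl().GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            $ls = $rules | Where-Object {
                $_.IdentityReference.Value -eq 'S-1-5-19' -and $_.AccessControlType -eq 'Allow' }
            if ($ls) { $r.LocalServiceRights = ($ls.RegistryRights -join ', ') }
            $key.Close()
        }
        $hklm.Close()
    } catch { $r.Errors += "Registry connect: $($_.Exception.Message)" }

    [pscustomobject]$r
}

# Constructed host name; replace with the machine that fails to scan.
Test-RemoteRegistryAccess -ComputerName 'TARGET01'
```

A result with RegistryConnect false while Smb445Reachable is true and the service is Running points at the policy restriction mentioned in the last step rather than at connectivity.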
The purpose of this document is to provide details on how to manually configure a remote SQL Server to accept machine account credentials.
Description
If you are using Integrated Windows Authentication to access a remote SQL Server, in order for Shavlik Protect to interact properly with the server you must configure the server to accept machine account credentials. The best time to do this is immediately after you have installed Shavlik Protect but before you actually start the program. You can, however, perform these steps after starting the program. Any scans you initiate prior to this that require interaction with a remote SQL Server database will probably fail.
This section describes how to configure a remote SQL Server to accept Windows authentication (machine account) credentials from the Shavlik Protect console. For security purposes, Shavlik recommends using Windows authentication where possible. Microsoft SQL Server Management Studio is used as the editor in the following examples but you can use a different tool if you prefer. The Shavlik Protect console and SQL Server must be joined to the same domain or reside in different domains that have a trusted relationship. This is so the console and the server can compare credentials and establish a secure connection. Once you have gained access to the SQL Server, create a new login account for Shavlik Protect to use by using the process outlined below. Note: You must have securityadmin privileges in order to create an account.
1. Within the Security node, right-click Logins and select New Login. Type the login name using a SAM-compatible format (domain\machine name). The machine account is your console's machine name and must contain a trailing $. Make sure Windows Authentication is selected and the Default database box specifies the Shavlik Protect database.
Note: Do not use the Search option. You must manually type the name because it is a special name.
2. For the Shavlik Protect database, create a new user login using the console machine account. To do this, right-click the 'Users' folder and select 'New User'. Then browse to find the Login name and paste the name in the User name box. Assign the user the db_datareader, db_datawriter, STCatalogUpdate, and STExec role memberships.
You can use the SQL Server activity monitor to determine if connection attempts are successful when performing a patch scan.
If you ran Shavlik Protect before creating the SQL Server user account, some services may fail to connect to SQL Server. You should select Control Panel > Administrative Tools > Services and try restarting the services.
If the connection attempts are failing you can view the messages in the SQL Server logs to determine why the failures are occurring.
Note: If you are utilizing the Role Based Administration feature within Shavlik Protect, please continue to the steps below.
If you wish to allow other users access to the program, you may need to configure SQL Server so that those users have the necessary database permissions. Specifically, when using Windows integrated authentication, users without administrative rights on the database machine must be granted read and write permission to all tables and views. They must also be granted execute permission to all stored procedures in the Shavlik Protect application database. They may not otherwise be able to start Shavlik Protect.
One way to grant these permissions is to assign your users the db_owner role. For security reasons, however, this may not be the best solution. A safer alternative is to grant execute permission at the database level. You do this by assigning the users in question to the STExec role.
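To confirm that an account ended up with the roles described above and was not simply given db_owner, the role memberships can be read back from the database. This is an added example, not Shavlik's own tooling; it assumes Windows PowerShell 5.1 and a caller allowed to read the database's principal metadata, and the function name, server, database and login values are placeholders.

```powershell
# Added example. Get-ProtectRoleAudit is a hypothetical name; server, database and
# login values are placeholders to replace with your own.
Add-Type -AssemblyName System.Data

function Get-ProtectRoleAudit {
    param(
        [Parameter(Mandatory)][string]$SqlServer,   # e.g. 'SQL01\INSTANCE' (placeholder)
        [Parameter(Mandatory)][string]$Database,    # name of your Protect database
        [Parameter(Mandatory)][string]$Login        # e.g. 'DOMAIN\CONSOLE01$' (placeholder)
    )
    # Roles the document assigns to the console machine account.
    $expected = 'db_datareader', 'db_datawriter', 'STCatalogUpdate', 'STExec'

    # Database roles held by the user mapped to the given Windows login.
    $query = @'
SELECT r.name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE SUSER_SNAME(u.sid) = @login;
'@
    # Builder keeps the caller-supplied values from altering other connection settings.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source'] = $SqlServer
    $builder['Initial Catalog'] = $Database
    $builder['Integrated Security'] = $true

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    $roles = @()
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
    } finally { $conn.Dispose() }

    [pscustomobject]@{
        Login        = $Login
        Roles        = $roles
        MissingRoles = @($expected | Where-Object { $_ -notin $roles })
        HasDbOwner   = $roles -contains 'db_owner'   # broader than the STExec alternative
    }
}
```

For users other than the console machine account, the relevant fields are whether STExec appears in Roles and whether HasDbOwner is true.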
I want to make sure I understand the process. In a patch group, new patches are available to add to the patch group as soon as they're available to Shavlik, correct?
Then they must be downloaded to Shavlik, so that Shavlik can push them to the target machines, is that correct? Is that true for all patches, including Windows patches?
When are they downloaded? When they are deployed?
I know they can be manually downloaded. Right now, I am trying to download Windows6.1-KB3065987-x64.msu but I keep getting the error "The remote server returned an error: (404) Not Found." How do I fix this? And what is the remote server? Is that a Microsoft server? A Shavlik server?
It seems like the last update or two has led me to have some detection issues with certain patches. KB3038701, KB2878252, KB3004365, and KB3018238. These look to be older patches (over 6 months old) but all of a sudden they show up as being needed. They fail when I try to deploy them. I even tried to manually run the stand-alone package on the servers themselves and it tells me the patches are not needed. Has anybody else seen this?