Patch Scanning & Deployment Best Practices - Verifying Requirements and Initial Setup

Table of Contents

Verifying Requirements and Initial Setup

The first thing that should be done if you are initially setting up Protect, or even if you're a new user of Protect in your organization, is to verify that your environment is meeting requirements for agentless patch scanning and deployment and that all options/settings are configured correctly.

Resources for verifying requirements:

Shavlik Protect Requirements Guide

Shavlik Protect Online Help

Shavlik Protect Quick Start Guide

Shavlik Protect Installation & Setup Guide

Shavlik Protect Administration Guide

Ensure that your Shavlik Protect console is licensed:

How to activate or renew Shavlik Protect console - Licensing

Verify Settings within Tools > Options in the Protect Console

Within Protect there are many options and configurable settings. If you are a new Protect administrator it is a best practice to confirm that the settings are in place as you would like them to be and that the settings will allow Protect to work properly in your environment. If you just installed Protect, these settings should be defaulted to what Shavlik considers best practice, however, it is good to verify these settings and understand them if you are new to Protect.

Below are some of the important settings to verify:

From the top menu, go to Tools > Options.

Display tab (Below)

• Results
  • You can change some settings how scan results are displayed. These are all based on your preference.
  • Note that if you check the option 'Show only items created by me' you will no longer see any items created by other users of Protect.
  • If you uncheck 'Show informational items in patch scan results' you will no longer see informational items in scans.
• Language
  • Ensure the language settings for the Protect console are set how you want.

Notifications & Warnings tab (Below)

• Ensure that the notifications and warning messages that Protect can provide are set to your preference.

Patch Languages tab (Below)

• The default is only set to include English. Make sure to add any DEFAULT languages you want Protect to download patches in.

Scans tab (Below)

• You can change the default patch scan template that is used. This is set to the built-in 'Security Patch Scan' template by default, but you can set it to any scan template available.
• It is best practice to leave 'Use replacement patches' checked. This allows patch supersedence detection to be used when scanning.
  • If you want to be able to see patches considered effectively installed based on supersedence, you can enable effectively installed patches to be shown via a custom scan template.

Deployment tab (Below)

• You can change the default deployment template that is used. This is set to the built-in 'Standard' template by default, but you can set it to any deployment template available.
• Deployment Tracker address - This is good to verify, especially if the system where Protect is installed has multiple NICs. This address is where Protect's deployment tracker will attempt to send updates to. (Tracker provides status updates during patch deployment.)

Scheduling tab (Below)

• Ensure that the scheduling method you prefer is chosen. By default this is set to the Shavlik Scheduler.
• Scheduler lifetime allows you to choose what happens with the Shavlik Remote Scheduler service on client machines when deployments finish. The default is to leave the service running.

Proxy tab (Below)

• If you require the use of an authenticated proxy to access the internet, Protect will require this as well. Make sure to check the box and add credentials if needed.
  • Protect will be unable to download patch definitions or patch files if you fail to set this when needed.

Verifying Settings within Tools > Operations in the Protect Console

From the top menu, go to Tools > Operations.

Downloads tab (Above)

• Make sure to verify these settings especially if a different Admin was running Protect before you. If patches or definition files are failing to download there may be a mis-configuration here.
• General patch download options - Patch download directory
  • Default directory is in C:\ProgramData\LANDESK\Shavlik Protect\Console\Patches\
  • You can change this to a directory on any local drive or UNC share. Note: You cannot use a mapped drive.
  • This is the location where patch/update files are downloaded on the Protect console system.
• Definition download source
  • These settings are concerning the download of the patch definitions (XML content) that Protect uses for scanning and deployment logic.
  • Auto-update definitions (before scans)
    • Checked by default. This allows Protect go check for new patch definitions at the time any scan is run. Uncheck this if you are in a disconnected network or plan to manually update patch definitions.
  • The default setting for definition download source is 'Default (http://xml.shavlik.com).
  • You should NOT change this unless you are planning to use a configuration such as described in the following document:
    Configuring consoles within an offline environment to obtain definitions & patches from a distribution server share
• Patch and Service Pack download source
  • Default setting is for patches to be download from 'Vendor web sites', meaning Protect will download the patches from a publicly available URL from each product vendor.
  • Just as with Definition download source, the best practice is to NOT change this setting unless your network configuration requires it.
• Schedule automatic downloads
  • Here you can set up a schedule so that definitions can be automatically downloaded.
  • Unless you are in a disconnected network, it is best practice to implement this.
  • In the drop-down, there are two options:
    • Core engines/definitions - The patch definitions used for scan and deployment logic.
    • Threat engines/definitions - The definitions used by clients where the Protect agent is installed with the Threat protection component enabled.
  • To add a scheduled automatic download:
    
    • Choose the definition type from the drop down menu.
    • Click 'Add'.
    • You will be prompted with the Schedule Download window.
    • Set to 'Recurring', and set the time and days that you want the automatic download to take place.
    • Click 'Save'.
• For more information about configuring the download operations, see the Help Article.

Distribution Servers tab (Above)

• Distribution servers are basically a Windows share used to store patch files, definitions, and other files for deployment and and use with agents.
• If you are taking over admin duties of Protect from another admin, you should verify if a distribution server is configured and in use.
• If you want more information about why you might use a distribution server, see the Help Document - Why Use a Distribution Server?
• Some things that you should verify if setting up or using distribution servers:
  • Ensure that the paths are valid
  • Ensure the credentials set are valid
  • Consider setting up scheduled automatic synchronization of distribution servers.
• More information about how to set up and configure distribution servers can be found in the Help Document - Configuring a New or Existing Distribution Server

Database Maintenance tab (Above)

• It is considered best practice to set up some form of database maintenance, whether via SQL or via Protect's built-in operation.
• Read more about how to configure and use database maintenance within Protect via the Help Document - Database Maintenance.
• The following document may be helpful as well: SQL Database Maintenance Recommendations for Protect

Back toPatch Scanning and Deployment Best Practices Guide (Agentless)