Shavlik Protect: An actual quick start guide

I had a hell of a time navigating the completely unconventional UI of Shavlik Protect, and was barely able to follow the quick start guide for the product.

As the SE stated, Shavlik does two things: scans for applications, pushes updates for those applications (okay, there’s also a hardware and software scanner, and a threat detection engine, and roaming agents that phone home… but you get the idea).

So, I set out to document an actual quick start guide to make it extremely easy and fast to get Shavlik Protect running within your network very quickly.

Download and install

1) Download Shavlik Protect (yep). I think you must register to get a demo license key. When you sign up, your regional sales rep and a few more folks internal to Shavlik will get an email immediately with your contact info.

2) Install Shavlik Protect, accepting most defaults. If you use SQL Express, it’s fine. One of the support guys stated that SQL Express license only supports one CPU socket and advised to reduce this on the VM I’m running my console on. I don’t think that matters at all as it was running without issue previously; so after I’m done with the case I’m working on, back to 2/2 configuration.

boring: DB maintenance

Backups should take place whenever you feel.
1) Open the Shavlik Protect console.

2) Tools> Operations> Database Maintenance table
– delete stuff after 90 days and backup the DB to a local folder.

3) Any scheduled tasks including this one will actually be made available in the Windows Task Scheduler. Meaning, you might want daily backups of the DB, so go to the Task Scheduler and make your adjustments.

boring: Automatic patch downloads

1) Open the Shavlik Protect console.

2) Tools> Operations> Downloads

3) schedule automatic downloads

Create an automated deployment of patches for workstations
I. Create a machine group

A machine group is a logical group of computers that will be targeted by scans, downloads and deployments.
* A scan always takes place. You can push detected missing patches after a scan, and you can deploy a install

1) Open Shavlik Protect

2) click New> Machine Group on the top bar

3) Here you can target machines by various things, like an OU, which will update its members when a scan is issued.

II. Create a Patch Group containing patch exclusions

In order to exclude specific patches (let’s say you hear an MSFT KB is crashing Outlook), you can create a patch group for exclusions.

1) Open the Shavlik Protect console.

2) in the drop down on the left-pane (right above the left-pane), select Patch and SP Groups.

3) On the top menu, New> Patch Group

4) Name it Exclusions or something

5) Double click on the Patch Group on the left pane and type in the MSFT KB number to find the patch (for instance try 3097877)

6) right click on the patch> Add to Patch Group> Exclusions

7) See “Create a patch scan template” number 5 right below.

III. Create a Patch Scan Template

This will include all patches you wish to deploy, excluding patches you wish to not deploy.

1) Open the Shavlik Protect console.

2) in the drop down on the left-pane (right above the left-pane), select templates

3) On the top menu, New> Patch Scan Template

4) Here is what you should set:
– Name: All Patches- Windows and Third Party
– Check All under “Scan for these:”
– under “Explicitly exclude these:” check the software you wish to not update.
– In the lower right corner pane “Baseline or Exceptions – Applies to Agents”, bullet Exceptions and check the patch group “Exclusions”. (you will do this for every patch scan template)

IV. Create a Deployment Template

1) Open the Shavlik Protect console.

2) in the drop down on the left-pane (right above the left-pane), select templates

3) On the top menu, New> Deployment Template

4) Here is what you should set:
Name: Deployment – No Reboot
Post-deploy Reboot:
– Reboot when needed.
– Schedule reboot: Immediately after installation.
– Power action: Restart.
– If a user is logged on: Alert user, perform action when user logs off.

V. Scheduling a scan

*** The credentials must be in the local administrator group on the console machine as well as the client machines.

1) you can apply a scheduled scan for a machine group via Home (on the top menu bar), clicking on a machine group on the left-pane, and selecting a schedule.
or
you can open a machine group, and click Run operation, then schedule a scan within this window.

2) You want to use a Patch Scan Template you created.

3) Select the deployment template you just made and select Install immediately.

4) When you click Schedule, it will prompt you to use credentials… Create a user and assign it to local administrators group on the target machine.

5) You can review/run-on-demand scheduled scans/deployments via Manage>Scheduled Console Tasks on the top menu or live in View>Deployment Track on the top menu…

Due to the terrible UI design, in order to remove any “pending” or historic scan/deployment results (why does a scan/deployment I’ve cancelled still say deploying here? anyone? anyone?), you must go to View>Results and delete the previous scan results.

VI. Verifying Scheduled Scan results

1) Open the Shavlik Protect console.

2) in the top menu, go to View> Event History to verify success or failure

3) with success, you can review results in View> Results

Create a scan and copy schedule for patches to servers

1) create machine group that includes servers (as above)

2) create a patch scan template, or use the same patch scan template created for workstations.

3) create a deployment template, you probably want to set it up as:
Post-deploy Reboot:
– Reboot when needed
– Immediately after installation
– If a user is logged on:
— force action after minutes: 1
– Show:
— countdown time-out minutes: 2

4) Schedule a scan and download (only)
a) you can apply a scheduled scan for a machine group via Home (on the top menu bar), clicking on a machine group on the left-pane, and selecting a schedule.
or you can open a machine group, and click Run operation, then schedule a scan within this window.
b) You want to use a Patch Scan template you created.
c) Select the deployment template you just made and select Copy patches only (no automatic execution).
d) When you click Schedule, it will prompt you to use credentials… Create a user and assign it to a group that has Run as Batch privileges (SeBatchLogonRight) on the target machines.
e) You can review/run-on-demand scheduled scans/deployments via Manage>Scheduled Console Tasks on the top menu or live in View>Deployment Track on the top menu…
Due to the terrible UI design, in order to remove any “pending” or historic scan/deployment results (why does a scan/deployment I’ve cancelled still say deploying here? anyone? anyone?), you must go to View>Results and delete the previous scan results.

5) When you’re ready, you can easily deploy the needed patches:
a) View> Results
b) Find the latest scan that encompasses the Servers
c) In the right-pane, you will see the Machines Scanned tab middle-pane showing the patch status
d) right-click on Patch Missing (for instance), and click Deploy> All Missing Patches…
e) Given that the top right-pane on the Machines Scanned tab listed the machines targeted in the previous scan & download operation, you will be targeting those machines
f) You want to select:
– Deploy How: [the Deployment template you created earlier] (in our case “(Servers) Deployment – Reboot within three minutes after install”)
– Deploy when: Install the patches… install immediately.
g) review the bottom summary to verify everything looks good and click “Deploy (machines will reboot)”
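
The scheduling steps above ask for different rights: local Administrators membership for the workstation credential, and SeBatchLogonRight for the server credential. As an added example (not from the original post or from Shavlik), this PowerShell lists who actually holds each on a target machine; the account name CORP\svc-patch is hypothetical.

```powershell
# Added example: list who holds a user right and who is a local administrator
# on a target machine. Run in an elevated session on that machine.

function ConvertFrom-RightLine {
    # Parses one line of a secedit export, e.g. (constructed sample):
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    param([Parameter(Mandatory)][string]$Line)
    foreach ($entry in (($Line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
        $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }                                    # unresolvable SID
    }
}

function Get-UserRightHolder {
    param([string]$Right = 'SeBatchLogonRight')
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective local security policy as an INF file
        secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
        Get-Content $inf | Where-Object { $_ -match $pattern } |
            ForEach-Object { ConvertFrom-RightLine -Line $_ }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-DeploymentAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc-patch' (hypothetical)
    $batch  = @(Get-UserRightHolder -Right 'SeBatchLogonRight')
    # S-1-5-32-544 is the well-known SID of the local Administrators group
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)
    [pscustomobject]@{
        Account            = $Account
        BatchRightHolders  = $batch -join '; '
        HoldsBatchDirectly = $batch -contains $Account
        IsLocalAdmin       = $admins -contains $Account
    }
}

Test-DeploymentAccount -Account 'CORP\svc-patch'   # hypothetical account name
```

HoldsBatchDirectly stays false when the account gets the right through one of the groups listed in BatchRightHolders, so read both columns together.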

Setup patching for roaming/remote users (machines that aren’t accessible all the time from the Shavlik Protect console)

These will be agent based and will communicate with the Shavlik Protect server via the Shavlik Protect Cloud (the agent checks in with the cloud, uploading a file via HTTPS; your server leaves and grabs info in the cloud to/from your roaming agents).

1) Register your console in Shavlik Protect cloud
a) having previously created a Shavlik account, you should be able to add those credentials, then register the Cloud
b) open the Shavlik console
c) Tools> Operations> Protect Cloud Sync
d) Create an account if you don’t have one following the link. If you have one, you can click New… to add the credentials, or if you’ve added them select them in the dropdown.
e) click “Register this console” > save

2) create an agent policy
a) open Shavlik Protect
b) click HOME on the top menu
c) in the drop down on the left-pane (right above the left-pane), select Agent Policies
d) in the top menu New> Agent Policy
e) You probably want to set these:
Name: (Roaming) Agent Policy – No threat
General settings tab:
– Allow the user to:
— Uncheck: Cancel operations
– Network:
— Check: Sync with Protect Cloud
Patch tab:
– Add a Patch task…
— Schedule:
— Daily: Saturday at 1AM
— Check: run on boot if schedule missed, delay after boot minutes: 10.
— Scan and deploy options:
— Patch Scan Template: probably the one you created earlier (or go create one)
— Deployment template: probably the one you created earlier (or go create one)
— Deploy patches: all patches detected as missing
— Deploy services packs: Bullet a service pack group, and create one (if you haven’t yet), and select “Use Current” and Exclude as necessary.
No further configuration required (unless you’re interested in asset and threat protection). Note the agent listens on port 4155 by default.

3) install the agent:
a) agents that are online can be pushed (find the machine in the machine view via view>machines), right-click on the machine> Agents> Install/Reinstall> select the agent policy you just created
– this method will auto connect to the console
b) the agent installer is located on the Shavlik Protect server at “C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles\STPlatformUpdater.exe”
– this method allows you to connect to the console through the local network (connect, then get policy list), or the cloud.
– You can also download the agent from the cloud: protectcloud.shavlik.com, agent keys> new> select the proper things and click Create key, send an email and/or note the activation key
Current download is available: http://xml.shavlik.com/data/protect/v9/92/protect/5046/stplatformupdater.exe
c) run the agent installer and select “I connect to the console through the cloud”, then use the activation key.
d) once installed, you can check in immediately via the UI (c:\program files (x86)\landesk\shavlik protect agent\stagentui.exe), selecting Update patch policy on the left-side menu.
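
The direct download link above is plain HTTP, so a copy fetched that way is worth checking before it runs on a roaming machine. As an added example (not from the original post or from Shavlik), this PowerShell checks the Authenticode signature and compares the SHA-256 with the console's own copy; the download location and the -ExpectedSigner value are assumptions you supply yourself.

```powershell
# Added example: check an agent installer copy before running it.
function Test-AgentInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,   # the copy you are about to run
        [string]$ReferencePath,                # optional: the console's own copy
        [string]$ExpectedSigner                # optional: publisher name you expect
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "not found: $Path" }

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ... all end up here
        $problems += "signature status: $($sig.Status)"
    } elseif ($ExpectedSigner -and
              $sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ReferencePath) {
        $ref = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash
        if ($ref -ne $hash) { $problems += 'SHA-256 differs from reference copy' }
    }

    [pscustomobject]@{
        Path     = $Path
        SHA256   = $hash
        Signer   = $sig.SignerCertificate.Subject
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# The download folder is a hypothetical location; the reference path is the
# console copy named in step 3b.
Test-AgentInstaller -Path "$env:USERPROFILE\Downloads\stplatformupdater.exe" `
    -ReferencePath 'C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles\STPlatformUpdater.exe'
```

A hash mismatch alongside a valid signature can simply mean the download is a different build than the console's copy; an invalid signature should stop the install either way.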

boring: Reports

1) You probably want to schedule one of the following reports: http://help.shavlik.com/Protect/onlinehelp/92/ENU/PRT.htm

2) You can also create SQL queries with assistance from the Reports View Guide.
I wrote a quick PowerShell script that emails a CSV of patch status for products and machines, from which I can easily create a pivot table to produce missing patches per product per machine (a report my boss likes to see weekly).
