Patch Scanning & Deployment Best Practices - Verifying Requirements and Initial Setup

Version 1

    Table of Contents

     

    Verifying Requirements and Initial Setup

     

    The first thing that should be done if you are initially setting up Protect, or even if you're a new user of Protect in your organization, is to verify that your environment is meeting requirements for agentless patch scanning and deployment and that all options/settings are configured correctly.

     

    Resources for verifying requirements:

    Shavlik Protect Requirements Guide

    Shavlik Protect Online Help

    Shavlik Protect Quick Start Guide

    Shavlik Protect Installation & Setup Guide

    Shavlik Protect Administration Guide

     

    Ensure that your Shavlik Protect console is licensed:

    How to activate or renew Shavlik Protect console - Licensing

     

    Verify Settings within Tools > Options in the Protect Console

     

    Within Protect there are many options and configurable settings. If you are a new Protect administrator it is a best practice to confirm that the settings are in place as you would like them to be and that the settings will allow Protect to work properly in your environment. If you just installed Protect, these settings should be defaulted to what Shavlik considers best practice, however, it is good to verify these settings and understand them if you are new to Protect.

     

    Below are some of the important settings to verify:

     

    From the top menu, go to Tools > Options.

    Untitled.jpg

    Display tab (Below)

    • Results
      • You can change some settings how scan results are displayed. These are all based on your preference.
      • Note that if you check the option 'Show only items created by me' you will no longer see any items created by other users of Protect.
      • If you uncheck 'Show informational items in patch scan results' you will no longer see informational items in scans.
    • Language
      • Ensure the language settings for the Protect console are set how you want.

    01.JPGNotifications & Warnings tab (Below)

    • Ensure that the notifications and warning messages that Protect can provide are set to your preference.

    02.JPGPatch Languages tab (Below)

    • The default is only set to include English. Make sure to add any DEFAULT languages you want Protect to download patches in.

    03.JPGScans tab (Below)

    • You can change the default patch scan template that is used. This is set to the built-in 'Security Patch Scan' template by default, but you can set it to any scan template available.
    • It is best practice to leave 'Use replacement patches' checked. This allows patch supersedence detection to be used when scanning.
      • If you want to be able to see patches considered effectively installed based on supersedence, you can enable effectively installed patches to be shown via a custom scan template.

    04.JPGDeployment tab (Below)

    • You can change the default deployment template that is used. This is set to the built-in 'Standard' template by default, but you can set it to any deployment template available.
    • Deployment Tracker address - This is good to verify, especially if the system where Protect is installed has multiple NICs. This address is where Protect's deployment tracker will attempt to send updates to. (Tracker provides status updates during patch deployment.)

    05.JPGScheduling tab (Below)

    • Ensure that the scheduling method you prefer is chosen. By default this is set to the Shavlik Scheduler.
    • Scheduler lifetime allows you to choose what happens with the Shavlik Remote Scheduler service on client machines when deployments finish. The default is to leave the service running.

    06.JPGProxy tab (Below)

    • If you require the use of an authenticated proxy to access the internet, Protect will require this as well. Make sure to check the box and add credentials if needed.
      • Protect will be unable to download patch definitions or patch files if you fail to set this when needed.

    07.JPG

    Verifying Settings within Tools > Operations in the Protect Console

    From the top menu, go to Tools > Operations.
    08.JPG
    Downloads tab (Above)

    • Make sure to verify these settings especially if a different Admin was running Protect before you. If patches or definition files are failing to download there may be a mis-configuration here.
    • General patch download options - Patch download directory
      • Default directory is in C:\ProgramData\LANDESK\Shavlik Protect\Console\Patches\
      • You can change this to a directory on any local drive or UNC share. Note: You cannot use a mapped drive.
      • This is the location where patch/update files are downloaded on the Protect console system.
    • Definition download source
      • These settings are concerning the download of the patch definitions (XML content) that Protect uses for scanning and deployment logic.
      • Auto-update definitions (before scans)
        • Checked by default. This allows Protect go check for new patch definitions at the time any scan is run. Uncheck this if you are in a disconnected network or plan to manually update patch definitions.
      • The default setting for definition download source is 'Default (http://xml.shavlik.com).
      • You should NOT change this unless you are planning to use a configuration such as described in the following document:
        Configuring consoles within an offline environment to obtain definitions & patches from a distribution server share
    • Patch and Service Pack download source
      • Default setting is for patches to be download from 'Vendor web sites', meaning Protect will download the patches from a publicly available URL from each product vendor.
      • Just as with Definition download source, the best practice is to NOT change this setting unless your network configuration requires it.
    • Schedule automatic downloads
      • Here you can set up a schedule so that definitions can be automatically downloaded.
      • Unless you are in a disconnected network, it is best practice to implement this.
      • In the drop-down, there are two options:
        • Core engines/definitions - The patch definitions used for scan and deployment logic.
        • Threat engines/definitions - The definitions used by clients where the Protect agent is installed with the Threat protection component enabled.
      • To add a scheduled automatic download:
        091.JPG
        • Choose the definition type from the drop down menu.
        • Click 'Add'.
        • You will be prompted with the Schedule Download window.
        • Set to 'Recurring', and set the time and days that you want the automatic download to take place.
        • Click 'Save'.
    • For more information about configuring the download operations, see the Help Article.

    09.JPGDistribution Servers tab (Above)

    • Distribution servers are basically a Windows share used to store patch files, definitions, and other files for deployment and and use with agents.
    • If you are taking over admin duties of Protect from another admin, you should verify if a distribution server is configured and in use.
    • If you want more information about why you might use a distribution server, see the Help Document - Why Use a Distribution Server?
    • Some things that you should verify if setting up or using distribution servers:
      • Ensure that the paths are valid
      • Ensure the credentials set are valid
      • Consider setting up scheduled automatic synchronization of distribution servers.
    • More information about how to set up and configure distribution servers can be found in the Help Document - Configuring a New or Existing Distribution Server

    10.JPGDatabase Maintenance tab (Above)

     

    Back to Patch Scanning And Deployment Best Practices Guide (Agentless)