How To: Automated Service Pack Deployment with Agents

Version 4



    This document explains how to set up Shavlik Protect Agents to automatically deploy service packs.




    1) Open the Agent Policy you would like to add the service pack task to, or create a new agent policy by going to New > Agent Policy.

    2) Click on the Patch Tab and then click on Add a Patch Task....

    3) Name the new Patch Task. (Example: Service Pack Deployment)

    4) Select the schedule on which you would like service packs to be scanned for and deployed. For the purpose of this article, we are choosing to use a schedule to automate the installation of service packs. You can leave the Use Schedule box unchecked and perform the service pack deployment manually through the agent in Machine View. More on that here:


      Service packs tend to be very large and can take a long time to download. It is recommended to select a time when users will not be on the target machine and the network is not at peak hours.


    5) Click on the Scan and Deploy Options tab (In Protect 9.1, this is in the drop down menu).


    6) Choose a Patch Scan Template.


    7) Select a Deployment Template.

      Since service packs always require a reboot, we recommend using the Agent Standard template. If the machine cannot be rebooted after service pack deployment, be sure to use or create a template that does not reboot after deployment.


    8) You can choose whether to deploy patches at this time as well. For the purposes of this article, I have chosen not to include patches in my deployment and to only deploy service packs if they are missing.


    Follow the notes below for more options and what the available options mean:


    Deploy service packs

    If you want the agent to be able to automatically deploy service packs that are identified as missing by the patch scan, enable this check box.

    When the agents perform a service pack deployment they will deploy only those service packs that are:

    1. Scanned for by the patch scan template, and
    2. Reported as missing, and
    3. Approved for deployment.
    The approved service packs can be either all service packs detected as missing by a scan, or they can be limited to those service packs you define in a service pack group. The list of approved service packs defined here is bound to this particular patch task. The list will not be used by other patch tasks within the agent policy.
    • More info: A link to the Help topic that explains how service pack groups are used by the program:
    • All SPs detected as missing: Specifies that any service pack identified as missing will be eligible for deployment.
    • Service Pack Group: Only those service packs contained in the specified service pack group will be deployed by the agent. If a scan detects missing service packs not included in this group, those service packs will not be deployed.
    • Limit deployments (per day): Specifies the maximum number of service packs that can be deployed to a machine in one day. Service packs can take a long time to deploy and almost always require a reboot of the machine, so you typically want to keep this number rather small. If you do not limit the number of service pack deployments in a day you run the risk of overwhelming a machine if it is missing a large number of service packs. If a machine is missing more service packs than the specified limit, the additional service packs will be deployed the next time the patch task is run.
    Tip: Note that a "day" in this case is considered to be a calendar date and not a 24 hour period. This means the day is reset at midnight. If you were to schedule the patch task to run on an hourly basis (not recommended), it would allow you to maximize an overnight maintenance window by deploying the maximum number of service packs before midnight and then again immediately after midnight.
    • New: Enables you to make a new service pack group. For more information see
    • Edit: Enables you to make modifications to the selected service pack group. Be careful here, because any modifications you make will affect any patch task that references the service pack group. Also, if you edit and save a service pack group that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

    Service Pack Deployment Process

    If an agent machine is missing multiple service packs, only one service pack will be installed at a time. The patch task will begin by initiating the download of all missing service packs. Operating system service packs are downloaded at a higher priority, but whichever service pack gets downloaded first is the one that is first installed. After the service pack is successfully installed, the machine is restarted, rescanned, and the process is repeated until all service packs are deployed or until the daily limit is reached [see the Limit deployments (per day) option].

    In addition, each patch task is allotted a 60 minute window to complete the download > install > restart > rescan process. (This is part of a two hour total maintenance window that is allocated for downloading missing service packs and patches.) Only those service packs that are successfully downloaded during this 60 minute window will be installed by the active patch task. If the patch task cannot finish downloading all missing service packs during the 60 minute window, the remaining service packs will be identified, downloaded, and installed the next time the patch task is run.

    The downloads occur in the background using idle bandwidth not being used by other applications. Foreground tasks such as Web browsing are not affected by the service pack download process.

    If an agent machine becomes disconnected from the network during a file download, the process will be suspended and will automatically resume where it left off when the network is available again. This technique is called checkpoint/restart and is extremely useful for machines that are frequently disconnected.
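
    The eligibility rule and the per-calendar-day limit described above can be checked with a small model before choosing a schedule. This is an added illustrative example, not Shavlik code; the service pack names, dates and function names are constructed, and it assumes every download finishes inside the 60 minute window and that installs follow list order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ServicePack:
    name: str
    scanned: bool  # covered by the patch scan template
    missing: bool  # reported as missing by the scan


def eligible(sps, approved_group=None):
    """Scanned AND missing AND approved. approved_group=None models
    'All SPs detected as missing'; a set models a Service Pack Group."""
    return [sp.name for sp in sps
            if sp.scanned and sp.missing
            and (approved_group is None or sp.name in approved_group)]


def simulate(sps, run_times, daily_limit, approved_group=None):
    """Return {calendar date: [service packs deployed that date]}."""
    installed, per_day = set(), {}
    for run in run_times:
        # The limit is counted per calendar date, so it resets at midnight.
        deployed_today = per_day.setdefault(run.date(), [])
        for name in eligible(sps, approved_group):
            if name in installed:
                continue
            if len(deployed_today) >= daily_limit:
                break  # remaining service packs wait for a later run
            installed.add(name)  # one at a time: install, restart, rescan
            deployed_today.append(name)
    return per_day


# Constructed sample data: names and dates are placeholders.
SAMPLE = [
    ServicePack("SP-A", True, True),
    ServicePack("SP-B", True, True),
    ServicePack("SP-C", True, True),
    ServicePack("SP-D", True, True),
    ServicePack("SP-E", False, True),  # not covered by the scan template
    ServicePack("SP-F", True, False),  # already installed
]
# Hourly runs at 22:00, 23:00, 00:00 and 01:00 across one midnight.
RUNS = [datetime(2024, 1, 10, 22) + timedelta(hours=h) for h in range(4)]

if __name__ == "__main__":
    for day, names in simulate(SAMPLE, RUNS, daily_limit=2).items():
        print(day, names)
```

    With a limit of 2, the hourly runs deploy two service packs before midnight and two more after it, which is the behaviour the Tip describes.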


    9) Click the Save and Update Agents button. If this agent policy is already installed on target machines, the target machines will check in at this time, if able, to receive the new policy change. If this is a new Agent Policy, you will need to assign the policy manually. For more information on that process, consult the following:


    10) The service packs will be scanned for and deployed at the next scheduled time that you selected in Step 4.


    Additional Information


    Scheduling and deploying service packs automatically is currently only available with a Shavlik Protect Agent. Agentless service pack deployment must be done manually.

    For instructions on how to deploy a service pack agentlessly, follow this article: How To: Deploy a Service Pack to Multiple Machines


    For guidelines on service pack deployment, consult the following article: Shavlik Protect Agentless Service Pack Deployment Guidelines


    Affected Product(s)

    Protect 9.x