SCCM Security Scope setting causes Shavlik Patch functionality issues

Version 8

    Purpose

     

    Although this is more a SCCM issue, Shavlik Patch is directly affected.  This document will outline how to resolve Shavlik Patch functionality issues caused when the SCCM user's Security Scope isn't set to: All instances of the objects that are related to the assigned security roles.

     

    Overview

    The requirements for Shavlik Patch are located here:  How To: Verify your SCCM user is a member of the WSUS Administrators Group

    In addition requirements from the document, the SCCM user must be assigned to the All instances of the objects that are related to the assigned security roles Security Scope.

     

    This is an example of a SCCM Administrator who does not have All Instances Of The Objects That Are Related To The Assigned Security Roles set.

    Account.PNG

     

    The AutoPublish.log located in this folder: C:\users\username\Shavlik\Shavlik Patch folder will contain these errors:

    SMS Error: Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException You do not have security rights to perform this operation. AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)

    Generic failure AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)

    Your Configuration Manager security settings may be limited. Your security role should be 'Full Administrator' and your security scopes should be 'All instances of the objects that are related to the assigned security roles'. AutoPublish 1/31/2017 3:14:14 PM 4 (0x0004)

    Error - AutoPublish returned code 18: Error cleaning up categories AutoPublish 1/31/2017 3:14:14 PM 1 (0x0001)

     

    Resolution

     

         1. Open SCCM and select Administration.

         2. Expand Security and select Administrative Users.

         3. Locate the user used to log into the SCCM server and open its Properties.

         4. On the Security Scopes tab select 'All Instances Of The Objects That Are Related To The Assigned Security Roles'.

         5. Select OK..

     

    Additional Information

     

    There are two known workarounds if the option 'All Instances Of The Objects That Are Related To The Assigned Security Roles' is greyed. (pictured above)

     

    • Log into the Windows as the original user who installed the SCCM server.  This is the only user able to change the Security Scope option.
    • If all else fails, Microsoft advises to rebuild your SCCM environment. (yeah, option 1 is much better)

     

    Affected Product(s)

     

    Shavlik Patch