Coming Soon! Shavlik Protect 9.1

Hey All,

Shavlik Protect 9.1 is getting closer to release.  I wanted to share some details about the release with you and also let you know that in March you will get an opportunity to take 9.1 for a test drive.  We are rapidly nearing the Protect 9.1 beta, so if what you see below is of interest, shoot an email to us at to sign up for the beta today.


The Protect Console has been localized into ten languages.  Check out the screenshot of the Protect UI in German:






Protect now supports IPv6 and has enhanced resolution features to allow the assessment to discover a machine by FQDN, Hostname, IPv4, or IPv6 more effectively.

We have cleaned up and enhanced the agentless deployment workflows in Protect.  Now you will see a more high-level summary and more detailed information about deployments as they occur.  Check out this screenshot showing a machine-level status and how many patches were deployed and how many executed.  Also see the patch level and the description showing the return code from the patch:




We have expanded the filters in the Scan template to include vendor severity which allows for more flexibility to scan for what you need without a lot of configuration of patch groups.

And for those of you with reporting customization needs, we have added several report views and documentation on the relationships so you can customize your own reports.  You can also use them to build reports from SQL Reporting Services or other 3rd party reporting tools.

Again, if any of these features are of interest to you we are looking to start the beta in early March before patch Tuesday.  Shoot us an email at to get on the beta list.




January Patch Tuesday Advanced Notification

Microsoft has announced this month’s Patch Tuesday release.  There are 4 total patches – 0 Critical and 4 Important – expected to be released on Tuesday, January 14th. Here is the breakdown for this month:

Security Bulletins:

  • ZERO! bulletins are rated as Critical. Yay!
  • Four bulletins are rated as Important.

Vulnerability Impact:

  • One bulletin addresses a vulnerability that could allow Remote Code Execution.
  • Two bulletins address vulnerabilities that could allow Elevation of Privileges.
  • One bulletin addresses a vulnerability which could lead to a Denial of Service.

Affected Products:

  • All supported Windows operating systems
  • All versions of Office
  • Office Web Apps 2010 and 2013
  • SharePoint Server 2010 and 2013
  • Dynamics AX 4.0, 2009, 2012, and 2012 R2

Looks like we may have a nice calm start to 2014!

Join us as we review the Microsoft and third-party releases for January Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, January 15th at 11 a.m. CST.  We will also discuss other product and patch releases since the December 2013 Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Keeping off-network machines up-to-date…is it an impossible problem for IT?

One question that often comes up when we are out talking to IT administrators and IT executives is “Is patch management a solved problem?” On the surface it seems like this is the case, but as computing evolves, we have seen the challenges of patch management evolve right along with it.

Shavlik Systems Engineer John Rush and I sat down last week to discuss one of these newer challenges in patch management – how do we keep off-network machines up-to-date?

“For customers I talk to the biggest issue they have for patch management is that most of the tools out there require you to be connected to the network to get your patching done. That’s just not realistic,” Rush said.

Is this a new problem brought on by the proliferation of cloud-based applications and BYOD?

“It’s been a problem for a number of years now. Take the Shavlik Team for example, we exclusively use SaaS-based tools in our sales team like Concur, Salesforce, etc., so employees in the field never have to connect to our network,” Rush explained.

“In the old days, we had to VPN in to get email. Everyone had to be connected, but today, they never have to connect to the VPN. They are doing everything from their own laptops, and some are doing it from their iPads. The world has changed with respect to connectivity.”

With that change, IT is left with lots of questions about these off-network machines.

  • What’s being installed?
  • What versions are out there?
  • Is it time for a hardware refresh?
  • Are these machines lacking patches that make them vulnerable?

Rush added, “Today’s world no longer conforms to a Visio diagram. We are connected to the internet, but we are not connected to the corporate network.”


How can we solve it?

As an industry we need to build tools for managing machines in the wild, let those machines/users become self-sufficient when it comes to things like patch management and asset inventory, and then provide a mechanism to give that data back to corporate.

Shavlik addresses this problem with the Protect Cloud. The Protect Cloud is a cloud-enabled patch service that aggregates, analyzes, and distributes patch data and associated deployment policies over the Internet. This service is used to send patch data to your Protect console, but that is just the beginning.

The Protect Agent can be installed on off-network machines and be configured for use with the Protect Cloud. So long as the machine connects to the internet (off network or on network), the Protect Agent communicates with the Protect Cloud to receive patch and policy updates and to return update status to the Protect console. This means that without additional infrastructure IT can ensure that off-network machines are patched and monitored in the same manner as those PCs that sit inside the firewall.

Protect Cloud Diagram

“Before The Protect Cloud we had to have a box outside in the DMZ, and we had to open up ports. Now, with this technology, we have business as usual for everybody; the only difference is the Protect Cloud,” Rush said.



How does the Protect Cloud work with the Protect Agent?

Protect Agents that are configured to use the Protect Cloud can receive updates via the console if they are on-network or via the cloud if they are off-network.

Here’s how it works.

  • The Protect Console uses a secure connection to push agent policy information to the Protect Cloud.
  • At their next scheduled check-in time, remote agents first attempt to check in directly with the console.
  • If they do not have access to the console, they perform the check-in using the cloud.
  • The agents use a secure connection to the cloud service to report the same information they would have reported to the console (e.g. scan results, threat information, etc.)
  • The cloud stores the uploaded agent results until the console retrieves that data.
  • Agents download and apply any new policy updates that were pushed to the cloud from the console.
  • The console retrieves the agent data from the cloud. This happens several times every hour.

Scan engines and XML data are not a part of the cloud synchronization process. Agents receive updated engines and XML data from either the console or the vendor websites.
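
The check-in sequence above can be modelled as a small store-and-forward simulation. This is an added example, not Shavlik code or the Protect API: the class names, fields and sample values are all hypothetical, and the secure transport is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Cloud:
    """Relay that holds console policy for agents and agent results for the console."""
    policy: dict = field(default_factory=dict)   # latest policy pushed by the console
    pending: list = field(default_factory=list)  # results waiting for console pickup

@dataclass
class Console:
    policy: dict
    results: list = field(default_factory=list)

    def push_policy(self, cloud):
        cloud.policy = dict(self.policy)

    def retrieve(self, cloud):
        """Periodic pull: drain everything agents uploaded since the last pull."""
        self.results.extend(cloud.pending)
        cloud.pending.clear()

@dataclass
class Agent:
    name: str
    on_network: bool = False   # False simulates a machine outside the corporate network
    policy_version: int = 0

    def check_in(self, console, cloud, scan_result):
        report = {"agent": self.name, "result": scan_result}
        if self.on_network:                      # console is tried first
            console.results.append(report)
            self.policy_version = console.policy["version"]
            return "console"
        cloud.pending.append(report)             # otherwise report via the cloud
        if cloud.policy.get("version", 0) > self.policy_version:
            self.policy_version = cloud.policy["version"]  # apply newer policy
        return "cloud"

def demo():
    # Constructed sample data: one off-network laptop, policy version 2.
    cloud, console = Cloud(), Console(policy={"version": 2})
    console.push_policy(cloud)
    agent = Agent("laptop-01")
    path = agent.check_in(console, cloud, "3 patches missing")
    seen_before_pull = len(console.results)      # console has not pulled yet
    console.retrieve(cloud)
    return path, seen_before_pull, agent.policy_version, console.results, cloud.pending
```

In this model the console sees nothing from an off-network agent until its next retrieval, so the retrieval interval bounds how stale the console's view of remote machines can be.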

Agent Check In Via the Cloud

Check out the video, “Introduction to Protect Cloud” at, to learn more about how the Protect Cloud works and how to configure agents to use the cloud service.


How can I get this?

This capability was introduced in Shavlik Protect 9.0 as part of the Standard, Advanced, and Government editions. All customers running 9.0 have access to it, and those who are on earlier versions of Protect can upgrade to 9.0 at no cost. Learn more about upgrading Protect here.


Protect Console Migration Tool Early Access

We have been developing a tool to ease the burden of moving a Shavlik Protect Console from one system to another.  It could be done with some manual effort (moving certificates, swapping out the name of the system so agents would just start talking to the new one once you had moved everything), but it was a pain.  With the performance benefits of 64-bit and the EOL of Windows XP (Apr 2014) and Server 2003