What Does Shavlik Patch Mean to Existing SCUPdates Customers?

Earlier this week, Shavlik announced the release of Shavlik Patch for Microsoft System Center. As an existing SCUPdates user, this likely left you with a number of questions. Let’s talk about them.


Q: We are using SCUPdates with SCCM 2007. What does this mean to us?

A: Nothing changes for you. You still have all the goodness of SCUPdates just with a shiny new name. If your organization is evaluating moving up to SCCM 2012, read on to see what the future holds.


Q: We are using SCUPdates with SCCM 2012. What does this mean to us?

A: A lot! You read earlier this week about the add-in, its tight integration with SCCM, and how easy it is to install and configure.  Hopefully, you attended our webinar yesterday and saw it in action. If not, check out the following.

  • Learn more about Shavlik Patch here.
  • View quick videos about how to install and configure Shavlik Patch here.
  • Download a free trial of Shavlik Patch here.
  • View user documentation for Shavlik Patch here.


Q: Lovely marketing material…tell me something technical.

A: Special logic has been added within the add-in for patching difficult to handle applications like Java. In the case of Java, you might find that updates often fail because Java doesn’t uninstall correctly when it is running. The Shavlik Patch add-in will

  • Uninstall Java
  • Detect if it was uninstalled incorrectly
  • Schedule the install on reboot if needed
  • Inform the SCCM Agent if a reboot is required

The Shavlik Patch add-in will also handle Apple updates that are bundled in with the QuickTime and iTunes patches such as Apple Mobile Device Support and Apple Application Support.


Q: If I am on SCCM 2012, do I have to switch over to the add-in?

A: No. We think you will want to, but you do not have to. Customers can choose to use the add-in configuration, the catalog file configuration, or even both if that makes sense in your environment. Your choice of configuration does not affect your licensing.


Q: Do we have to pay more to get the new SCCM add-in?

A: Nope, as a current SCUPdates customer, you are entitled to the add-in or the catalog file configuration. You may download the add-in at http://www.shavlik.com/downloads/patch/ and begin using it immediately.


Q: I’ve had this product for a few years and haven’t seen you guys do much of anything with it. Is this release a signal of increased investment by your technology team?

A: Absolutely! Yes, we haven’t had a release in some time, but we have been listening to you. Here’s some things you have been asking for that are addressed with the add-in.

  • Automatically download the catalog files
  • Handle Java better
  • Automate publishing to WSUS

Here’s some other things you have been asking for that are on our roadmap for upcoming releases.

  • Disable auto updaters
  • Expanded product support
  • Support for supercedence

The Next Generation of SCUPdates, Shavlik Patch for Microsoft System Center, Is Here

Shavlik is happy to announce the release of Shavlik Patch for Microsoft System Center. This follow-on to Shavlik SCUPdates provides third-party patching within Microsoft System Center Configuration Manager (SCCM) and does it in such a manner that third-party patching has never been easier.


What’s cool in Shavlik Patch?

If you are using SCCM 2012 (or later versions)…

  • Ability to patch more than 100 popular applications completely within Configuration Manager
  • An integrated add-in for the Configuration Manager console that no longer requires the use of System Center Updates Publisher (SCUP)
  • Automatically check for and download patch data from Shavlik
  • Publish new patches through SCCM manually or automatically
  • Smart handling of difficult to install patches like Java

If you are using SCCM 2007…

  • Continue to enjoy the goodness of SCUPdates just with a new name


Want to see it in action?

Join Shavlik Chief Marketing Officer Steve Morton, Systems Engineer John Rush, and I as we discuss the details of the new release and show you how Shavlik Patch will revolutionize the way you perform third-party patching within Configuration Manager.

Introducing the New Shavlik Patch for Microsoft System Center
Wednesday, February 12, 2014 10:00 a.m. CST
Register Now


Download it now and see for yourself

  • Learn more about Shavlik Patch here.
  • View quick videos about how to install and configure Shavlik Patch here.
  • Download a free trial of Shavlik Patch here.
  • View user documentation for Shavlik Patch here.

See you all at the webinar on Wednesday and check back later this week for an additional post providing more info on what this release means to existing SCUPdates customers.

February Patch Tuesday Advanced Notification

Microsoft has announced this month’s Patch Tuesday release.  There are 5 total patches expected to be released on Tuesday, February 11th. Here is the breakdown for this month:

Security Bulletins:

  • Two bulletins are rated as Critical.
  • Three bulletins are rated as Important.

Vulnerability Impact:

  • Two bulletins address vulnerabilities that could allow Remote Code Execution.
  • One bulletin addresses a vulnerability that could allow Elevation of Privileges.
  • One bulletin addresses a vulnerability which could lead to a Denial of Service.
  • One bulletin addresses a vulnerability which could lead to Information Disclosure.

Affected Products:

  • All supported Windows operating systems
  • Microsoft Forefront Protection 2010 for Exchange Server
  • .Net Framework

Join us as we review the Microsoft and third-party releases for February Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, February 12th at 11 a.m. CST.  We will also discuss other product and patch releases since the January Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Virtualization and Security: A Beginner’s Guide Part 1

As of 2013 over 90% of Enterprises had virtualized more than half of their server workloads.  By the middle of 2013 surveys of SMBs reflected an expected 80% or more having started or being well into their virtualization efforts.  The move from on-premise to hosted virtual environments has steadily increased as well.  So with all of this consolidation what are the risks?  Think about all of the security measures and policies you put in place in a physical environment.  Consider the separation of duties, separation of workloads and resources, configuration and patching policies that were put in place.  Now, consider how your virtualization strategy has changed your environment and if the measures you put in place still stand up, now, that your workloads run on the same physical resource.  Are the administrators of the virtual environment part of your core team? Or spun out on their own and not required to adhere to the same guidelines as the rest of the team?

A few years back Gartner outlined six security risks to look out for and how to combat them.  They also forecasted that the majority of virtual environments would be less secure than the physical servers they replaced.  In addition, they  forecasted that by 2015 this should fall to a minority. But as we enter 2014,  from what we’ve seen there is still room for improvement. I am not going to try and tackle all six risks in this post, but let’s focus in on a couple of them and the added risk enterprises bring to their environment by virtualizing.

Among the risks described, Gartner recommends ensuring that the same security policies and tools apply to the physical and virtual environments, especially to the new layer introduced by a virtual infrastructure –  the hypervisor and Virtual Machine Monitor (VMM).

  • Ensuring the administrators of the hypervisorVMM layer are assessing and communicating security risks to the business.
  • Ensuring monitoring, patching, configuration tools all can support the virtual infrastructure as well as the physical infrastructure.
  • Ensuring that vulnerabilities with known resolutions are being remediated in a timely manner.

Here are some things you can do to reduce some of these risks with Shavlik Protect today:

1. Take control of the VM sprawl.  The first and more important thing you can do to minimize your risk is to understand what you have.  Think about how many users in your company have rights to create new VMs.  Even if you have restricted that heavily, think of the one off cases where someone begged you or someone on the team to create them a VM just for a short period of time and they will let you know when to remove it.  Many companies find that in that mess of VMs there are stragglers who are not being managed by the tools that are meant to inventory and secure them.  For vSphere users there is an easy solution.  In Protect go to +New > Add vCenter Server/ESXi Hypervisor and fill out the dialog just as you would the vSphere client login.


This will allow us to connect to and enumerate all hypervisors and VMs in your vSphere environment in just a couple of minutes.  Assess all of those agentlessly to determine how much exposure you have.  FYI Templates and Offline VMs will be assessed as well without having to power them on.


2. Assess and remediate vulnerabilities at the hypervisor level.    Shavlik Protect can scan and remediate updates on VMware vSphere ESXi Hypervisors, Microsoft Hyper-V, and Citrix XenApp, XenDesktop, and Presentation Server.  Many of these updates are plugging vulnerabilities on the hypervisor OS and also in components that service the VMM level, which is all software driven between the host and the endpoint.  Often the administrator of the virtual infrastructure is not part of, or indirectly reports, to the team responsible for patching.  Make it a goal to ensure they are under the same umbrella and securing the foundation of your virtual infrastructure.  For Hyper-V and Citrix, these installs are a Windows OS or an application on a Windows OS.  Your normal agentless or agent scan and deploy will cover those.  For VMware we are able to assess directly through the vCenter server.

  • Once you have connected to your vCenter server you can go to the Virtual Inventory on the left nav drop down.
  • Click on your vSphere server and it will bring up all of your hypervisors.
  • Select all of your Hypervisors and click Scan.  Check to be sure you meet the pre-reqs to do an ESXi hypervisor scan here.
  • Click on the Bulletins tab once the scan operations are complete and you can select and deploy the updates just like any windows machine.  Protect will prompt you to determine how you want handle the maintenance mode, DRS triggering, and required power state changes to be able to perform the updates.


Check out this example of what you can configure on deployment.   For both assessment and remediation it is interesting to watch the vSphere client as Protect executes.  You see each step as we call into the VDDK (vSphere APIs) to request each action.  It is pretty cool to watch.







Check back for Virtualization and Security: A Beginner’s Guide Part 2 where we will talk about assessing and remediating Templates and Offline VMs in a vCenter environment, snapshotting prior to patch deployment, and updating of VMware Tools.  Also, if you are going to the VMware Partner Exchange next week swing by the Shavlik booth and say ‘Hi!’ to the team…