Any Patch, Anywhere

Shavlik Protect provides everything your organization needs for an effective patch management strategy, including OS, virtualization, and third-party application patching.



Patch easily across all environments


Patch Effortlessly
Increase Security
Reduce IT Costs

Patch easily across all environments

“It’s easy for Shavlik to scan and let us know what’s patched and what’s not, and if it’s critical or not.”  

- Randy Bowman, Network Analyst II, Presbyterian Church USA


Patch data center, workstation, and virtual environments with OS and third-party software updates from a single easy-to-use solution.

1. Support the OS as well as hundreds of third-party applications - The easy-to-use Shavlik Protect console detects and inventories all the machines in your environment to manage and deploy hundreds of patches from the top vendors and most vulnerable applications.

2. Patch both the data center and workstation from a single solution - Discover both physical and virtual servers in the data center as well as client workstations from the same solution. Shavlik Protect offers flexible agent or agentless options.

3. Powerful virtualization patching –Patch online and offline virtual machines. With integration into VMware, Shavlik Protect discovers all virtual instances automatically to ensure no virtual machine is deployed without the latest patches. In addition, it supports virtualization templates and snapshots and even patches to the hypervisor.

4. Flexible agent/agentless options - Use agentless for lightweight server footprint to sustain high levels of performance. For systems difficult to reach, Shavlik Protect offers a Cloud-enabled agent.

Decrease risk; boost security and compliance

Automate the entire patching process, identify all the systems on the network, and deploy updates to the most vulnerable applications to ensure the security and compliance of your environment.

1. Cover the software that is attacked the most – 86% of reported vulnerabilities come from third-party applications (National Vulnerability Database). Shavlik Protect patches the OS and third-party applications in one solution.

2. Flexible and robust discovery and patch scanning to reduce vulnerabilities - To be compliant you must first know what you have. Shavlik Protect has many flexible features to find connected systems and scan for missing patches throughout the organization.

3. Gain in-depth information about the risks in your environment - Reporting options let you view dashboards and reports to see the most vulnerable systems or get an overall view of the environment. Share patch status with other groups and executives and verify patch compliance quickly.

Simplify and automate patch management to save time, effort, and cost

Free up IT’s time to concentrate on initiatives that drive the business.

1. Time-to-value in less than 30 minutes – Set up Shavlik Protect in 10 minutes and configure in less than 20 minutes. Start managing and deploying patches in less than 30 minutes.

2. Simple and intuitive interface – Shavlik Protect gives IT control over the entire patching process with reporting, compliance, OS, and third-party patch management from a single pane of glass.

3. Accelerate patching from months to minutes - Completely automate patching to decrease delivery time of critical updates dramatically. Shavlik Protect supports hundreds of vendors, significantly reducing time to manage patches in your environment.

4. Automated patch management – Gain granular, accurate control of the environment. Continuously scan and deploy all available patches to your environment with flexible scheduling and customization.


What’s New in Shavlik Protect 9.1

  • Localization support for 10 languages: Shavlik Protect has been localized to the standard LANDESK languages: German, French, Spanish, Italian, Russian, Portuguese (Brazil), Japanese, Chinese (Traditional), Chinese (Simplified), Korean.
  • Report Views for customized reporting: Shavlik Protect now has several views in the database with documentation describing the tables and relationships and including example queries. The views have everything needed to let SQL-savvy customers create their own reports in reporting solutions outside of Protect.
  • Support IPv6: Shavlik Protect now supports the next generation of Internet devices with IPv6 network configurations. As companies transition from IPv4 to IPv6, Protect will support their needs.

Comprehensive Patch Management

  • Deployment OS and third-party patches from a single interface – Patch vulnerable applications from vendors such as Apple (iTunes), Oracle (Java), Firefox, Google (Chrome), and many others. List of supported applications  
  • Agentless or agent patch deployment – Use agentless patching in the data center to keep physical and virtual machines efficient. Employ agents to manage end users’ machines without concern for availability. Cloud-enable your agents to manage machines off-network or laptops that frequently leave the network.
  • Automated patch deployment: By enabling the Auto Deploy option, you can define a policy for assessment and allow Protect to update any missing patches automatically, reducing time and effort to manage machines.
  • Support for custom patches: Shavlik Protect lets you patch virtually any Windows application on your network. With the Custom Patch feature you can extend that coverage to private-release patches, custom products, and home-grown applications.
  • Precise reboot options: Shavlik enables administrators to specify detailed, granular reboot instructions that allow for system restarting at specific times. Remediation and reboots can be scheduled separately. End users can be provided with a number of options to delay reboot so they can complete their work and the reboot can still be enforced, ensuring patches requiring reboot are completed.

Ease of Use

  • Simple patch management: Start managing your physical and virtual assets, software, and patches from a single pane of glass.
  • Comprehensive reporting: Benefit from more than 20 built-in reports ranging from Executive Dashboard to Patch Status Detail. Reports detail everything from Seat License Count to Patch Status to Threat Summary and detail information. Advanced filtering allows you to obtain a very granular view all the way down to specific machines or specific patches. Reports can be exported in five different formats. Email reports or notifications automatically by defining the email recipients in scan template, deployment template, or machine group.
  • Report views for customized reporting: Shavlik Protect now has several views in the database with documentation describing the tables and relationships and including example queries. The Views have everything needed to let SQL-savvy customers create their own reports in reporting solutions outside of Protect.
  • Shavlik Agent: Shavlik Agent is an agent service. The agents configured by Shavlik Agent are distributed agents, meaning they are installed on physically distinct machines and can initiate specific actions independently. They are configured via the Shavlik Protect interface and then installed on the desired machines either by executing a menu command from the Shavlik Protect console or by installing them manually off a CD or flash drive. With Shavlik Agent you can create as many different agent policies as necessary to manage your network, providing a great deal of flexibility. You can assign different agent configurations to different machines in your organization. When installed on a machine and depending on how they are configured, a Shavlik agent can:
    • Scan for and deploy missing patches
    • Scan for and remediate viruses, worms, Trojans, and rootkits
    • Report the results to the local console
  • Cloud Agents: Register your Protect console with the Shavlik ProtectCloud service to extend management for Agents beyond the network boundaries in less than five minutes without opening ports on your network firewall.
  • ITScripts: Execute some of the most common IT functions to better secure your environment or to obtain additional inventory information with ITScripts. These include maintenance, configuration, inventory, support, and network scripts.

VMware Support

  • Online and offline virtual machine patching: Shavlik Protect enables you to scan and patch offline virtual machines. Offline virtual machines are those that aren’t powered on when a patch scan is performed. These virtual machines may be used for development purposes or as failover machines for disaster recovery purposes. It’s important to ensure that these systems are patched so that when they are brought online they don’t place your network at risk.
  • Template patching: Patch virtual machine templates before they come online. Every machine created from a template will go into production fully patched.
  • Snapshot support for superior rollback: For virtual machines hosted in the VMware infrastructure you can perform pre and\or post deployment snapshots to create an easy restore point to roll back if something were to go wrong while patching.
  • vCenter support: Find all virtual instances by simply connecting to the vCenter instances to enumerate every virtual instance in your organization. This minimizes the effect of virtual sprawl and keeps all virtual machines patched.
  • ESXi Hypervisor patching: Shavlik Protect can manage updates for ESXi Hypervisors (ESXi hosts) ensuring the infrastructure is as secure as the Virtual Machines running in it. Shavlik Protect also supports patching for Windows Hyper-V servers and Citrix Zenapp, ZenDesktop, and Presentation Server instances.

Flexible Infrastructure

  • Role-based administration: You can assign different roles to different users of Shavlik Protect. This enables you to make the program available to a wide variety of people within your organization while maintaining control over its use. The role assigned to a user determines what that particular user can do.
  • Support for multiple configurations:
    • Configure management of machines without an agent to reduce footprint on severs
    • Deploy agents to manage client machines
    • Enable Cloud agents to extend outside the network without opening ports on network firewalls or exposing a machine in the DMZ
    • Configure distribution servers to reduce WAN traffic
    • Configure additional management consoles to distribute workloads and separate duties
    • Central reporting across the enterprise with Data Rollup.

Protect Add-on Features

  • Antivirus Add-on Feature: For a fraction of your current antivirus protection investment you can realize complete protection against the top security threats—operating system patching, application-level patching, virtual machine patching, and AV. Shavlik Protect integrates the ThreatTrack Security VIPRE Antivirus + Antispyware engine within the Shavlik Agent. You save time by managing AV from the same familiar Protect console and eliminate headaches by reducing the number of agents on your desktops and laptops.
  • Power Management Add-on Feature: In the U.S. alone, more than $2.8 billion in PC power is wasted annually by not shutting down or reducing the power state of these machines when not in use. However, you must ensure that sleeping computers receive the needed software updates (patches). Protect Plus Power Management centralizes control from the familiar Protect console to power machines off in the evenings and on weekends—and to wake them up to deploy critical security patches. Additional ITScripts are included to remotely manage, configure, and report on the environment. You can use ITScripts out of the box, edit and configure them, or create your own custom scripts.
  • More information


Within a few minutes you can register your Protect console in the ProtectCloud service to extend management of agents off-premise, providing a complete coverage for laptop users who spend a lot of time outside your network.

Shavlik Protect monitors update execution near real time. You can see status updates as patches execute on a machine, including failures with return codes and feedback on patches that require reboots to finalize.

With Protect you can easily connect to and manage updates on your VMware ESXi Hypervisors. Here you can see a vCenter server, the details about the vCenter servers, the details about each hypervisor, and the updates detected on each hypervisor.

Shavlik Protect has been localized into several languages, including German and Japanese. From the console to dialogs on the end user machine, we support localization into the native OS language.

Protect allows you to manage Microsoft and third-party updates from a single management console. Here we see a scan of a Windows 2012 Server that is missing several Microsoft patches, an update for VMware Tools, and Firefox.

Protect provides a gallery of rich reports out-of-the-box that ease reporting and address many audiences from management to auditors. With the Reports Views you can create custom reports or integrate with other reporting solutions to extend your reporting beyond the canned reports.


Shavlik Protect 9.1



  • An NTFS file system is required on the console machine.
  • If you install the console on a domain controller that uses LDAP certificate authentication, you may need to configure the server to avoid conflict issues between the SSL certificate and the Shavlik Protect program certificate. There is no easy way to configure this on a Windows Server 2003-based domain controller and this combination is not recommended for use as a console.
  • If you install the console on two or more machines that share a database, all of the console machines must have unique security identifiers (SIDs) in order to prevent user credential problems. Machines are likely to have the same SIDs if you make a copy of a virtual machine or if you ghost a machine.


  • Minimum: 2 processor cores 2 GHz or faster
  • Recommended: 4 processor cores 2 GHz or faster (for 250 – 1,000 seat license)
  • High performance: 8 processor cores 2 GHz or faster (for 1,000+ seat license)


  • Minimum: 2 GB of RAM
  • Recommended: 4 GB of RAM (for 250 – 1,000 seat license)
  • High performance: 8 GB of RAM (for 1,000+ seat license)


  • 1024 x 768 screen resolution or higher (1280 x 1024 recommended)

Disk Space:

  • 100 MB for application
  • 2 GB or more for patch repository

Operating System (one of the following):

Note: Shavlik Protect supports 64-bit versions of the listed operating systems. Please note that 32-bit versions are not supported for the console.
  • Windows Server 2012 Family R2, excluding Server Core
  • Windows Server 2012 Family, excluding Server Core
  • Windows Server 2008 Family R2 SP1 or later, excluding Server Core
  • Windows 8.1 or later, excluding Windows RT
  • Windows 7 SP1 or later, Professional, Enterprise, or Ultimate Edition


  • Use of a Microsoft SQL Server database [SQL Server 2005 (Full or Express Edition) or later]. If you do not have access to a SQL Server database, the option to install either SQL Server 2012 Express Edition SP1 will be provided during the prerequisite software installation process.
  • Size: 1.5 GB

Prerequisite Software:

  • Use of Microsoft SQL Server 2005 (Full or Express Edition) or later
  • Microsoft .NET Framework 4.5.1 or later
  • Windows Management Framework 4.0 (contains Windows PowerShell 4.0, which is required for the ITScripts feature)

Windows Account Requirements:

  • In order to access the full capabilities of Shavlik Protect, you must run under an account with administrator privileges

Configuration Requirements:

  • When performing an asset scan of the console machine, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine

Clients (agentless)

Operating Systems (any of the following): Note: Windows 2000 machines must contain Internet Explorer 7.0 or later in order to receive patch deployments.

  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server
  • Windows 2000 Small Business Server
  • Windows XP Professional
  • Windows XP Tablet PC Edition
  • Windows XP Embedded
  • Windows Server 2003, Enterprise Edition
  • Windows Server 2003, Standard Edition
  • Windows Server 2003, Web Edition
  • Windows Server 2003 for Small Business Server
  • Windows Server 2003, Datacenter Edition
  • Windows Vista, Business Edition
  • Windows Vista, Enterprise Edition
  • Windows Vista, Ultimate Edition
  • Windows 7, Professional Edition
  • Windows 7, Enterprise Edition
  • Windows 7, Ultimate Edition
  • Windows Server 2008, Standard
  • Windows Server 2008, Enterprise
  • Windows Server 2008, Datacenter
  • Windows Server 2008, Standard - Core
  • Windows Server 2008, Enterprise - Core
  • Windows Server 2008, Datacenter – Core
  • Windows Server 2008 R2, Standard
  • Windows Server 2008 R2, Enterprise
  • Windows Server 2008 R2, Datacenter
  • Windows Server 2008 R2, Standard - Core
  • Windows Server 2008 R2, Enterprise - Core
  • Windows Server 2008 R2, Datacenter – Core
  • Windows 8
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows 8.1
  • Windows 8.1 Enterprise
  • Windows Server 2012, Foundation Edition
  • Windows Server 2012, Essentials Edition
  • Windows Server 2012, Standard Edition
  • Windows Server 2012, Datacenter Edition
  • Windows Server 2012 R2, Essentials Edition
  • Windows Server 2012 R2, Standard Edition
  • Windows Server 2012 R2, Datacenter Edition

Virtual Machines (offline virtual images created by any of the following):

  • VMware ESXi 4.1 or later (VMware Tools is required on the VMs)
  • VMware vCenter (formally VMware VirtualCenter) 4.1 or later (VMware Tools is required on the VMs)
  • VMware Workstation 9.0 or later
  • VMware Player

Configuration Requirements

  • Remote Registry service must be running
  • Simple File Sharing must be turned off
  • Server service must be running
  • NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible
  • When deploying patches on Windows Vista or later operating systems, the Windows Update service Startup type must be set to Manual or Automatic
  • Remote Desktop connections must be allowed in order for the console to make an RDP connection with a target machine
  • When performing an asset scan, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine (TCP port 135)

Products Supported (for patch program):

See http://www.shavlik.com/support/supported-products-protect/ for the current list

Disk Space (for patch program):

Free space equal to five times the size of the patches being deployed

Supported Languages (for patch program):

Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Thai, Turkish

Clients Running Shavlik Protect Agent

Note: An NTFS file system is required on agent machines. Processor:

  • 500 MHz or faster CPU


  • Minimum: 256 meg RAM
  • Recommended: 512 meg RAM or higher

Disk Space:

  • 30 MB for Shavlik Protect Agent client
  • 500 MB or more for patch repository

Operating Systems (any of the following except home editions):

  • Windows XP SP2 or later
  • Windows Vista Family
  • Windows 7 Family
  • Windows 8 Family, excluding Windows RT
  • Windows Server 2003 Family
  • Windows Server 2008 Family
  • Windows Server 2008 Family R2
  • Windows Server 2012 Family
  • Windows Server 2012 Family R2

Prerequisite Software

  • MSXML 3.0 or later

Configuration Requirements

  • Workstation service must be running

Port Requirements

These are the default port requirements. The port numbers are configurable.

  Inbound Ports (Basic NAT Firewall)
  TCP 80   TCP 135   TCP 137-139 OR TCP 445 (Windows file sharing / directory services) TCP 443   TCP 3121   TCP 3122   TCP 4155   TCP 5120   TCP 5985  
Client System     X (for asset scans) X       X (for listening agents) X X (for WinRM protocol)
Console System           X X      
Distribution Server   X   X X          
  Outbound Ports (Highly Restricted Network Environment)
  TCP 80   TCP 137-139 OR TCP 445 (Windows file sharing / directory services) TCP 443   TCP 3121   TCP 5120   UDP 9  
Client System   X (for Agents) X X (for Cloud Agents) X (for Agents and Deployment Tracker)    
Console System   X X X (for Cloud Sync)   X X (for WoL & error reporting)
Distribution Server              


Shavlik Protect Documentation

White Paper: ESG Labs on Shavlik Protect

Organizations continue to struggle with patch management for physical and virtual machines within their networks. ESG Lab validated that Shavlik Protect simplified the patching of systems by providing a centralized patch management, asset inventory, and legacy physical system integrated solution.

Shavlik Protect Datasheet | Download  
Shavlik Protect Add-on Feature Datasheet | Download  
Shavlik Protect Quick Start Guide | Download  
Shavlik Protect Installation Guide | Download  
Shavlik Protect Administration Guide | Download  

Additional Shavlik Protect documentation

Webinars & Training Videos


Take the Worry Out of Patch Management
View this webinar to discover how Shavlik Protect 9.1 saves organizations time and money. By automating and verifying the entire process, Shavlik takes the worry out of patch management.


What’s New in Shavlik Protect 9.1
Join us for this webinar as Chris Goettl takes you through the upgrade to Shavlik Protect 9.1. Get the details on what to watch out for on upgrade and walk through the latest features of Shavlik Protect 9.1.


Shavlik Protect Preview
Get a preview of the capabilities of Shavlik Protect, including patch management, threat management, and power management features.


Shavlik Protect Scan and Deploy Patches
Use Shavlik Protect to scan systems and deploy patches in an easy-to-use interface.

Additional Shavlik Protect training videos

What's New

The Communicator’s Corner: Add to Your Holiday Cheer with ITScripts
Earlier this month, Anne Steiner wrote a short series of blog articles call...

December Patch Day Round-Up
Although it was not as large as the November Patch Tuesday, December’...

Shavlik in the news- December Patch Tuesday
Compared to last month’s Patch Tuesday (the biggest this year) this month’s...