This article provides an overview of all WSUS scripts in JetPatch.
These WSUS scripts are used for:
- Remediation Plan setup - Approving patches in WSUS
- WSUS discovery Source - Pulling information from the WSUS
Before we start:
All configuration of the WSUS scripts is done in the intigua.properties file.
To change it, SSH to the JetPatch Application server and edit /usr/share/tomcat/default/conf/intigua.properties (the properties take effect on the next script run or Tomcat restart, as described per script below).
WSUS Discovery Source Scripts
The scripts run when the following activities take place:
- Initial configuration of WSUS discovery source
- Tomcat Restart (only if a WSUS DS is already configured)
- Enabling WSUS discovery source, in case it was disabled
- Idle timer - a configurable interval set in the JetPatch properties (see General Idle Configuration below).
There are several scripts that run as part of the WSUS discovery source
- WSUS get groups and computers in a group
- WSUS get update summaries per computer
- WSUS get update summaries per group
Watchdog for the WSUS discovery source and WSUS Get Updates scripts
The watchdog fails WSUS tasks that have not finished within the timeout, so a hung script does not block the next run. Both properties are shown with their default values:
pg.wsus.fail-unfinished-tasks-timeout.min=180 # default (minutes)
automation.task.watchdog.job.enabled=true # default
WSUS Get Groups and Computers in Group
Retrieve relevant data on computer groups and computers within WSUS
Define Specific target groups
To retrieve data only for selected WSUS groups, set the following property. All WSUS groups are still listed in the JetPatch Groups window regardless of this setting; only the data collection is limited to the selected groups. By default the property is empty and data is pulled from all WSUS groups:
# Filter WSUS get groups and computers in groups to specific WSUS group names
WSUS Get Update Summaries Per Computer
Collects the status of every applicable patch for each server that reports to the WSUS server. This is what gives JetPatch the current patch status of each machine.
General Idle Configuration:
# Interval to the next idle run if the previous run of the WSUS Get Groups and Update Summaries scripts succeeded
# Interval to the next idle run if the previous run of the WSUS Get Groups and Update Summaries scripts failed
# Delay before the WSUS DS scripts sequence starts (default is -1, i.e. no delay)
# The delay applies only to WSUS idle runs. Runs triggered by disabling/enabling the discovery source or by adding a new WSUS DS skip it
# Configure watchdog monitoring timeout (default is 90)
Locking Patch Status after Deployment/Removal
In some situations the patch status reported by WSUS takes time to change after a patch has been successfully installed or removed, so for a while WSUS still reports the old status.
JetPatch handles this by locking the patch status after a successful installation or removal. While the lock is in place, a stale status coming from WSUS is ignored rather than overwriting the result JetPatch already knows.
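The following is an added example, not JetPatch's own code, that models the locking behaviour described above so the edge cases are explicit: a stale WSUS report during the lock is discarded, a failed action locks nothing, and once the lock expires WSUS is authoritative again. The status strings, the one-hour lock duration, the early release of the lock when WSUS agrees, and the host/patch names are all assumptions made for the example.

```python
"""Added example, not JetPatch's own code: a minimal model of locking a
patch's status after a successful installation or removal, so that a stale
status reported by WSUS afterwards is not applied. The status strings, the
lock duration and the WSUS reports are constructed for the example."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INSTALLED = "Installed"
NOT_INSTALLED = "Not Installed"


@dataclass
class PatchState:
    status: str
    locked_until: float = 0.0   # seconds since epoch; 0.0 means not locked


@dataclass
class StatusStore:
    lock_seconds: float
    states: Dict[Tuple[str, str], PatchState] = field(default_factory=dict)
    ignored: List[Tuple[str, str, str]] = field(default_factory=list)  # (host, patch, reported)

    def record_action(self, host: str, patch: str, succeeded: bool,
                      removed: bool, now: float) -> None:
        """Called when a JetPatch deployment (or removal) finishes.

        A successful action writes the known outcome and locks it; a failed
        action locks nothing, so the next WSUS report is trusted as-is.
        """
        if not succeeded:
            return
        status = NOT_INSTALLED if removed else INSTALLED
        self.states[(host, patch)] = PatchState(status, now + self.lock_seconds)

    def apply_wsus_report(self, host: str, patch: str, reported: str, now: float) -> str:
        """Apply a status reported by WSUS and return the status JetPatch keeps.

        While the lock is active, a report that disagrees with the locked
        status is recorded in `ignored` and discarded. A report that agrees
        clears the lock early (assumption: WSUS has caught up). After the
        lock expires WSUS is authoritative again, as it was before the action.
        """
        state = self.states.get((host, patch))
        if state is not None and now < state.locked_until:
            if reported != state.status:
                self.ignored.append((host, patch, reported))
                return state.status
            state.locked_until = 0.0
            return state.status
        self.states[(host, patch)] = PatchState(reported)
        return reported


def demo() -> List[str]:
    """Walk through the documented situation on one constructed host/patch pair."""
    store = StatusStore(lock_seconds=3600)
    store.record_action("web01", "upd-1", succeeded=True, removed=False, now=0.0)
    return [
        store.apply_wsus_report("web01", "upd-1", NOT_INSTALLED, now=600.0),   # stale: ignored
        store.apply_wsus_report("web01", "upd-1", INSTALLED, now=1200.0),      # agrees: lock cleared
        store.apply_wsus_report("web01", "upd-1", NOT_INSTALLED, now=1300.0),  # lock gone: applied
    ]


if __name__ == "__main__":
    print(demo())
```

The third report is accepted only because the lock was released when WSUS confirmed the install; with the release-on-agreement rule removed, it would be ignored until the full hour had elapsed. The `ignored` list is worth keeping in a real implementation, since a long run of discarded reports for one host is the signal that WSUS and the endpoint genuinely disagree rather than merely lag.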
WSUS get update summaries per group
Pulls the approval status of each patch from WSUS.
The approval statuses will be shown for each patch in the Patches Catalog, under "Approval Status" column.
#Enable / Disable fetching patches approval (default value=false):
Note - because running this script can degrade performance, it is disabled by default. Enable it only if you need the Approval Status column populated.
Other WSUS Scripts
WSUS get Updates
Pulls the WSUS update information. The script runs in one of two modes:
- Retrieve all updates.
- Retrieve only the new updates from the last run.
Enable Retrieving Patches from WSUS
#Enable / Disable WSUS patch fetching (default value=true):
Delay the JetPatch operation for pulling Patches from WSUS after restarting Tomcat
# Delay WSUS get updates after restarting tomcat
Defining the interval for pulling new patches
Fetches new patches that were added to WSUS and are not yet in the JetPatch patch inventory. This more frequent run only adds new patches; it never removes old ones.
# Configure the 'WSUS get Updates' Script interval
Defining the interval for a full patch pull
Replicates all patches in WSUS and then removes from JetPatch any patches that are no longer part of WSUS at that time.
# Patches that are in JetPatch inventory and didn't return in the full scan will be deleted
Number of Patches to pull in an activity
# Configure the maximum number of patches returned by each 'WSUS get updates' run (default is 5,000)
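As an added example (not JetPatch's own code), the two 'WSUS get Updates' modes above applied to a local inventory: the incremental run adds only updates newer than the last run and never deletes, the full run walks the whole catalogue and prunes entries WSUS no longer returns, and both respect the per-run cap. The cap is made small here so the paging is visible; the update ids, arrival times and the (arrival, id) cursor used for paging are constructed for the example and are not JetPatch's data model.

```python
"""Added example, not JetPatch's own code: the two documented 'WSUS get
Updates' modes applied to a local patch inventory. The incremental run only
adds updates that arrived after the last run and never deletes; the full run
walks the whole WSUS catalogue and deletes inventory entries WSUS no longer
returns. Both page through WSUS with a per-run cap (the article's default is
5,000). The update records and arrival times are constructed for the example."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Cursor = Tuple[int, str]   # (arrival, id): strictly increasing, so paging never skips or repeats
START: Cursor = (-1, "")


@dataclass(frozen=True)
class Update:
    id: str
    arrival: int           # when the update appeared in WSUS (constructed integer clock)

    def key(self) -> Cursor:
        return (self.arrival, self.id)


def fetch_from_wsus(wsus: List[Update], after: Cursor, limit: int) -> List[Update]:
    """Stand-in for the WSUS query: updates newer than `after`, oldest first, at most `limit`."""
    rows = sorted((u for u in wsus if u.key() > after), key=Update.key)
    return rows[:limit]


def incremental_run(inventory: Dict[str, Update], wsus: List[Update],
                    last: Cursor, limit: int = 5000) -> Tuple[Cursor, List[str]]:
    """Add updates newer than `last`; return the new cursor and the ids added.

    If the cap truncates the batch, the cursor stops at the last fetched
    update, so the remainder is picked up on the next run instead of lost.
    """
    batch = fetch_from_wsus(wsus, last, limit)
    added: List[str] = []
    for u in batch:
        if u.id not in inventory:
            inventory[u.id] = u
            added.append(u.id)
    return (batch[-1].key() if batch else last), added


def full_run(inventory: Dict[str, Update], wsus: List[Update],
             limit: int = 5000) -> Tuple[List[str], List[str]]:
    """Replicate the whole catalogue page by page, then delete what did not return."""
    seen, added, cursor = set(), [], START
    while True:
        batch = fetch_from_wsus(wsus, cursor, limit)
        if not batch:
            break
        for u in batch:
            seen.add(u.id)
            if u.id not in inventory:
                inventory[u.id] = u
                added.append(u.id)
        cursor = batch[-1].key()
    removed = sorted(set(inventory) - seen)
    for pid in removed:
        del inventory[pid]
    return added, removed


# Constructed WSUS catalogue: upd-0 was withdrawn, so WSUS no longer returns it.
WSUS = [Update("upd-1", 100), Update("upd-2", 200), Update("upd-3", 300)]


def demo() -> Tuple[List[str], List[str], bool, List[str], List[str], List[str]]:
    inventory = {"upd-0": Update("upd-0", 50), "upd-1": Update("upd-1", 100)}
    cursor, a1 = incremental_run(inventory, WSUS, (100, "upd-1"), limit=1)  # cap hit: only upd-2
    cursor, a2 = incremental_run(inventory, WSUS, cursor, limit=1)          # next run: upd-3
    withdrawn_still_present = "upd-0" in inventory                          # incremental never deletes
    added, removed = full_run(inventory, WSUS, limit=2)                     # full run prunes upd-0
    return a1, a2, withdrawn_still_present, added, removed, sorted(inventory)


if __name__ == "__main__":
    print(demo())
```

The point the two runs illustrate is the one the article makes about scheduling: only the full run can shrink the inventory, so a withdrawn update lingers in JetPatch until the next full pull, however often the incremental run fires.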
Relevant Patches to pull based on the patch classification:
If your WSUS contains many patches and unwanted classifications (categories), you can specify which classification JetPatch will pull.
# comma-separated list of all the patches classifications that jetpatch will pull (default is empty = all classifications)
Example: By adding the following property to intigua.properties JetPatch will pull only three classifications "Critical Updates", "Definitions Updates", and "Security Updates"
pg.wsus.target-patch-categories=Critical Updates,Definitions Updates,Security Updates
The classification names that can be listed in this property are:
- Critical Updates
- Definitions Updates
- Feature Packs
- Security Updates
- Service Packs
- Update Rollups
Note - Empty list means to pull all patches (this is the default)
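An added example (not JetPatch's own code or its real parser) of the semantics that this property and the group filter under "Define Specific target groups" share: the value is a comma-separated list, an empty or absent value means no filtering, and for groups every group is still listed while data is pulled only for the selected ones. The properties text, update records and group membership are constructed; the property name for the group filter is not given on this page, so that selection is passed in directly rather than parsed.

```python
"""Added example, not JetPatch's own code: how the comma-separated filter
properties in intigua.properties are expected to behave for patch
classifications and for WSUS group names. Properties text, group names and
update records below are constructed for the example."""

from typing import Dict, Iterable, List, Set, Tuple


def parse_property_list(properties_text: str, key: str) -> Set[str]:
    """Return the comma-separated values of `key` from a properties-file body.

    A missing key or an empty value both yield an empty set, which the
    article documents as "no filter, pull everything". Comment lines start
    with '#'; each value is trimmed, so 'A, B' and 'A,B' are equivalent.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return {v.strip() for v in value.split(",") if v.strip()}
    return set()


def select_updates(updates: Iterable[Dict[str, str]], wanted: Set[str]) -> List[str]:
    """Ids of updates whose classification is in `wanted`; an empty set keeps all."""
    return [u["id"] for u in updates if not wanted or u["classification"] in wanted]


def group_views(groups: Dict[str, List[str]], wanted: Set[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Model the documented group filter: every WSUS group is still listed
    (first element), but computer data is pulled only for the selected groups
    (second element). An empty `wanted` pulls data for all groups."""
    listed = sorted(groups)
    pulled = {g: members for g, members in groups.items() if not wanted or g in wanted}
    return listed, pulled


# Constructed properties body; the classification line is the article's example.
PROPERTIES = """
# comma-separated list of all the patch classifications that JetPatch will pull
pg.wsus.target-patch-categories=Critical Updates, Definitions Updates, Security Updates
"""

# Constructed update records in the shape the filter needs (id + classification).
UPDATES = [
    {"id": "upd-1", "classification": "Security Updates"},
    {"id": "upd-2", "classification": "Feature Packs"},
    {"id": "upd-3", "classification": "Critical Updates"},
    {"id": "upd-4", "classification": "Service Packs"},
]

# Constructed WSUS groups; the group-filter property name is not given in the
# article, so the selection is passed directly instead of parsed.
GROUPS = {"Prod-Web": ["web01", "web02"], "Prod-DB": ["db01"], "Test": ["t01"]}


def demo() -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    wanted_classes = parse_property_list(PROPERTIES, "pg.wsus.target-patch-categories")
    kept = select_updates(UPDATES, wanted_classes)           # Security and Critical only
    listed, pulled = group_views(GROUPS, {"Prod-Web", "Prod-DB"})
    return kept, listed, pulled


if __name__ == "__main__":
    print(demo())
```

Note the trimming: a value written as "Critical Updates, Security Updates" with a space after the comma must still match; a parser that compares the raw substrings would silently drop the second classification and pull nothing for it, which is the kind of misconfiguration that is easy to miss because the property is otherwise valid.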
Sync Approval Status with WSUS
After a remediation plan is activated, JetPatch syncs with WSUS to change the approval status of the relevant patches for the relevant groups.
No configuration is needed.
Triggering WSUS Scripts from JetPatch
JetPatch has to trigger the WSUS scripts itself so that it can parse their results and populate the JetPatch data.
To force JetPatch to run the WSUS tasks on demand, see the article "How do I automatically trigger system tasks".