Overview
This article provides an overview of all WSUS scripts in JetPatch, including discovery source scripts, update retrieval scripts, and approval synchronization scripts.
These scripts handle patch management operations between JetPatch and Microsoft WSUS servers.
These WSUS scripts are used for:
- Remediation Plan setup - Approving patches in WSUS
- WSUS discovery Source - Pulling information from the WSUS
Before we start:
All changes in WSUS scripts are made in the intigua.properties file.
To edit configurations, SSH JetPatch Application server and edit the intigua.properties file:(usr/share/tomcat/default/conf/intigua.properties)
WSUS Discovery Source Scripts
The scripts run when the following activities take place:
- Initial configuration of WSUS discovery source
- Tomcat Restart (only if a WSUS DS is already configured)
- Enabling the WSUS discovery source, in case it was disabled
- Idle - Configurable time in JetPatch properties.
Two scripts run as part of the WSUS discovery source
- WSUS gets groups and computers in a group
- WSUS gets update summaries per computer
General Configuration
Watchdog for WSUS discovery source and WSUS Get Updates scripts
|
# defaultpg.wsus.fail-unfinished-tasks-timeout.min=180 # defaultautomation.task.watchdog.job.enabled=true |
WSUS Get Groups and Computers in Group
Description:
Retrieve relevant data on computer groups and computers within WSUS
Configuration:
Define Specific target groups
To retrieve data only on selected groups from WSUS, you will need to set the following property. Regardless of this configuration, all groups will still show in the JetPatch Groups window, but the data will be retrieved only on the selected groups (by default, it will pull the data from all WSUS groups):
|
# Filter WSUS get groups and computers in groups to specific WSUS group namespg.wsus.target-groups=onegroup,anothergroup |
WSUS Get Update Summaries Per Computer
Description:
Collect the status of applicable patches for every server that is connected to the WSUS server. This is useful to know the current patch status.
Configuration:
General Idle Configuration:
|
# If the previous run was successful for WSUS Get Groups and Update Summaries Scriptsdiscovery source.WSUS.success.sleep-time.min=20 # If the previous run had failed for WSUS Get Groups and Update Summaries Scripts scriptdiscovery source.WSUS.error.sleep-time.min=10 # Delay for the WSUS DS scripts sequence (defaulse is -1) # Configuration affects only WSUS idle runs. Tasks that were derived by disable/enable or new WSUS DS will skip the delaydiscoverysource.WSUS.persisted.initial.delay.sec=-1 # Configure watchdog monitoring timeout (default is 90) discovery-source.watchdog.restart.after.minutes=90 |
Locking Patch Status after Deployment/Removal
Description:
In some situations, the patch status in WSUS will take some time to change after a successful installation/removal of a patch.
JetPatch knows how to handle this situation by locking the patch status after a successful installation/removal of a patch, so if a wrong status comes from WSUS, it won't be considered.
Configurations:
| pg.wsus.update-lock.expiration.min=240 |
Other WSUS Scripts
WSUS get Updates
Description:
Pulling the WSUS Updates Information. This script can execute in two different scenarios:
- Retrieve all updates.
- Retrieve only the new updates from the last run.
Enable Retrieving Patches from WSUS
|
#Enable / Disable WSUS patch fetching (default value=true): pg.wsus.update.enabled=true |
Delay the JetPatch operation for pulling Patches from WSUS after restarting Tomcat
|
# Delay WSUS get updates after restarting tomcatpg.wsus.update.job.initial.delay.sec=300 |
Defining the interval for pulling new patches
Fetches new patches that were added to WSUS and are not in the JetPatch patch inventory yet. This more frequent script only adds new patches; it does not remove any old ones.
|
# Configure the 'WSUS get Updates' Script intervalpg.wsus.update.job.interval.sec=64800 |
Defining the interval for pulling whole patches
Replicates all patches in WSUS and then removes any patches from JetPatch that are not a part of WSUS at that time.
| # Patches that are in JetPatch inventory and didn't return in the full scan will be deletedpg.wsus.update.full-scan-delay-hours=168 |
Number of Patches to pull in an activity
| # Configure the maximum number of returned patches for every 'WSUS get updates' Run (default is 5k) pg.wsus.update.num-to-fetch=5000 |
Relevant Patches to pull based on the patch classification:
If your WSUS contains many patches and unwanted classifications (categories), you can specify which classification JetPatch will pull.
| # comma-separated list of all the patches classifications that jetpatch will pull (default is empty = all classifications)pg.wsus.target-patch-categories= |
Example: By adding the following property to intigua.properties, JetPatch will pull only three classifications: "Critical Updates", "Definitions Updates", and "Security Updates"
| pg.wsus.target-patch-categories=Critical Updates,Definitions Updates,Security Updates |
Possible Values:
- Critical Updates
- Definitions Updates
- Drivers
- Feature Packs
- Security Updates
- Service Packs
- Tools
- Update Rollups
- Updates
- Upgrades
| Note: Empty list means to pull all patches (this is the default) |
Sync Approval Status with WSUS
Description:
After a remediation plan is activated, sync is made to WSUS in order to change the approval status for the relevant patches on the relevant groups.
No configuration is needed
Triggering WSUS Scripts from JetPatch
JetPatch needs to trigger the WSUS script to parse the results and populate them in the JetPatch data.
To force JetPatch to run the WSUS tasks, check How do I automatically trigger system tasks
Comments
0 comments
Please sign in to leave a comment.