This article provides an overview of all WSUS scripts in JetPatch.
These WSUS scripts are used for:
- Remediation Plan setup - Approving patches in WSUS
- WSUS discovery Source - Pulling information from the WSUS
Before we start:
All changes in WSUS scrips are made in intigua.properties file.
To edit configurations ssh JetPatch Application server and edit the intigua.properties file:(usr/share/tomcat/default/conf/intigua.properties)
WSUS Discovery Source Scripts
The scripts run when the following activities take place:
- Initial configuration of WSUS discovery source
- Tomcat Restart (only if a WSUS DS is already configured)
- Enabling WSUS discovery source, in case it was disabled
- Idle - Configurable time in JetPatch properties.
There are two scripts that run as part of the WSUS discovery source
- WSUS get groups and computers in a group
- WSUS get update summaries per computer
General Configuration
Watchdog for WSUS discovery source and WSUS Get Updates scripts
pg.wsus.fail-unfinished-tasks-timeout.min=180 # default
automation.task.watchdog.job.enabled=true # default
WSUS Get Groups and Computers in Group
Description:
Retrieve relevant data on computer groups and computers within WSUS
Configuration:
Define Specific target groups
In order to retrieve data only on selected groups from WSUS, you will need to set the following property. Regardless of this configuration all groups will still show in JetPatch Groups window, but the data will be retrieved only on the selected groups (by default it will pull the data from all WSUS groups):
# Filter WSUS get groups and computers in groups to specific WSUS group names
pg.wsus.target-groups=onegroup,anothergroup
WSUS Get Update Summaries Per Computer
Description:
Collect the status of applicable patches, for every server that is connected to the WSUS server. This is useful to know the current patch status.
Configuration:
General Idle Configuration:
# If the previous run was successful for WSUS Get Groups and Update Summaries Scripts
discovery-source.WSUS.success.sleep-time.min=20
# If the previous run had failed for WSUS Get Groups and Update Summaries Scripts script
discovery-source.WSUS.error.sleep-time.min=10
# Delay for the WSUS DS scripts sequence (defaulse is -1)
# Configuration affects only WSUS idle runs. Tasks that were derived by disable/enable or new WSUS DS will skip the delay
discovery-source.WSUS.persisted.initial.delay.sec=-1
# Configure watchdog monitoring timeout (default is 90)
discovery-source.watchdog.restart.after.minutes=90
Locking Patch Status after Deployment/Removal
Description:
In some situations, the patch status in WSUS will take some time to change after a successful installation/removal of a patch.
JetPatch knows how to handle this situation by locking the patch status after a successful installation/removal of a patch, so if a wrong status will come from WSUS - it won't be considered.
Configurations:
pg.wsus.update-lock.expiration.min=240
Other WSUS Scripts
WSUS get Updates
Description:
Pulling the WSUS Updates Information. There script can execute in two different scenarios:
- Retrieve all updates.
- Retrieve only the new updates from the last run.
Configurations:
Enable Retrieving Patches from WSUS
#Enable / Disable WSUS patch fetching (default value=true):
pg.wsus.update.enabled=true
Delay the JetPatch operation for pulling Patches from WSUS after restarting Tomcat
# Delay WSUS get updates after restarting tomcat
pg.wsus.update.job.initial.delay.sec=300
Defining the interval for pulling new patches
Fetches new patches that were added to WSUS, and are not in JetPatch patch inventory yet. This more frequent script only adds new patches, it does not remove any old ones.
# Configure the 'WSUS get Updates' Script interval
pg.wsus.update.job.interval.sec=86400
Defining the interval for pulling whole patches
Replicates all patches in WSUS and then removes any patches from JetPatch that are not apart of WSUS at that time.
# Patches that are in JetPatch inventory and didn't return in the full scan will be deleted
pg.wsus.update.full-scan-delay-hours=168
Number of Patches to pull in an activity
# Configure the maximum number of returned patches for every 'WSUS get updates' Run (default is 5k)
pg.wsus.update.num-to-fetch=5000
Relevant Patches to pull based on the patch classification:
If your WSUS contains many patches and unwanted classifications (categories), you can specify which classification JetPatch will pull.
# comma-separated list of all the patches classifications that jetpatch will pull (default is empty = all classifications)
pg.wsus.target-patch-categories=
Example: By adding the following property to intigua.properties JetPatch will pull only three classifications "Critical Updates", "Definitions Updates", and "Security Updates"
pg.wsus.target-patch-categories=Critical Updates,Definitions Updates,Security Updates
Possible Values:
- Critical Updates
- Definitions Updates
- Drivers
- Feature Packs
- Security Updates
- Service Packs
- Tools
- Update Rollups
- Updates
- Upgrades
Note - Empty list means to pull all patches (this is the default)
Sync Approval Status with WSUS
Description:
After a remediation plan is activated, sync is made to WSUS in order to change the approval status for the relevant patches on the relevant groups.
Configurations:
No configuration is needed
Triggering WSUS Scripts from JetPatch
JetPatch needs to trigger the WSUS script in order to parse the results and populate them in the JetPatch data.
To force JetPatch to run the WSUS tasks, check How do I automatically trigger system tasks
Comments
0 comments
Please sign in to leave a comment.