The patching checklist is a series of steps you can take to maximize the chance of a successful patching cycle. At this stage, you should have created your remediation plan(s) but not yet activated them.
Note: For a normal patch cycle, these steps should be executed at least a day in advance, so that the remediation plan is also activated a day in advance.
Verify that Endpoint Readiness is Turned On
- Go to Endpoints > Readiness
- Make sure Endpoint Readiness is enabled
- If Endpoint Readiness is enabled, you should see a lot of table data and other information.
- If it is disabled, go into settings, enable it, and save changes.
- Filter on Endpoint Readiness: Not Ready and Unknown
- Desired State: No results like the below screenshot
- If there are issues, review the endpoint readiness troubleshooting article.
- If you are unable to figure out why a certain endpoint is not reporting as ready, run the endpoint readiness script and look at the output (steps)
- Note: If you see a red "X" for all WUA Communication, then there may be an issue with the "WSUS get groups" script. To investigate further, download the manager logs and look at discovery.log.
Run Predictive Patching
- Go to Patches > Remediation Plans
- Find the remediation plan(s) you want to activate as part of the patching cycle and click on the predict icon
- If there are any issues, click on How to Improve and read both the Predictive Patching and Endpoint Exemptions and Warnings articles for information.
- Desired State: 100% predicted patching success rate like the below screenshot
Verify that System Tasks are Running Properly
- Go to Endpoints > Activities
Windows Endpoints
- Filter on Task Type: System
- Search for the name of the WSUS Primary machine
- Filter on the following system tasks and review any "Error" or "Failed" results from the last couple of days
- WSUS get update summaries per computer
- WSUS get groups and computers in a group
- WSUS get updates (if this is failing or latest patches are not pulling, see article)
- Sync approval status with WSUS
- WSUS Group manipulations
- Assign or remove endpoint(s) to/from WSUS group(s)
- Note: If there are WSUS replicas, check for the following additional scripts (requires a working connector with IPv6 disabled on the replica)
- WSUS Synchronize between Primary and Replicas
- WSUS client synchronization with WSUS server
- Note: More information on these WSUS scripts can be found in this article.
Linux and Solaris Endpoints
- Filter on Task Type: System
- Filter on Task: Collect Endpoint Updates
- Filter on Activity Status: Error and Failed
- Under More Filters
- Set Start Date to yesterday
- Set the End Date to today
- If there are any results, please check the exit code, and troubleshoot accordingly.
- Desired State: No results like the below screenshot
Additional Windows-Specific Checks
Go to Platform Configuration and, under Settings, verify the WSUS status. It should always be green.
Go back into JetPatch and make sure the relevant endpoints are in a Ready state in System > Smart Groups > Assignment.
If there is a significant number of WSUS endpoints stuck in the "updating endpoint" or "synchronizing endpoint" state, append the following to the JetPatch URL:
vmanage-server/rest/experimental/wsus-activities/run-sync
Note: It may take some time if this sync generates many queued activities
If there is a small number of WSUS endpoints stuck in the "updating endpoint" or "synchronizing endpoint" state within a specific smart group or set of smart groups, the best approach is to disable "support patching activities" for those groups. This action should trigger the necessary WSUS system tasks. Once the tasks are completed and the endpoints are ready, re-enable "patching activities" for the affected smart groups.
Make sure relevant patching smart groups are also ready and eligible for patching (System > Smart Groups) with "For Patching" enabled.
If the Smart Group status is not Ready, review the smart group statuses article for troubleshooting steps.
Check for potential Windows Update Agent issues (useful if only a small number of machines have issues)
- Go to Endpoints > Management
- Filter on the Windows Endpoint Group(s) you are looking to patch
- Select all rows and select Action > Run Task
- Search for Check for potential Windows Update Agent issues
- Click on Run Task
- Wait a minute
- Go to Endpoints > Activities
- Filter Task: Check for potential Windows Update Agent issues
- Under More Filters
- Set Start Date to yesterday
- Set the End Date to today
- Set Exit Code to All except 0
- If there are any results, you will need to log into each machine and fix any Windows Update Agent Errors
- Desired State: No results like the below screenshot
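For the machines you have to log into, a local triage script narrows down where the Windows Update Agent is failing. The following is an added example, not JetPatch's built-in task and not code from the original article; the checks chosen and the 7-day threshold are assumptions about common WSUS client problems. It exits non-zero when it finds something, matching the "All except 0" exit code filter above.

```powershell
# Added example: local Windows Update Agent (WUA) triage on a WSUS-managed endpoint.
# Run in an elevated PowerShell session on the endpoint itself.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. The Windows Update service and BITS must exist and must not be disabled.
foreach ($name in 'wuauserv', 'BITS') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add("Service $name not found") }
    elseif ($svc.StartType -eq 'Disabled') { $findings.Add("Service $name is disabled") }
}

# 2. Policy must point the agent at a WSUS server and tell it to use that server.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
if (-not $wu.WUServer) { $findings.Add('No WUServer policy value: endpoint is not pointed at WSUS') }
elseif ($au.UseWUServer -ne 1) { $findings.Add('UseWUServer is not 1: the WUServer policy is ignored') }

# 3. The WSUS server named in policy must be reachable on its configured port.
if ($wu.WUServer) {
    $uri = [uri]$wu.WUServer
    $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { $findings.Add("Cannot reach $($uri.Host):$($uri.Port)") }
}

# 4. Last successful update search recorded by the agent (reported in UTC).
#    The 7-day threshold is an assumption; tune it to your detection frequency.
$lastSearch = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate
if (-not $lastSearch -or $lastSearch -lt (Get-Date).ToUniversalTime().AddDays(-7)) {
    $findings.Add("No successful update search in the last 7 days (last: $lastSearch)")
}

# 5. A reboot left pending by an earlier update.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
    $findings.Add('Reboot pending from a previous update')
}

# Report findings and exit non-zero so a task runner records the failure.
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'No Windows Update Agent issues found by these checks'
exit 0
```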
Advanced Windows Steps
If all previous steps have been followed and a significant number of Windows endpoints are still stuck in synchronization or updating, please proceed with the following steps. Note: This is a major reset that may take several hours to fully re-sync.
- Remove the WSUS discovery source (Platform Configuration > Settings > X)
- Remove the WSUS connector from the servers tab (Platform Configuration > Servers > select servers > server actions > manage Intigua on server > disable checkbox)
- Remove WSUS entry from servers tab (select server > server actions > remove from inventory)
- Re-add the WSUS server as a standalone (server actions > add standalone endpoint/server)
- Re-deploy WSUS connector (select server > server actions > manage Intigua on server, enable checkbox)
- Re-add WSUS discovery source (Platform Configuration > Settings > Add Discovery Source)
After this is completed, please wait an hour and verify the status. If there is still an issue, you will need to investigate the logs and the database.
Verify Workflow Selection
- Go to Patches > Remediation Plan
- Click on edit on one of the remediation plans you plan to activate
- Go to Create Cycle and verify the workflow selection
- Note: You cannot modify the workflow selection once you save and activate the plan. Instead, you will need to cancel the activated plan and then duplicate it in order to modify it.
- Once you have verified the workflow selection, you can view the workflow details by clicking the symbol next to the workflow. This brings up the "View Workflow" popup window, where you can view both the pre-patching and post-patching tasks to make sure you have the right workflow.
What Else?
If you are still experiencing patching issues, please review the in-depth patching logs and manager logs (vmanage.log and patching.log).