The patching checklist is a series of steps you can take to maximize the chance of success during a patching cycle. At this stage, you should have your remediation plan(s) created, but not yet activated.
Note: For a normal patch cycle process, these steps should be executed at least a day in advance, so the remediation plan is also activated a day in advance.
Verify that Endpoint Readiness is Turned On
- Go to Endpoints > Readiness
- Make sure Endpoint Readiness is enabled
- If Endpoint Readiness is enabled, you should see a lot of table data and other information.
- If it is disabled, go into settings, enable it, and save changes.
- Filter on Endpoint Readiness: Not Ready and Unknown
- Desired State: No results like the below screenshot
- If there are issues, review the endpoint readiness troubleshooting article.
- If you are unable to figure out why a certain endpoint is not reporting as ready, run the endpoint readiness script and look at the output (steps).
- Note: If you see a red "X" for all WUA Communication, there may be an issue with the "WSUS get groups" script. To investigate further, download the manager logs and look at discovery.log.
Run Predictive Patching
- Go to Patches > Remediation Plans
- Find the remediation plan(s) you want to activate as part of the patching cycle and click on the predict icon
- If there are any issues, click on How to Improve and read both the Predictive Patching and Endpoint Exemptions and Warnings articles for information.
- Desired State: 100% predicted patching success rate like the below screenshot
Verify WSUS Status (if patching Windows)
- Navigate to Platform Configuration > Settings > Discovery Sources.
- Check the WSUS status:
- Green Status: OK, nothing to do.
- Red X Status: Analyze discovery.log via manager logs.
Resolve Windows Endpoints Stuck in "Updating" or "Synchronizing" or "Failed"
Assumption: Endpoint Readiness is 100% ready for endpoints stuck in one of these states.
Filter for Affected Endpoints:
- Navigate to Smart Groups > Management.
- In the Endpoint Statuses dropdown, filter by "Updating Endpoint", "Synchronizing Endpoint", "Update Failed", and "Synchronized Failed".
For a smart group that is tied to one of these statuses, disable and re-enable "Support Patching Activities":
- Go to Smart Groups > Management.
- For affected smart groups, click the edit pencil icon within the last actions column and then disable "Support Patching Activities".
- Wait a few minutes, and monitor system activities (see below). If system activities are successful and the status becomes fully "assigned" while unchecked, then re-enable "Support Patching Activities", wait a few more minutes, and see if that solves the problem.
Monitor System Activities:
- Go to Endpoints > Activities and monitor the progress of the relevant tasks:
- WSUS Primary Only Tasks: Assign or remove endpoint(s) to/from WSUS group(s)
- WSUS Replica Only Tasks: WSUS Synchronize between Primary and Replicas; WSUS client synchronization with WSUS servers
- If any of these tasks fail, view details of output.
- More information on WSUS Group Management
If machines are still not fully assigned, then Run Sync:
- Append the following to the JetPatch URL to trigger synchronization:
vmanage-server/rest/experimental/wsus-activities/run-sync
- If the found count is more than 0, those found tasks will be processed.
What else?
- Restart Tomcat: Running "service tomcat restart" can clear stuck records in the WSUS group activity table.
- Create New Smart Group and Delete Old Smart Group:
- Assign all affected devices to a newly created smart group (note: you cannot edit the name of smart groups).
- It is very likely the new group will fail. This is OK, because status is cumulative across all groups. Therefore, delete the old group.
- Once the old group is deleted, the new group should be working.
If Smart Group status is not Ready, then review the smart group statuses article for troubleshooting steps.
Verify that System Tasks are Running Properly
- Go to Endpoints > Activities
Windows Endpoints
- Filter on Task Type: System
- Search for the name of the WSUS Primary machine
- Filter on the following system tasks and review any recent "Error" or "Failed" in the last couple of days
- WSUS get update summaries per computer
- WSUS get groups and computers in a group
- WSUS get updates (if this is failing or latest patches are not pulling, see article)
- Sync approval status with WSUS
- WSUS Group manipulations
- Assign or remove endpoint(s) to/from WSUS group(s)
- Note: If there are WSUS replicas, check for the following additional scripts (requires a working connector with IPv6 disabled on the replica)
- WSUS Synchronize between Primary and Replicas
- WSUS client synchronization with WSUS server
- Note: More information on our patch related WSUS scripts can be found in this article.
- Note: More information on our group related WSUS scripts can be found in this article
Linux and Solaris Endpoints
- Filter on Task Type: System
- Filter on Task: Collect Endpoint Updates
- Filter on Activity Status: Error and Failed
- Under More Filters
- Set Start Date to yesterday
- Set the End Date to today
- If there are any results, please check the exit code, and troubleshoot accordingly.
- Desired State: No results like the below screenshot
Verify Workflow Selection
- Go to Patches > Remediation Plan
- Click on edit on one of the remediation plans you plan to activate
- Go to Create Cycle and verify the workflow selection
- Note: You cannot modify workflow selection once you save and activate the plan. Instead, you will need to cancel the activated plan, then duplicate it, in order to modify it.
- Once you verify workflow selection, if you want to view the workflow details, click the symbol next to workflow to bring up the "View Workflow" popup window. Here you can view both the pre-patching and post-patching tasks to make sure you have the right workflow.
Check for potential Windows Update Agent issues (useful if only a small number of machines have issues)
- Go to Endpoints > Management
- Filter on the Windows Endpoint Group(s) you are looking to patch
- Select all rows and select Action > Run Task
- Search for Check for potential Windows Update Agent issues
- Click on Run Task
- Wait a minute
- Go to Endpoints > Activities
- Filter Task: Check for potential Windows Update Agent issues
- Under More Filters
- Set Start Date to yesterday
- Set the End Date to today
- Set Exit Code to All except 0
- If there are any results, you will need to log into each machine and fix any Windows Update Agent Errors
- Desired State: No results like the below screenshot
Advanced Windows Steps
Warning: If all previous steps have been followed and a significant number of Windows endpoints are still stuck in synchronization or updating, please proceed with the following steps. Note: This is a major reset that may take several hours to fully re-sync.
- Remove the WSUS discovery source (Platform Configuration > Settings > X)
- Remove the WSUS connector from the servers tab (Platform Configuration > Servers > select servers > server actions > manage Intigua on server > disable checkbox)
- Remove WSUS entry from servers tab (select server > server actions > remove from inventory)
- Re-add the WSUS server as a standalone (server actions > add standalone endpoint/server)
- Re-deploy WSUS connector (select server > server actions > manage Intigua on server, enable checkbox)
- Re-add WSUS discovery source (Platform Configuration > Settings > Add Discovery Source)
After this is completed, please wait an hour and verify status. If there is still an issue, then you will need to investigate the logs and database.
What Else?
If you are still experiencing patching issues, please review the manager logs (vmanage.log and patching.log) and the in-depth patching logs.