The patching checklist is a series of steps you can take to ensure the most amount of success during a patching cycle.  At this stage, you should have your remediation plan(s) created, but not yet activated.

Note: For a normal patch cycle process, these steps should be executed at least a day in advance, and thus activating the remediation plan a day in advance.

Verify that Endpoint Readiness is Turned On 

• Go to Endpoints > Readiness
• Make sure Endpoint Readiness is enabled
  • If Endpoint Readiness is enabled, you should see a lot of table data and other information.
  • If it is disabled, go into settings, enable it, and save changes.
• Filter on Endpoint Readiness: Not Ready and Unknown
• If there are issues, review the endpoint readiness troubleshooting article.
• Desired State: No results like the below screenshot 
• Note: if you see a red "X" for all WUA Communication, then there may be an issue with the "WSUS get groups" script.  In order to further investigate, please download the manager logs and look at the discovery.log 

Run Predictive Patching

• Go to Patches > Remediation Plans 
• Find the remediation plan(s) you want to activate as part of the patching cycle and click on the predict icon

• If there are any issues, click on How to Improve and read both the Predictive Patching and Endpoint Exemptions and Warnings articles for information. 
• Desired State: 100% predicted patching success rate like the below screenshot  

Verify that System Tasks are Running Properly

• Go to Endpoints > Activities
• Windows Endpoints
  • Filter on Task Type: System
  • Search for the name of the WSUS Primary machine
  • Make sure you the most recent status of the following Activities are being reported as Succeeded
    
    • WSUS get update summaries per computer
    • WSUS get groups and computers in a group
    • WSUS get updates
    • Sync approval status with WSUS
    • WSUS Group manipulations
    • Assign or remove endpoint(s) to/from WSUS group(s)
    •  Note1: If there are WSUS replicas, check for the following additional scripts (requires working connector with IPV6 disabled on the replica with the replica's WUA setting pointing to primary)
      • WSUS client synchronization with WSUS server  
      • WSUS Synchronize between Primary and Replicas
    • Note2: More information on these WSUS scripts can be found in this article.

• Linux and Solaris Endpoints
  • Filter on Task Type: System
  • Filter on Task: Collect Endpoint Updates 
  • Filter on Activity Status: Error and Failed
  • Under More Filters
    • Set Start Date to yesterday
    • Set the End Date to today
  • If there are any results, please check the exit code, and troubleshoot accordingly.
  • Desired State: No results like the below screenshot

Additional Windows-Specific Checks

• Make sure the relevant endpoints are in a Ready state in Endpoints > Groups

If there are several endpoints in a "updating endpoint" or "synchronizing endpoint", then append the following to the JetPatch URL

vmanage-server/rest/experimental/wsus-activities/run-sync

If there is still an issue, then put some of the endpoints in a test tag-based smart group and if it then goes to ready, then remove that test smart group.

• Make sure relevant smart groups are also ready and eligible for patching (System > Smart Groups) with "For Patching" enabled

• Check for potential Windows Update Agent issues
  • Go to Endpoints > Management
  • Filter on the Windows Endpoint Group(s) you are looking to patch
  • Select all rows and select Action > Run Task
  • Search for Check for potential Windows Update Agent issues
  • Click on Run Task
  • Wait a minute
  • Go to Endpoints > Activities
  • Filter Task: Check for potential Windows Update Agent issues
  • Under More Filters
    • Set Start Date to yesterday
    • Set the End Date to today
    • Set Exit Code to All except 0
  • If there are any results, you will need to log into each machine and fix any Windows Update Agent Errors
  • Desired State: No results like the below screenshot

If all of that is OK and there is still an issue on a significant portion of Windows endpoints stuck in synchronizing or updating, then do the following steps

1. Remove the WSUS discovery source
2. Remove the WSUS connector from the servers tab
3. Remove WSUS entry from servers tab
4. Re-add the WSUS server as a standalone
5. Re-deploy WSUS connector (latest version)
6. Re-add WSUS discovery source

Verify Workflow Selection

• Go to Patches > Remediation Plan
• Click on edit on one of the remediation plans you plan to activate
• Go to Create Cycle and verify the workflow selection
• Note: You can not modify workflow selection once you save and activate the plan.  Instead, you will need to cancel the activated plan, then duplicate it, in order to modify it.

• Once you verify workflow selection, if you want to view the workflow details, click the symbol next to workflow to bring up the "View Workflow" popup window and here, you can view both the pre-patching and post-patching tasks to make sure you have the right workflow

What Else?

If you are still experiencing patching issues, please review the in-depth patching logs and manager logs (vmanage.log and patching.log)

Additional Information

• FAQ Guide
• Customer Guide
• Support Deck