The patching checklist is a series of steps you can take to maximize the chance of success during a patching cycle. At this stage, you should have your remediation plan(s) created, but not yet activated.
Note: For a normal patch cycle process, these steps should be executed at least a day in advance, which means the remediation plan is also activated a day in advance.
Verify that Endpoint Readiness is Turned On
- Go to Endpoints > Readiness
- Make sure Endpoint Readiness is enabled
  - If Endpoint Readiness is enabled, you should see a lot of table data and other information.
  - If it is disabled, go into settings, enable it, and save changes.
- Filter on Endpoint Readiness: Not Ready and Unknown
  - If there are issues, review the endpoint readiness troubleshooting article.
- Desired State: no results, as in the screenshot below
Run Predictive Patching
- Go to Patches > Remediation Plans
- Find the remediation plan(s) you want to activate as part of the patching cycle and click on the predict icon
- If there are any issues, click on How to Improve and read both the Predictive Patching and Endpoint Exemptions and Warnings articles for information.
- Desired State: 100% predicted patching success rate, as in the screenshot below
Verify that System Tasks are Running Properly
- Go to Endpoints > Activities
- Windows Endpoints
  - Filter on Task Type: System
  - Search for the name of the WSUS Primary machine
  - Make sure the most recent status of each of the following Activities is reported as Succeeded
    - wsus get update summaries per computer
    - wsus get groups and computers in group
    - wsus get updates
    - Sync approval status with WSUS
    - WSUS Group manipulations
    - Assign or remove endpoint(s) to/from wsus group(s)
  - Note 1: if there are WSUS replicas, check for the following additional scripts (requires a working connector on the replica)
    - WSUS client synchronization with WSUS server
    - WSUS Synchronize between Primary and Replicas
  - Note 2: more information on these WSUS scripts can be found in this article.
- Linux and Solaris Endpoints
  - Filter on Task Type: System
  - Filter on Task: Collect Endpoint Updates
  - Filter on Activity Status: Error and Failed
  - Under More Filters
    - Set Start Date to yesterday
    - Set End Date to today
  - If there are any results, please check the exit code, and troubleshoot accordingly.
  - Desired State: no results, as in the screenshot below
Additional Windows Specific Checks
- Check for potential Windows Update Agent issues
  - Go to Endpoints > Management
  - Filter on the Windows Endpoint Group(s) you are looking to patch
  - Select all rows and select Action > Run Task
  - Search for Check for potential Windows Update Agent issues
  - Click on Run Task
  - Wait a minute
  - Go to Endpoints > Activities
  - Filter Task: Check for potential Windows Update Agent issues
  - Under More Filters
    - Set Start Date to yesterday
    - Set End Date to today
    - Set Exit Code to All except 0
  - If there are any results, you will need to log into each machine and fix any Windows Update Agent errors
  - Desired State: no results, as in the screenshot below
- Make sure the relevant endpoints are in a Ready state in Endpoints > Groups
Verify Workflow Selection
- Go to Patches > Remediation Plan
- Click on edit on one of the remediation plans you plan to activate
- Go to Create Cycle and verify the workflow selection
  - Note: you cannot modify the workflow selection once you save and activate the plan. Instead, you will need to cancel the activated plan, then duplicate it, in order to modify it.
- Once you have verified the workflow selection, if you want to view the workflow details, click the symbol next to the workflow to bring up the "View Workflow" popup window. There you can view both the pre-patching and post-patching tasks to make sure you have the right workflow.
What Else?
If you are still experiencing patching issues, please review the in-depth patching logs and manager logs (vmanage.log and patching.log).