Assumptions
- It's been more than 24 hours since patch Tuesday (see relevant configuration below)
- Relevant machines show as 100% in endpoint readiness (and thus relevant machines are reporting fine to WSUS).
- Relevant patches are in WSUS (if they are not in WSUS, then make sure you have selected all relevant products and classifications).
- You are not purposefully limiting patches classifications.
Observations
- Endpoints have Patching Status = No Status
- Note: for non-domain joined machines, please check if there is a local policy object overriding registry settings
- Endpoints have patching status, but do not have latest patches
- Some endpoints have latest patches, but some do not
- Note: If this is the case, please temporarily disable all compliance rules to see if this solves the problem. If it does, the problem is one of your compliance rules.
Next Steps
- For older deployments that have upgraded major versions, check intigua.properties and remove any line regarding pg.wsus.update.num-to-fetch and then restart tomcat
- Run a full WSUS scan (it may take 10-20 mins across a few script cycles)
- Check manager logs: vmanage.log (errors on wsus get updates)
If you see transaction timeouts in vmange.log surrounding wsus get updates, set the following properties in intigua.properties and restart tomcat (service tomcat restart)
spring.transaction.timeout.sec=14400
spring.datasource.hikari.connectionTimeout=60000
Relevant Configuration
By default, WSUS get Updates runs every 18 hours, you can modify that by adjusting the following property. Example, if you would like 12 hours:
# Configure the 'WSUS get Updates' Script interval pg.wsus.update.job.interval.sec=43200
In addition, you can manually run WSUS get updates by following this article.
Comments
0 comments
Please sign in to leave a comment.