General Troubleshooting
If you cannot determine why an endpoint is not reporting as ready, run the endpoint readiness script and review the output:
- In Endpoint Readiness, check the box of the endpoint you want to troubleshoot
- Click on Actions > Run Readiness Test (in the top right next to settings)
- Wait 30 seconds; the endpoint should start refreshing
- Once complete, view the output by clicking on the eye
Note: this output will only update when you manually run readiness tests
Windows Example
The output of the Windows readiness task tells you the following:
- PowerShell execution policy (which must be either Unrestricted or RemoteSigned)
- The WSUS URL as per the endpoint's intranet Microsoft update service location. This must match the required repo configuration.
- PowerShell version (must be greater than or equal to three)
- Both "has update service location" and "WSUS automatic updates" must be true.
Note: You can learn more about this script by downloading it from Tasks & Scripts > Scripts > Check endpoint readiness for single Windows computer
Linux Example
The output of the Linux readiness task tells you the following:
- Repo ID (relevant repos must match the required repo configuration)
- Whether the repo is enabled (relevant repos must be enabled)
- Number of packages in the repo (must be greater than zero)
- "Has Update info" (must be true)
Note: You can learn more about this script by downloading it from Tasks & Scripts > Scripts > Check endpoint readiness for single [Linux/Debian/Ubuntu] computer
Readiness Criteria Summary
There are a total of eight readiness criteria. Which criteria apply to an endpoint depends on its OS and environment.
Windows Criteria
OS | Connector Installed | Repository Configured | PS Version | PS Execution Policy | WUA Communication |
All Windows | V | V | V | V | V |
Linux Criteria
OS | Connector Installed | Subscription* | Advisories Ready | Packages Support | Repository Configured |
RHEL / SUSE | V | V | V | V | V |
RHEL / SUSE (Cloud) | V | V | V | V | |
Oracle Linux / Alma Linux / Rocky Linux / Amazon Linux | V | V | V | V | |
CentOS | V | V | V | ||
Ubuntu / Debian | V | V |
* "Subscription" criterion check is also dependent on "Linux Subscription" settings.
Solaris Criteria:
OS | Connector Installed | Subscription | Advisories Ready | Packages Support | Repository Configured |
Solaris 11 | V | V | V | V | |
Solaris 10 | V | V |
Criteria Guide
Note: General Unknown Message - JetPatch didn't get any data. Please check the Connector communication
Connector
General Information:
- Description - The Connector should be installed, communicating properly with JetPatch, and running a supported version
- Supported Operating Systems:
Readiness Statuses:
- Ready - Connector is connected and in the right version
- Not Ready - Connector is installed but has problems communicating with JetPatch.
- Not Supported version - Connector is not in a version that supports the Readiness feature.
- Unknown - Connector does not exist on the endpoint.
- Exemption - If the connector is not Connected
How to fix:
- Unknown or Not Supported Version - Deploy Connector on the endpoint
- Not Ready - Check for communication issues
Subscription
General Information:
- Description: Checking for the data
Supported Operating Systems:
- RHEL (not in AWS)
- SUSE
- Solaris
Readiness Statuses:
- Ready - The endpoint has a valid subscription.
- Not Ready - The endpoint does not have a valid subscription.
- Unknown - JetPatch does not know the subscription status of the endpoint.
- Not Applicable - For endpoints that do not need a subscription or are running an unsupported OS
- Exemption - If the endpoint criterion is "Not Ready", the following exemption will appear for the endpoint - Subscription Missing
How to fix:
- Unknown - Deploy Connector on the endpoint
- Not Ready - Check for communication issues
Note #1 - Local Repository Architecture Configuration
Endpoint Readiness feature supports local repository architecture configuration.
Please check "Linux Subscription" settings.
Based on the settings, endpoints won't need the "Subscription" criterion for readiness status - it will be considered as "Not Applicable".
Advisories Ready
General Information:
- Description: Checks for available Advisories on the endpoint from the required repositories
Supported Operating Systems:
- All Linux platforms except CentOS and Ubuntu
Readiness Statuses:
- Ready - The endpoint has Advisories information from configured repositories.
- Not Ready - The endpoint does not have the Advisories information from the repositories configured in JetPatch settings.
- Unknown - If there is no data from the endpoint or in the settings.
- Not Applicable - Unsupported OS
- Exemption - If the endpoint criterion is "Not Ready" and the Repository Configuration readiness criterion is "Ready", the following exemption will appear for the endpoint - Advisories Not Exist
How to fix:
- Unknown(❓)
  - There are no Configured Repositories in JetPatch Settings matching the endpoint OS.
- Not Ready(❌)
  - Repository List - Make sure all the added repo IDs have advisories.
    - For example, if you use the automatic repo configuration option, it will add all enabled repos, including those without advisories, like:
      - Custom repos
      - Extra / EPEL Repos (e.g. for Enterprise Linux including RHEL / OL / Rocky / Alma etc.)
      - Pool repos (for SLES), which are just a collection of packages for the Update repos (which have the advisories).
  - Repository Issue - If the endpoint is using a local repository, make sure it can pull Advisories information (updateinfo.xml / updateinfo.xml.gz) from the repository. To check, run the command "find /var/cache/ -iname '*updateinfo.xml*'" on the endpoint. If nothing shows up, advisories are not configured on the repository. Please refer to the article on How to fix Missing Advisory Information in Local Repository.
  - Endpoint cache issue - Sometimes the endpoint is not pulling the full Advisory information. To pull the updated information, run the following command:
    - YUM based systems - "yum clean all && yum updateinfo"
    - ZYPPER based systems - "zypper clean"
Packages Support
General Information:
- Description: Checks for available packages on the endpoint from the required repositories.
Supported Operating Systems:
- All Linux platforms except Ubuntu
Readiness Statuses:
- Ready - The endpoint has available packages from configured repositories.
- Not Ready - The endpoint does not have packages from the configured repositories.
- Unknown - If there is no data from the endpoint or in the settings.
- Not Applicable - Unsupported OS
- Exemption - If the endpoint criterion is "Not Ready" and the Repository Configuration readiness criterion is "Ready", the following exemption will appear for the endpoint - Packages Not Exist
How to fix:
- Unknown(❓)
  - Connector compatibility - Connector version should support Endpoint Readiness. Check the installed Connector version
  - There are no Configured Repositories in JetPatch Settings matching the endpoint OS.
- Not Ready(❌)
  - Duplicate Repo ID - Make sure the same repo ID is not accidentally added twice (known issue to be fixed in 4.2.7)
  - Connectivity/Repository Issue - Check the endpoint repository configuration. The endpoint should be able to connect to the repository and pull the right information.
    - YUM based systems - In the output of the following command, the number of packages should be higher than 0 - "yum repolist all"
    - ZYPPER based systems - Output should contain a list of available packages - "zypper se -r <REPO_ID>" (to fetch the REPO_ID run the command "zypper repos -E")
  - Endpoint cache issue - Sometimes the endpoint is not pulling the full Advisory information. To pull the updated information, run the following command:
    - YUM based systems - "yum clean all && yum updateinfo"
    - ZYPPER based systems - "zypper clean"
Repository Configured
General Information:
- Description - Checks whether the repository configuration of the endpoint points to the right repositories, as determined by the user in the Readiness settings, and checks other related settings.
- For Windows:
  - WSUS is treated as a repository for Windows endpoints.
  - In addition to the WSUS configuration, Endpoint Readiness checks some additional settings in the GPO:
    - "Configure Automatic Updates" = enable
      - In endpoint readiness output, this is wsusAutomaticUpdates = true
    - "Specify intranet Microsoft update service location" = enable
      - In endpoint readiness output, this is hasUpdateServiceLocation = true
Supported Operating Systems:
- All OSs supported by JetPatch Patch Management module
Readiness Statuses:
- Ready - The endpoint is pointing to the right WSUS (and configured with the right settings)/Linux repositories. Only one configured repository can match the incoming configuration from the endpoint. For more information please see the notes below
- Not Ready - Endpoint configuration is wrong and does not match the Readiness settings
- Unknown - If there is a problem on the endpoint fetching the repositories or there is no data in the settings.
- Exemption - For exemption handling, JetPatch considers the Configured Repository Flag (see the "Readiness Settings" section for more information).
  - If the flag is marked - JetPatch will raise an exemption if the criterion status is Not Ready or Unknown, and won't execute the required patch operation.
  - If the flag is unmarked - JetPatch will raise an exemption only if the criterion status is Not Ready, and won't execute the required patch operation.
How to fix:
- Unknown(❓)
  - Check the Required Repository Configuration in the Readiness Settings and make sure there is an entry that represents the endpoint's operating system and CIDR. More information on setting up the "Required Repository Configuration" can be found below in the Settings section.
  - The Readiness information didn't get any "Repositories" data from the endpoint (a problem in the script) - please contact JetPatch support for an investigation.
- Not Ready(❌)
  - Check if the endpoint configuration for WSUS/Repositories is the same as configured in the Readiness Settings -> Configured Repository Configuration. For more information on configuring the right values in the settings, please see the Readiness Settings section.
  - Check if the endpoint's repository configurations are enabled (and have the expected values for the Windows repository setting).
Notes #1 - Configured Repository Configuration Scenarios
For "Ready" status, only one configured repository in the readiness settings can match the incoming configuration from the endpoint. Example Scenarios:
Scenario ID | Scenario #1 | Scenario #2 | Scenario #3 |
Repository configuration on the Endpoint |
|
REPO1 | REPO3 |
Configured Repositories in JetPatch Readiness Settings (matching the OS and CIDR of the endpoint) |
|
||
Result | Ready | Not Ready | Ready |
Explanation | The endpoint matches the second configured repository in JetPatch settings | No Configured Repository in JetPatch Readiness Settings matches the endpoint configuration; it matches only part of the repositories in #2 | The endpoint matches the first configured repository in JetPatch settings |
Notes #2 - Configured Repository Readiness Status Decision Matrix
The following matrix shows the result of matching the endpoint's repository configuration against the Configured Repositories in JetPatch.
Top row = Configured Repositories in JetPatch Settings
Left column = Endpoint repositories configuration
Endpoint \ JetPatch Settings | REPO1 REPO2 | REPO1 | REPO2 | Empty (no configuration or OS + CIDR matching) |
REPO1 REPO2 | Ready | Ready | Ready | Unknown |
REPO1 | Not Ready | Ready | Not Ready | Unknown |
REPO2 | Not Ready | Not Ready | Ready | Unknown |
Empty List (endpoint does not configure) | Not Ready | Not Ready | Not Ready | Unknown |
Not exist (a problem in the Readiness information) | Unknown | Unknown | Unknown | Unknown |
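The decision matrix above, together with the Configured Repository Flag rule from the Exemption description, written out as an added Python example (not JetPatch's own code). It assumes each settings column is a single configured entry whose repo IDs must all be present on the endpoint, which is the reading that reproduces every cell of the table; the function names and data shapes are hypothetical.

```python
READY, NOT_READY, UNKNOWN = "Ready", "Not Ready", "Unknown"


def repository_configured_status(endpoint_repos, configured_entries):
    """Status for one endpoint, following the decision matrix on this page.

    endpoint_repos: repo IDs from the endpoint; None = no repository data at all.
    configured_entries: repo-ID lists of the settings entries matching the
    endpoint's OS and CIDR (hypothetical representation, IDs compared exactly).
    """
    if endpoint_repos is None:  # "Not exist" row: problem in the readiness data
        return UNKNOWN
    entries = [frozenset(entry) for entry in configured_entries if entry]
    if not entries:  # "Empty" column: nothing configured for this OS + CIDR
        return UNKNOWN
    found = frozenset(endpoint_repos)
    # Ready when every repo of at least one configured entry is on the endpoint.
    return READY if any(entry <= found for entry in entries) else NOT_READY


def raises_exemption(status, flag_marked):
    """Configured Repository Flag: when marked, Unknown also blocks patching."""
    blocking = {NOT_READY, UNKNOWN} if flag_marked else {NOT_READY}
    return status in blocking


def decision_matrix():
    """Rebuild the matrix; keys are (endpoint row, settings column)."""
    rows = {
        "REPO1 REPO2": ["REPO1", "REPO2"],
        "REPO1": ["REPO1"],
        "REPO2": ["REPO2"],
        "Empty List": [],
        "Not exist": None,
    }
    columns = {
        "REPO1 REPO2": [["REPO1", "REPO2"]],
        "REPO1": [["REPO1"]],
        "REPO2": [["REPO2"]],
        "Empty": [],
    }
    return {
        (row, col): repository_configured_status(repos, entries)
        for row, repos in rows.items()
        for col, entries in columns.items()
    }
```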
PS Version
General Information:
- Description: Checks the endpoint PS version.
Supported Operating Systems:
- Windows only
Readiness Statuses:
- Ready - The major PS version is 3 or above.
- Not Ready - The major PS version is 2 or below.
- Unknown - If there is no data from the endpoint.
- Not Applicable - Unsupported OS
- Exemption - If the endpoint criterion is "Not Ready", the following exemption will appear for the endpoint - Unsupported PowerShell Version
How to fix:
- Unknown -
  - Connector compatibility - Connector version should support Endpoint Readiness. Check the installed Connector version.
- Not Ready - Upgrade PowerShell to version 3 or above.
PS Execution Policy
General Information:
- Description: Checks the endpoint PS Execution Policy (highest Scope).
Supported Operating Systems:
- Windows only
Readiness Statuses:
- Ready - The PS Execution Policy is Unrestricted/RemoteSigned
- Not Ready - The PS Execution Policy is AllSigned/Restricted
- Unknown - If there is no data from the endpoint.
- Not Applicable - Unsupported OS
- Exemption - If the endpoint criterion is "Not Ready", the following exemption will appear for the endpoint - Unsupported PowerShell Execution Policy
How to fix:
- Unknown -
  - Connector compatibility - Connector version should support Endpoint Readiness. Check the installed Connector version.
- Not Ready - Change the PS Execution Policy to a supported policy.
WUA Communication
General Information:
- Description: Checks the endpoint's (Windows Update Agent) connectivity to the WSUS server. This information is extracted from the "wsus get groups and computers in group" task (the field to check is "LastReportedStatusTime"), as part of the WSUS Discovery Source scripts.
Supported Operating Systems:
- Windows only
Readiness Statuses:
- Ready - The endpoint reported in the last X minutes (configurable value in Readiness Settings)
- Not Ready - The endpoint didn't report within the configured time.
- Unknown - If there is no data on the endpoint.
- Not Applicable - Unsupported OS
- Exemption - If the endpoint criterion is "Not Ready", the following exemption will appear for the endpoint - WSUS Communication Problems
How to fix:
- Unknown -
  - WSUS Discovery Source - Make sure it is added and is in a working state.
  - WUA Configuration -
    - Verify Windows Update Settings are set correctly to the WSUS
    - Verify the device shows up in the WSUS Console
- Not Ready -
  - WUA Connectivity:
    - WSUS Discovery Scripts - Download the manager logs and verify there are no errors in discovery.log for the wsus scripts, including wsus get groups
    - Windows Update Agent can't reach the WSUS. Solution - Check connectivity between the Windows Update Agent and the WSUS.
    - Endpoint reporting is happening less often than the configured value in the Readiness settings - Go to the WSUS console and find the problematic endpoint in the "Computers" section. Check the "Last Status Report" column and make sure it last communicated within the time interval provided in the Readiness configuration. If not - Solution - Increase the Readiness setting for "Endpoint Communication with WSUS".
    - Replica endpoint reports synchronization - See Note #1 below.
Note #1 - WSUS Replica Architecture
The reports of endpoints communicating with a WSUS Replica (downstream) will be sent to the WSUS Main (upstream) only after downstream synchronization.
Related Articles
- Endpoint readiness overview
- Endpoint readiness settings
- What is the patching checklist?
- Running a task