There appears to be a discrepancy in patch applicability between Jetpatch and WSUS. This guide will walk you through the steps to confirm the mismatch and identify the root cause.
Environment
- Jetpatch platform
- WSUS server
- Endpoint machines running the Jetpatch agent (Connector)
Resolution
Follow these steps to check the status of a specific patch in both WSUS and Jetpatch and compare the results.
Step 1: Check Patch Status on the WSUS Server
1. Connect to your WSUS console.
2. Navigate to the machine status report.
3. Check the Jetpatch Patches Catalog:
- Navigate to the Patches Catalog section in Jetpatch.
- Compare Patch Count: Count the number of patches listed in the Jetpatch catalog and compare this number with the count of patches reported in WSUS.
Note: If the counts are the same, there is likely no general patch synchronization problem.
If there is a mismatch in the counts, proceed with the more detailed log analysis below.
4. Find the patch you are investigating (e.g., KB5062560).
5. Verify the status of the patch on the target server. The expected status should be either Not Approved or Not Applicable. If the status is Installed and was installed by Jetpatch, you can create a Remediation Plan with a 'Removal' operation.
6. If the status is incorrect or the patch is missing from the report, this indicates an issue with the Windows Update settings on the endpoint machine. You must connect to the endpoint and troubleshoot its update settings directly.
Step 2: Verify Patch Status in Jetpatch
This step requires you to download and analyze Jetpatch's activity logs for WSUS.
- Log in to your Jetpatch server and navigate to: /vmanage-server/patch-governance/#/endpoints/activities
- Download the latest output file for the wsus get update summaries per computer task.
- To ensure the most recent data is available, you may need to manually trigger the WSUS discovery tasks. This can be done by disabling and then re-enabling the WSUS discovery source in Jetpatch. For detailed instructions on this process, refer to the following article: How do I trigger automatic system tasks.
Step 3: Compare Jetpatch Logs with the WSUS Report
This is the core of the investigation. You will need to cross-reference data from multiple Jetpatch log files.
- Find the Update ID: Download the wsus get updates activity file. Search this file for the name of the patch and save its unique Update ID.
- Find the Group ID: Download the wsus get groups and computers in group task output. Locate the machine in question and save its Group ID.
- Find the Endpoint ID: In the same wsus get groups and computers in group file, verify that the endpoint machine has the correct group ID. Save the EP ID for this machine.
- Check Status in Summary: Open the wsus get update summaries per computer file that you downloaded in Step 2. Search for the EP ID you saved. Within that section of the file, find the Update ID for your patch.
- Final Verification: Check the status associated with the patch in the log file. It should be the same as the status you observed in the WSUS console in Step 1.
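The WSUS-side values for this comparison can also be read with the WSUS PowerShell module instead of the console. This is an added example, not part of the original article or Jetpatch's own tooling; the computer name is a placeholder, and it is an assumption that the Update ID, Group ID and EP ID in the Jetpatch task outputs correspond to the WSUS update GUID, target group GUID and computer target ID printed here.

```powershell
# Added example: read the WSUS-side view of one update on one computer.
# Run on the WSUS server (or a host with the WSUS admin tools) in an elevated session.
param(
    [string]$KbArticle    = 'KB5062560',                # patch used as the example in this article
    [string]$ComputerName = 'endpoint01.example.local'  # placeholder: FQDN as registered in WSUS
)

Import-Module UpdateServices
$wsus = Get-WsusServer   # local WSUS server; use -Name/-PortNumber for a remote one

# A KB search can return several entries (one per OS build or architecture).
$updates = $wsus.SearchUpdates($KbArticle)
if ($updates.Count -eq 0) {
    throw "No update matching $KbArticle found on this WSUS server."
}

# GetComputerTargetByName throws if the machine has never registered with WSUS.
try {
    $computer = $wsus.GetComputerTargetByName($ComputerName)
} catch {
    throw "Computer '$ComputerName' is not registered on this WSUS server: $($_.Exception.Message)"
}

# Target groups the computer belongs to, with their GUIDs.
$groups = $computer.GetComputerTargetGroups()

foreach ($update in $updates) {
    # Per-computer status of this update as WSUS last recorded it.
    $info = $computer.GetUpdateInstallationInfoPerUpdate($update)
    [pscustomobject]@{
        Title             = $update.Title
        UpdateId          = $update.Id.UpdateId
        ComputerTargetId  = $computer.Id
        Groups            = ($groups | ForEach-Object { "$($_.Name) [$($_.Id)]" }) -join '; '
        InstallationState = $info.UpdateInstallationState
        ApprovalAction    = $info.UpdateApprovalAction
        LastReported      = $computer.LastReportedStatusTime
    }
}
```

An old LastReported time means the WSUS status itself may be stale, which points to the endpoint's Windows Update client rather than to Jetpatch.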
Conclusion
- If the statuses match: Jetpatch is correctly reporting the data it receives from WSUS. The issue is likely a problem with the WSUS client on the endpoint machine itself, not with the Jetpatch-WSUS communication.
- If the statuses do not match: A mismatch exists. This indicates a problem with the WSUS-Jetpatch synchronization. In this case, please open a support ticket with the Jetpatch team, providing all the log files and findings from this investigation.