Articles in this section

See more

WSUS Group Management with JetPatch

JetPatch and WSUS synchronize Smart Groups in primarily one way (from JetPatch to WSUS), but there is an initial two way sync on initial WSUS discovery. This allows for a seamless and automated approach to managing Windows OS patching while ensuring consistency between JetPatch and WSUS.

Key Behaviors:

  • JetPatch should only be used for Creating, Deleting, Assigning, and Unassigning machines after first initial sync with WSUS.

  • If a group is deleted in WSUS, JetPatch will recreate it in WSUS unless the group is already flagged as “DELETING GROUP” in JetPatch. In that case, JetPatch will not recreate it.

  • In the case of a conflict (e.g., a group is deleted in JetPatch but still exists in WSUS), JetPatch enforces its configuration over WSUS.

Server-Side Targeting Only

  • JetPatch only supports server-side targeting.
  • Client-side targeting is not supported.
  • All WSUS groups are fully synchronized between WSUS and JetPatch to ensure consistent and automated management.

Replica Limitations

  • JetPatch only supports a single level of WSUS replicas (Primary → Replica).
  • Replicas of replicas are not supported.
  • All replicas must use server-side targeting for full compatibility with JetPatch.

How It Works

1. Discovery & Import

Once JetPatch is linked to a WSUS server and its replicas, all WSUS groups are imported into JetPatch as Smart Groups with matching names.

2. Centralized Management

From that point forward:

  • JetPatch is responsible for WSUS group modifications (creations, assignments, and deletions)
  • JetPatch ensures that WSUS group structures remain consistent across primary and replica WSUS servers.
  • If a conflict arises, JetPatch enforces its configuration over WSUS.

3. Group Synchronization

Automatic Group Updates

  • Any newly created or modified Smart Group in JetPatch is automatically reflected in WSUS.

  • If a group is deleted in WSUS, JetPatch will recreate it in WSUS unless the group is flagged as “DELETING GROUP” in JetPatch. In that case, JetPatch will not recreate it.

  • In cases of conflict (e.g., a group exists in WSUS but was deleted in JetPatch), JetPatch enforces its configuration over WSUS, meaning the group will be deleted from WSUS.

Group Status Tracking

JetPatch tracks the synchronization and management of WSUS groups with clear status indicators:

  • Ready: Group is successfully created and synchronized.
  • Creating Group: Group creation or update is in progress; not yet available for patching.
  • Creation Failed / Synchronization Failed / Deletion Failed: Errors occurred; details available in Logs & Alerts.
  • Synchronizing Group: Group is actively being updated in WSUS and replicas.
  • Deleting Group:
    • The group is being removed from WSUS and replicas.
    • If the group is also deleted manually in WSUS, JetPatch will not recreate it.

Monitoring WSUS Group System Tasks

When JetPatch manages WSUS groups, several system tasks run in the background to keep synchronization and updates functioning correctly. If a WSUS group action seems stuck, check the following system tasks under Endpoints > Activities:

WSUS Primary Server Tasks

  • WSUS get groups and computers in a group – Retrieves WSUS groups and linked endpoints.
  • WSUS Group manipulations – Creates, updates, or deletes WSUS groups.
  • Assign or remove endpoint(s) to/from WSUS group(s) – Updates endpoint assignments.

WSUS Replica Server Tasks (if applicable)

  • WSUS Synchronize between Primary and Replicas – Ensures downstream WSUS servers match the primary.
  • WSUS client synchronization with WSUS server – Keeps endpoint patch status updated.

Troubleshooting WSUS Group Issues

If a WSUS group fails to sync or delete, follow these steps:

  • Go to Endpoints > Activities and check for failed system tasks:
    • If system tasks have failed, investigate the logs for further details.

  • If a group is stuck in ‘Deleting Group’ status:

    1. Check if the group has already been deleted in WSUS.

    2. If the group no longer exists in WSUS, JetPatch will finalize the deletion in its next cleanup sync.

    3. If the group persists in JetPatch, re-enabling WSUS Discovery Source in JetPatch can help refresh the status.

  • If a group is stuck in ‘Synchronizing Group’ status:

    1. Check for system task failures under Endpoints > Activities.

    2. If no failures exist, wait for the next sync cycle before making changes.

    3. If the issue persists, disable/re-enable WSUS Discovery Source in JetPatch to refresh synchronization.

Upgrading to Version 4.2.2

  • JetPatch automatically migrates WSUS groups into Smart Groups.
  • Existing WSUS groups are mapped and synchronized with JetPatch Smart Groups.
  • The migration process follows the Computer Group to Smart Group conversion, as detailed in the Managing Smart Groups Article.

Related articles

Comments

0 comments

Please sign in to leave a comment.