JetPatch Deployment Guide

Getting Started with JetPatch On-Premise

Download and Deploy the OVF template:

  1. If you haven’t already, download the JetPatch OVA file.
  • The download file contains a server running CentOS 7.7 with JetPatch pre-installed, along with some agent packages.
  • The only reason to log into the server is to change the default password. To log in, use SSH with user “root” and password “jetpatch123456”.
  2. Deploy the OVF template:
  • If you are using VMware vSphere Web Client, follow these steps.
  • By default, the JetPatch virtual appliance IP configuration is set to DHCP.

 

Getting started with JetPatch:

  1. Go to the JetPatch Console via a browser at http://<IP>/
  • When you first access the JetPatch Console, you will be asked to create an admin user with a strong password (at least 8 characters combining uppercase, numbers and symbols).
  • After creating this user, log into the console and accept the license.
  2. Discover your servers
  • Go to Settings → Discovery Sources
  • Select “Add Discovery Source”

  • Choose the Source Type: vCenter, AWS, WSUS or Azure (for WSUS discovery, see Configuring Windows Updates below)
  • Fill in the credentials and test the connection
  • For more details, see the JetPatch Installation Guide
  3. Provide endpoint user accounts – Once JetPatch is able to connect to endpoints, it must be able to log into them to manage their management stacks. This requires user accounts with administrative permissions on the endpoints.
  • Go to Settings → Server Accounts
  • Select “Edit Credentials” to add new accounts
  • Select the Account Type and provide an Account Name, Username, and Password
  • For Linux you can select and use an SSH private key.

  4. Create an MBSA management service – The MBSA agent is used to retrieve the baseline configuration and populate the JetPatch compliance report for all endpoints.
  • Go to Library → Management Services
  • Select “Add Service”

  • Enter a Name and select the MBSA management tool from the drop-down list
  5. To apply or remove the MBSA management service, select a server, then click “server actions” → “apply/remove management services”
  • A window of tools will pop up
  • Choose the MBSA agent and the management service
  • If you haven’t assigned an account yet, a window will pop up asking you to assign one.

 

Recommended: You can also configure MBSA to be deployed automatically to groups of servers through the Policy tab.

 

Note: If you have WSUS already configured in your environment this step may be skipped. 

Configuring Windows Updates:

  1. WSUS server configuration – When using the WSUS discovery source for Windows patches, a connector is required on the WSUS server. All servers that report to the WSUS server will then be discovered.
    • Configure the patch classifications to include the relevant patches for the environment you are managing
    • Verify that the ports 8530/8531 are open on the WSUS server for the endpoints to register
    • Enable the PowerShell execution policy to run scripts (see PowerShell Execution Policy below)
    • Recommended:
      • Disable IPv6 on the WSUS server
      • Set WSUS so that endpoints download Windows Updates from Microsoft rather than from local WSUS storage (JetPatch remediation plans then execute faster, because they do not have to wait for the WSUS server to download each patch)
        • To configure this, open the Update Services console on the WSUS server and go to Options -> Update Files and Languages -> “Do not store update files locally; computers install from Microsoft Update”
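
The WSUS server settings listed above can be read back from PowerShell on the WSUS server. This is an added example, not part of the original guide or of JetPatch; it assumes the UpdateServices module that is installed with the WSUS role and an elevated session.

```powershell
# Added example, not JetPatch code. Run in an elevated session on the WSUS server.
$wsus   = Get-WsusServer                 # no parameters: connects to the local WSUS instance
$config = $wsus.GetConfiguration()

# Patch classifications currently selected for synchronization
$classes = $wsus.GetSubscription().GetUpdateClassifications() | ForEach-Object { $_.Title }

# Listeners on the WSUS ports named in this guide (8530, or 8531 with SSL).
# A listener alone does not prove the firewall allows the port; test that from an endpoint.
$listening = Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique

# Adapters that still have the IPv6 binding enabled (the guide recommends disabling IPv6)
$ipv6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    WsusPort                = $wsus.PortNumber
    ListeningPorts          = $listening -join ', '
    Classifications         = $classes -join '; '
    # True corresponds to "Do not store update files locally; computers install from Microsoft Update"
    InstallFromMicrosoft    = $config.HostBinariesOnMicrosoftUpdate
    AdaptersWithIPv6Enabled = $ipv6 -join ', '
} | Format-List
```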

 

  2. Endpoint server configuration

         Pre-requisite: To automate Windows Update deployment, a connector must be deployed on each endpoint.

  • Register the endpoints with the WSUS server (this can be done either by domain policy or local policy). To register endpoints with WSUS:
    • Open the policy of the endpoint (start->run->gpedit.msc)
    • Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates:
      • Configure Automatic Updates -> Enabled and set to “Auto download and notify for install”
      • Specify intranet Microsoft update service location -> Enabled and set both URLs to http://wsusserverip:8530 (if using SSL use 8531)
    • Enable the PowerShell execution policy to run scripts (see PowerShell Execution Policy below)

 

  3. Add WSUS discovery source

         Pre-requisite: Have all endpoints registered and reporting to the WSUS server. It is also recommended to have the endpoints in groups before using JetPatch.

  • Have a connector deployed to the WSUS server and verify that it is connected to the JetPatch server
  • Go to Discovery Sources and add the WSUS discovery source by server name

wsus2.green.local

Source Type: WSUS Server

 

PowerShell Execution Policy (for Windows Updates):

Pre-requisite: Managing Windows Updates on all endpoints requires PowerShell 3.0 or above to be installed on the servers. The execution policy can be set either by domain or local policy.

  • Set the PowerShell execution policy to run scripts by going to the group policy (start->run->gpedit.msc)
  • Enable the execution policy by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Script Execution, then set it to Enabled and allow all scripts
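
The endpoint policy steps (WSUS registration and script execution) can be checked on an endpoint by reading back the registry values that Group Policy writes. This is an added example, not part of the original guide or of JetPatch; the URL is the guide's placeholder and the function names are illustrative.

```powershell
# Added example: reads back the policy values written by the Group Policy steps in this guide.
# Assumption: $ExpectedWsus is the guide's placeholder URL; replace it with your WSUS server.
$ExpectedWsus = 'http://wsusserverip:8530'   # port 8531 when WSUS uses SSL

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-TcpPort([string]$HostName, [int]$Port) {
    # TcpClient rather than Test-NetConnection so this also runs on PowerShell 3.0 hosts
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); $client.Connected }
    catch { $false }
    finally { $client.Close() }
}

$uri = [Uri]$ExpectedWsus
$checks = @(
    # "Specify intranet Microsoft update service location" (both URLs)
    @{ Name = 'WUServer';        Expected = $ExpectedWsus;  Actual = Get-PolicyValue $wu 'WUServer' }
    @{ Name = 'WUStatusServer';  Expected = $ExpectedWsus;  Actual = Get-PolicyValue $wu 'WUStatusServer' }
    @{ Name = 'UseWUServer';     Expected = 1;              Actual = Get-PolicyValue $au 'UseWUServer' }
    # "Configure Automatic Updates": 3 = "Auto download and notify for install"
    @{ Name = 'AUOptions';       Expected = 3;              Actual = Get-PolicyValue $au 'AUOptions' }
    # "Turn on Script Execution": "Allow all scripts" is stored as Unrestricted,
    # the broadest of the three options this policy offers
    @{ Name = 'EnableScripts';   Expected = 1;              Actual = Get-PolicyValue $ps 'EnableScripts' }
    @{ Name = 'ExecutionPolicy'; Expected = 'Unrestricted'; Actual = Get-PolicyValue $ps 'ExecutionPolicy' }
    @{ Name = 'PowerShell 3.0+'; Expected = $true;          Actual = ($PSVersionTable.PSVersion.Major -ge 3) }
    @{ Name = "TCP $($uri.Port) reachable"; Expected = $true; Actual = Test-TcpPort $uri.Host $uri.Port }
)

$checks | ForEach-Object {
    [pscustomobject]@{ Check = $_.Name; Expected = $_.Expected; Actual = $_.Actual
                       OK = ($_.Actual -eq $_.Expected) }
} | Format-Table -AutoSize
```

An empty Actual column means the policy has not been applied to the endpoint yet; `Get-ExecutionPolicy -List` shows the same script execution setting under the MachinePolicy scope.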