Adding BigFix Client into Group Policy

(imported topic written by Ashwin.D91)

Hi,

I’m planning on adding the BigFix client to the group policy for deployment. However, I have a few concerns.

  1. Is there any particular setting that I have to take note of?

  2. Will the clients be pushed down to each machine every time a user logs in? Will the client overwrite itself?

  3. If yes, is there anyway to make it aware of whether bigfix is already installed on the machine?

Thanks,

Ashwin

(imported comment written by SystemAdmin)

We have deployed BigFix via GP since v5.x. It works like a champ. Here’s what I have found:

  • It only pushes down only when it’s not already installed.
  • If the client has been updated via BigFix to a newer version it won’t push down and overwrite the newer version.
  • If we do a GP software update with a new version it will push the new version out and overwrite the older version.

In other words, it works like you’d want it to. Rather than exclusively use GP to keep BigFix up to date we only do a GP update with a new base version of BigFix (5.x, 6.x, 7.x, etc.). We then use BigFix to update itself.

(imported comment written by Ashwin.D91)

rames

We have deployed BigFix via GP since v5.x. It works like a champ. Here’s what I have found:

It only pushes down only when it’s not already installed.

If the client has been updated via BigFix to a newer version it won’t push down and overwrite the newer version.

If we do a GP software update with a new version it will push the new version out and overwrite the older version.

In other words, it works like you’d want it to. Rather than exclusively use GP to keep BigFix up to date we only do a GP update with a new base version of BigFix (5.x, 6.x, 7.x, etc.). We then use BigFix to update itself.

Thanks for the reply.

However, from a customer, I received feedback that every time a machine comes online, the software is being pushed down as they can see a bigfix window coming up. I’m assuming that even though it does come up, it is not being reinstalled. But still, I would like to know how I can make it silent.

Ashwin

(imported comment written by SystemAdmin)

Could it be the BESClientUI they’re seeing? We don’t do anything special with regards to GP deployment. We simply point it at the “BESClient.msi” file as assigned software, change the name to include the version, add the upgrade packages accept all remaining defaults.

Rames

(imported comment written by jpeppers91)

I am seeing some of the same things as Aswin D. Even though clients all ready have the client, the GPO is reinstalling the software. Is there something I’m missing?

(imported comment written by SystemAdmin)

I can also confirm that in our test environment, we see the same thing. There are also events in the event log which confirm what we are seeing. We never rolled it out to production because we lacked the time to troubleshoot the test environment.

(imported comment written by jpeppers91)

Can anyone from Bigfix elaborate on this?

(imported comment written by BenKus)

Hey guys,

I personally don’t know much about Group Policy, but here are some notes from previous experiences FWIW:

  • Many customers use GP to deploy the BigFix Agent successfully (and as far as I know, they don’t have this issue).
  • As far as I know, the behavior you mentioned with the installer re-running constantly is completely controlled by GP (I don’t think we can change anything to help).
  • You certainly don’t want GP to repeatedly run he MSI (once it is installed, there is no need to re-run the installer).
  • One customer that I worked with had used the “Hide BigFix from Add/Remove Programs” Task and this triggered Active Directory to constantly reinstall the BigFix because it was using the add/remove programs name as a check to see if the BigFix Agent was installed.

Hopefully that is somewhat helpful,

Ben

(imported comment written by Ashwin.D91)

I think that is what we are missing out as well. Is there a setting in GPO that limits the installation to run just once or only if the software is not installed?

If somebody who has successfully deployed this before using GPO where to help us, then that would be great.

Ashwin

(imported comment written by Ashwin.D91)

Hey guys,

I just found this link from Microsoft that seems to be detailing the problem.

http://support.microsoft.com/kb/828452/en-us

Unfortunately I can’t test it out. Was wondering if somebody could test this out and see if it holds true.

Ashwin

(imported comment written by SystemAdmin)

Thanks for th KB link. For us, it does not apply.

I do have to wonder if it is an issue between the .exe and .msi installers. I’m not sure which version we used on which computers.

On one system that used the setup.exe to manually install the client, we definetly see the error when the AD based .msi installer attempts to run. The event log shows the following 7 items:

1

  • The install of application BigFix Enterprise Client from policy Software-BigFixAgent failed. The error was : %%1603

2

  • The removal of the assignment of application BigFix Enterprise Client from policy Software-BigFixAgent succeeded.

3

  • Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : %%1603

Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the “More information” link.

4

  • The assignment of application BigFix Enterprise Client from policy Software-BigFixAgent failed. The error was : %%1274

5

  • The removal of the assignment of application BigFix Enterprise Client from policy Software-BigFixAgent failed. The error was : %%2

6

  • Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274

7

  • The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

(imported comment written by Miran_p91)

When user sign in does it starts installing everytime - is this still isue? How provent and how to ensure manualy that is not happening? Is there anythig that should be carefull about? What does domain administrator need’s to know if I give him a msi for GPO? Can this be deployed only to workstations and leave servers alone?

Hello All,

Is there any current update on GPO based bigfix agent installation “.msi” file.
.msi file needed to add masthead configuration in GPO implements.

Please confirm whether any one came across successfully deployed BigFix agent installation via GPO policy.
If only .msi to be added in policy then hopefully we can do this task.

Not exactly sure what you are asking, however you can use the .msi package for the BigFix agent and push out via GPO. If you use the .msi that’s created via the installation generator, then the masthead file is already embedded, so you don’t need a separate .afxm file. You can further modify the .msi to add other settings if you need, use Orca or a similar tool.

Also read this thread: https://forum.bigfix.com/t/making-a-bigfix-msi/8224?u=gwyndafdavies