Advice Needed - Getting 1,400 PCs Up To Date with Windows Patches

(imported topic written by tscott91)

We recently purchased BigFix for patching… Used WSUS prior and have 1,400 PCs that needed a TON of attention… Basically what I have done up to this point is selected around 40 fixlets at a time and applied them to all the PCs (at night, while no users were using)…

I’m now at the point where PCs are needing 5-6 updates but could be anywhere from MS02-XXX to MS10-XXX… I am also still getting the BigFix client loaded on a few PCs a week which need 10-20 updates…

What is the best practice to get all my clients to where none of them need any updates? Create numerous baselines? If so, how should I go about it? How many should I put in each baseline?

I thought I read somewhere that putting too many fixlets in a baseline could cause major performance issues and that is the last thing I want to do…

Any advice would be greatly appreciated.

Thanks,

Tom

(imported comment written by NoahSalzman)

Regarding the “too many Fixlets in a Baseline” question: You don’t really need to worry until you get to over 100 Fixlets per Baseline… and even then you have a little wiggle room.

(imported comment written by SystemAdmin)

Baselines are your best bet. I recently emailed my BigFix sales engineer about baselines and he explained this. It answered my question and possibly yours:

Typically customers use baselines for grouping patch related fixlets that are required to be part of an SOE baseline. So they might have a Windows XP SOE image that contains all patches up to December 30 2009. Any time a machine is reimaged it gets this SOE (which naturally includes the BigFix agent). Then the customer will add patches that they’ve deemed mandatory for deployment into a baseline, i.e. the baseline might be called “Microsoft Patches Q1-2010”. This baseline will be applied to all relevant machines permanently and all fixlets will be configured to take their “default action” should they become relevant again. This way, if a machine is reimaged or newly imaged, when the Client checks in it will automatically apply the baseline. You can have several baselines applied to one or more computers, in fact that is the recommendation as we recommend no more than 100 fixlets per baseline.

The reason for the 100 fixlets per baseline is this: under normal circumstances your BigFix Client will subscribe to the Patches for Windows site, download all 6000+ Windows patch fixlets and evaluate them. It will continue to evaluate them and report relevance on every full evaluation cycle, which hopefully takes no more than 15 minutes as the Clients post results every 15 minutes by default. If an operator takes an action to have the Client perform a task, the Client can be interrupted from its evaluation cycle in between fixlet evaluations; it can perform the action and report back the result to the Console Operator immediately, then continue on with the fixlet evaluation cycle. The problem with baselines is that they are treated like one big fixlet and whilst being evaluated cannot be interrupted, so rather than have one big baseline with 1000 fixlets in it, you are far better off having 10 smaller baselines with 100 fixlets in each.

(imported comment written by tscott91)

Ok… So I have, like I said, ones as old as 1/21/99 up to present… So should I just group them by 100’s until they are all in baselines? I am applying all of them and want them all installed to every PC…

Or, should I break them up in quarters? I.e.: 1/1/99 - 1/3/99 and so on… If I did it that way I would have some that only had like one or two fixlets while others may have 30 or more… Should they be broken down by OS as well? Servers shouldn’t have to process XP fixlets and vice versa…

And what about “CORRUPT” fixlets??

Thanks for helping with this!

(imported comment written by SystemAdmin)

What he means by quarters would be a proactive change not a retroactive one. So say you had your baselines update computers to be standardised totally up to today. You’d not create a new baseline till the end of the quarter and that would contain any patches that appear between now and then.

For your current situation though, you’d probably be best to just create baseline groups to get your SoE up to speed then go quarterly. It seems the most logical to me and it will be what I am implementing.

I’m also looking at splitting baselines into XP and so on as per your other question but that’s because I support desktop SoE and our Infrastructure team will be managing the Server patching.

I think the “Corrupt” fixlets are patches that are used to repair fixlets that didn’t complete successfully. But you’d have to have a BigFix person verify that.

If you can I’d say it’s worthwhile discussing with your BigFix sales engineer. My one is very helpful and I thoroughly recommend talking to them. They will have experience with other companies and how they do it.
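The grouping strategy discussed in the replies above (split the backlog by OS so servers never evaluate XP-only Fixlets, then by release quarter, and keep every Baseline at or under the 100-Fixlet rule of thumb) is easy to model before you start clicking in the console. The following is an added example, not code from the thread or from BigFix itself: it works on a constructed, hypothetical list of Fixlet records (IDs, titles, dates and OS labels are all made up) and only produces a plan of Baseline names and Fixlet IDs; creating the actual Baselines is still done in the BigFix Console.

```python
"""
Plan Baselines for a patch backlog.

Rules taken from the thread:
  * one OS family per Baseline (servers should not evaluate XP Fixlets),
  * one release quarter per Baseline (matches the "Patches Q1-2010" naming),
  * never more than 100 Fixlets per Baseline, because the Client evaluates
    a Baseline as one uninterruptible unit.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

MAX_PER_BASELINE = 100  # the sales engineer's "no more than 100 fixlets per baseline"


@dataclass(frozen=True)
class Fixlet:
    fixlet_id: int      # hypothetical Fixlet ID (constructed sample data)
    title: str
    released: date      # patch release date, used for the quarter split
    os_family: str      # e.g. "XP" or "Server2003" (constructed labels)


@dataclass
class Baseline:
    name: str
    fixlet_ids: List[int]


def quarter_of(d: date) -> int:
    """Calendar quarter (1-4) of a date."""
    return (d.month - 1) // 3 + 1


def quarter_label(d: date) -> str:
    """Label such as 'Q1-2010' for a release date."""
    return f"Q{quarter_of(d)}-{d.year}"


def plan_baselines(fixlets: List[Fixlet],
                   max_per_baseline: int = MAX_PER_BASELINE) -> List[Baseline]:
    """Return Baselines grouped by (OS, quarter), each capped at max_per_baseline."""
    buckets: Dict[Tuple[str, int, int], List[Fixlet]] = defaultdict(list)
    for f in fixlets:
        buckets[(f.os_family, f.released.year, quarter_of(f.released))].append(f)

    baselines: List[Baseline] = []
    for key in sorted(buckets):            # deterministic order: OS, year, quarter
        group = sorted(buckets[key], key=lambda f: (f.released, f.fixlet_id))
        # An oversized quarter is split into consecutive parts of <= max_per_baseline.
        parts = [group[i:i + max_per_baseline]
                 for i in range(0, len(group), max_per_baseline)]
        for idx, part in enumerate(parts, start=1):
            suffix = f" part {idx}" if len(parts) > 1 else ""
            name = f"{key[0]} Patches {quarter_label(part[0].released)}{suffix}"
            baselines.append(Baseline(name, [f.fixlet_id for f in part]))
    return baselines


def build_sample_backlog() -> List[Fixlet]:
    """Constructed backlog: 130 XP Fixlets in Q1-2010 (forces a split),
    5 XP Fixlets in Q4-2009 and 20 server Fixlets in Q1-2010."""
    backlog: List[Fixlet] = []
    next_id = 1000
    for i in range(130):
        backlog.append(Fixlet(next_id, f"XP patch {i}",
                              date(2010, 1 + i % 3, 1 + i % 28), "XP"))
        next_id += 1
    for i in range(5):
        backlog.append(Fixlet(next_id, f"XP patch late 2009 #{i}",
                              date(2009, 10 + i % 3, 1 + i), "XP"))
        next_id += 1
    for i in range(20):
        backlog.append(Fixlet(next_id, f"Server patch {i}",
                              date(2010, 2, 1 + i % 28), "Server2003"))
        next_id += 1
    return backlog


if __name__ == "__main__":
    for b in plan_baselines(build_sample_backlog()):
        print(f"{b.name}: {len(b.fixlet_ids)} Fixlets")
```

Running it against the constructed backlog yields four Baselines: one for the servers, one for the five late-2009 XP Fixlets, and the 130 Q1-2010 XP Fixlets split into a 100-Fixlet part and a 30-Fixlet part. Small quarters simply become small Baselines, which is exactly the trade-off tscott91 describes; only the upper bound matters for Client evaluation time.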

(imported comment written by BenKus)

If I were you, I would start with the big updates like the service packs, major upgrades, and cumulative updates. Then take some of the leftover older Fixlets and just select a bunch and do a “Take default action” and apply them all at once (similar to a big baseline, this can have a performance hit on the agents, but if you expire it within a couple days, the performance hit will be short-lived and you probably won’t notice it).

After you get to a reasonably recent time (maybe 2009?) then you can start with the baseline strategy.

Ben

(imported comment written by Macideus91)

This sounds all too familiar. I had exactly the same issue back when we started with BigFix. Starting with SPs helps a lot. I also set the machines to get these from the web instead of the server. Having over 1000 machines downloading SP1 and SP2 and or SP3 at once would be a bear for my T1. Just focus on the most critical and or largest files first. It will not happen overnight…but will over a few nights. Typically in our branches not much happens over the weekend and after 7pm at night so “bombing” is what I did in the beginning. Every night have 2-3 patches applied and the weekend hit ’em again with several.

-Mike