Automatic Patch Deployment

(imported topic written by bzarine91)

Does BigFix support deployment of MS patches automatically in which clients are scheduled to download approved patches automatically and apply them? There would be a pool of approved patches which clients can go to and check.

(imported comment written by BenKus)

Hi bzarine,

Effectively yes, but it doesn’t exactly work the way you mentioned… Basically you can click on each Fixlet and deploy them to all computers (or groups of computers) with the options of advanced scheduling/messages/restarts/etc (this is effectively the “approve” step). If you find yourself always choosing the same options when you deploy Fixlets, you can use the “Action Preset” options so you can basically click the Fixlet action, click on the preset, and then everything can be deployed.

Alternately, you can put your Fixlets into baselines and then deploy the baselines to computers.


(imported comment written by bzarine91)

That will not work for us. We have about 800 Servers in 5 different time zones with 16 different maintenance windows. The task of scheduling all these hosts every month for new patches is extremely time consuming. The idea was to put a setting in each Server maintenance group to download all the approved patches at the same date and time every month and then reboot themselves.

(imported comment written by jessewk)

What we typically do in that situation is define a maintenance window property for the servers. The property locks the computer from taking actions except when it’s in the maintenance window, at which time it will take any relevant actions. So all you need to do is take one action on a baseline or set of patch fixlets and then the servers will automatically take care of everything themselves when they get into their maintenance window.

Setting up maintenance windows is usually completely different between organizations so it would be best to consult your sales engineer or professional services for assistance. I’ve put together some horribly complicated schemes and also some very simple ones. For some idea how this might work, see these posts:



(imported comment written by bzarine91)

I am trying to use MaintenanceWindows.bes, tasks, but having no lock. The client still receives fixlets outside of maintenance window and it also indicates maintenance window “False” at all times. Am I to use the task from: also? If so the registry entries don’t match with MaintenanceWindows.bes, tasks.

(imported comment written by BenKus)