Automatic patch deployment on newly built servers

We need to set up automatic patch deployment for newly built servers. The requirement is that the engineering team builds the servers and they want us to fully patch them before they pass the Qualys compliance state and move to production.

We were able to achieve this in SCCM earlier, but we moved to IEM, so we need to set up a new approach to apply patches automatically without manual effort.

Any help is much appreciated, thanks all!!


In my environment the BigFix agent is auto-installed via an automatic server deployment tool. To auto-patch these servers I have added an extra property in the config file which is used during agent installation. I use the property “NeedPatch=1”.

I create a baseline with a fixlet at the end that deletes the NeedPatch property. You can add more relevance in the baseline to specify the relevant nodes. I deploy the baseline as a policy with dynamic targeting pointing towards servers that have “NeedPatch=1”. You can also use the first report time property.

Servers deployed with the BigFix agent will then automatically get patched and then lose the NeedPatch property. The manual work here will be updating the baseline and redeploying the policy.
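The three pieces of the approach above, written out as an added example (this is not the poster's own configuration). The setting name NeedPatch comes from the post; the Windows installer, the clientsettings.cfg file, the restriction to Windows and the exact action wording are assumptions. Lines starting with `#` are annotations, not part of the files:

```text
# 1. Client setting stamped at install time.
#    Assumption: Windows BES Client installer, with a clientsettings.cfg placed in
#    the same folder as setup.exe; one Name=Value per line.
NeedPatch=1

# 2. Relevance for the baseline (and for the dynamically targeted policy action).
#    "exists ... whose" is used instead of  value of setting "NeedPatch" of client = "1"
#    so the expression is simply False, rather than an error, on servers that never
#    had the setting. The Windows clause is an example of the extra relevance the
#    post mentions for narrowing the target set.
exists setting "NeedPatch" whose (value of it = "1") of client AND windows of operating system

# 3. ActionScript of the custom Fixlet placed last in the baseline.
#    Give the Fixlet the same relevance as in (2) so it is relevant only while the
#    flag is present. Deleting the setting drops the server out of the dynamic
#    target set, so the policy action stops applying to it.
setting delete "NeedPatch" on "{parameter "action issue date" of action}" for client
```

Because the delete Fixlet runs last, a server keeps the flag, and therefore stays in scope for the policy, until every earlier component of the baseline has finished; a server that fails midway will still show NeedPatch=1 and can be found with the same relevance.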

Hi mfuglem

I have a query. For example, I have Windows 2008, 2008 R2, 2012 and Win 7, 8, 10, meaning it requires all flavours of OS patches, a minimum of 300 patches (all by release date), so we have to create multiple baselines for each OS, right?
Or please give your suggestion to avoid creating more baselines.

It’s my fault that I didn’t give you sufficient details.
I have a similar approach… I used the property Environment=Staging and then created an auto group called “Staging_Servers” to collect the servers matching this property.
I created a baseline which contains patches from Jan 17 till Sept 17, and the same is targeted against the “Staging_Servers” auto group.
Servers are taking patches whenever the property matches but are not taking any new patches if I add them to the same baseline. In this case do I need to create a separate baseline & deploy, or is there any way to modify the existing baseline settings? Please help me deal with this situation. Thanks for your support!

When you modify the baseline, you should stop the open action and create a new action using the new baseline content.

When you take an Action, the content of the baseline is copied into the action. Updating the baseline does not update the action.

Likewise when you add a Fixlet to a baseline, the baseline contains a copy of the fixlet. Updating the original source fixlet does not update the baseline; so when a fixlet is updated, superseded, etc. you should edit the baseline and “Sync with source” to update the baseline’s fixlet content.

Given the volume of patches that Microsoft releases, you will want to have multiple baselines.

While there does not appear to be a technical limit on how many Fixlets you can add to a baseline, there is a practical limit due to the fact that once the BES Client begins evaluating its relevance to a baseline, it doesn’t do anything else until it has finished evaluating ALL the components in the baseline. Depending on how many Fixlets you have added, this could be a LONG time. It’s better to have multiple smaller baselines that you update on a regular basis.

I try to limit the baselines to a Quarter (3 months) worth of patches. I also recommend using the “Baseline Synchronization Dashboard” to keep an eye on your baselines. As Microsoft supersedes older patches with newer ones, you should consider Synchronizing your baselines to keep them optimized.


It would also be easier and faster to make the engineering team that builds the servers use updated images when deploying servers. By doing this there won’t always be 100+ patches on each new server that comes out.