What is the best practice for achieving the following with BigFix? We have a real struggle with this:
How do we get it so a new XP or Windows 7 workstation that is joined to the domain downloads and installs any relevant updates? We could create one massive baseline with all fixlets, and submit that as an action, regardless of relevance to be sure they get patched (since we can’t always predict what will become relevant at any given time), but that seems like it would kill the BES agent. We are used to WSUS allowing us to approve an update for installation for ANYTIME it ever becomes relevant. Is there a way to replicate this with BigFix?
Sure, we could submit a new action each month, but that doesn’t always ensure new PCs get the needed updates, since the baselines created are based on what’s relevant at the time.
Create several baselines? Here are the baselines I have:
RequiredPatches-2007-2008
RequiredPatches-2009
RequiredPatches-2010-Q1
RequiredPatches-2010-Q2
RequiredPatches-2010-Q3
RequiredPatches-2010-Q4-Oct
RequiredPatches-2010-Q4-Nov
I then periodically go back and consolidate 3 months into a quarter, 4 quarters into a year, etc.
I’m not saying it’s a “best” practice, but it is what I do, and is very effective. Note that I do not have EVERY patch in these, only those that are absolutely required.
Furthermore, I separate Office patches from OS patches because there appears to be a bit of a disconnect between BigFix and Microsoft on the Office patches; some of them don’t work. It’s Microsoft’s issue, but BigFix are unwilling to update their relevance… so we separate them so they don’t affect our OS baseline.