BigFix Patching Wizard

Hey Guys - Aloha!

I was creating a baseline using BigFix Windows Patching wizard and was struggling yet again while trying to select all the critical and security patches for both Windows 7 OS and Microsoft Applications.

One of the major problems with the new environment that I am working with is that the whole Production environment has not been patched for the last year, and some of the deployed machines also have relevant patches going back to 2013.

So I decided to create one big baseline with all the patches in it and deploy it, keeping it active for a month. The problem with this is that the BigFix Patching wizard becomes a fuss while creating a baseline, especially when trying to select only patches for Win7 machines, as the filter excluded Office-related application patches.

Also, one thing that I noticed is that there isn’t any way to select patches for both 2015 and 2016 in one go using the patching wizard.

Is there any way to create a streamlined baseline which would make the chaos a little easier to handle?

If not, then what would be the best approach to create a baseline with all the critical and important security patches from MS?

Thanks

Hi Diwanker,

It might not be a good idea to create a baseline that contains too many Fixlets.

If you are looking to patch Win7 SP1 OS, maybe you can take a look at this KB: https://support.microsoft.com/en-us/kb/3125574 (Note that it has a prerequisite, KB3020369.) After deploying this KB, there should be much less relevant content to be applied, and it should fit in a baseline.

I would break it into smaller baselines (from what I’ve read, under 100 total fixlets preferred, and you can stretch it out to about 250 or so …). Rather than use the wizard, I’d suggest creating your own baselines. Maybe make one for each quarter of a year until the # of relevant baselines becomes too large to support that approach, and then make it on a month-to-month basis to keep it under control (which you can revert back to the wizard for). Under all relevant fixlets, go to Microsoft as the source and add everything in that date range for both critical and important updates.

I make one for each month, and I made one for each month going back to as early as patches were needed, which was a little overkill, but it kept it manageable.
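The quarterly-then-monthly split suggested in the replies can be planned offline before any baseline is built. The sketch below is an added example, not part of any post in this thread and not BigFix code; the fixlet IDs, dates and severities are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

PREFERRED_MAX = 100   # "under 100 total fixlets preferred" (from the thread)
HARD_MAX = 250        # "stretch it out to about 250 or so" (from the thread)
WANTED = {"Critical", "Important"}

def plan_baselines(fixlets, preferred=PREFERRED_MAX):
    """Group (id, release_date, severity) tuples into one baseline per quarter,
    splitting any quarter larger than `preferred` into per-month baselines."""
    quarters = defaultdict(list)
    for fid, released, severity in fixlets:
        if severity in WANTED:  # only critical and important updates
            quarter = (released.month - 1) // 3 + 1
            quarters[(released.year, quarter)].append((fid, released))
    plan = {}
    for (year, quarter), items in sorted(quarters.items()):
        if len(items) <= preferred:
            plan[f"{year}-Q{quarter}"] = sorted(fid for fid, _ in items)
            continue
        months = defaultdict(list)
        for fid, released in items:
            months[released.month].append(fid)
        for month, ids in sorted(months.items()):
            plan[f"{year}-{month:02d}"] = sorted(ids)
    return plan

def oversized(plan, hard=HARD_MAX):
    """Baselines still above the upper bound even after the monthly split."""
    return [name for name, ids in plan.items() if len(ids) > hard]

def sample_fixlets():
    """Constructed inventory: (year, month, count, severity) expanded to tuples."""
    spec = [(2013, 11, 40, "Critical"), (2014, 2, 30, "Important"),
            (2014, 3, 5, "Moderate"), (2015, 7, 70, "Critical"),
            (2015, 8, 60, "Important"), (2016, 1, 260, "Critical")]
    out, next_id = [], 1
    for year, month, count, severity in spec:
        for i in range(count):
            out.append((next_id, date(year, month, 1 + i % 28), severity))
            next_id += 1
    return out

if __name__ == "__main__":
    plan = plan_baselines(sample_fixlets())
    for name, ids in plan.items():
        print(f"{name}: {len(ids)} fixlets")
    print("needs further splitting:", oversized(plan))
```

A month that still exceeds the upper bound, as the constructed 2016-01 bucket does, is a candidate for a further split or for a rollup such as the KB mentioned earlier in the thread.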