BigFix Relay issues with subscription to "Patches for Windows"

Hi Team.

I have a problem with Patches for Windows - Patch Management.
In order to get to the question I need to explain the architecture.

1 BigFix Server (abroad) --> 1 Top Level Relay (in Central office) --> 250 Local Relays (in small offices) --> 2-3 machines connected to local relays in office.

We are planning to use the Patches for Windows site to perform a Win build upgrade.
This upgrade is around 5 gigs…
Of course we don’t want to download 5 gigs 200+ times over the cross-country channel, so we want to use the TOP level relay to download the 5 gigs one time and then distribute this patch over the local network.

The issue:
Machines that are connected through the Top Level Relay ARE NOT applicable to install the Win build update.
Machines that are connected directly to the Main BigFix Server ARE applicable to install the Win build update.

I have checked each relevance for the Win build update and we should have 200+ relevant machines.

Where do I need to look to find what causes machines to be not applicable if they are connected via the TOP Level Relay?

PS: just while writing this message I assumed that the cause of the issue could be that the cache size of the TOP level relay is less than 5 gig. I’m going to check it now.

Best regards,
Anton

Which Fixlet ID are you trying to use? I want to check its relevance.
The Relay cache size should have no effect on whether a client is relevant, but it’s possible the client’s cache size or free space is considered.

ID is 1111737.

I have double/triple checked that my machine satisfies all 8 relevancies.
The only difference between relevant and not relevant machines is Relay settings.

Relevant - Main BigFix Server
Not relevant - Top Level Relay

In addition to this.
As soon as I created a custom copy from “Patches for Windows” site to “Master action Site” - this new custom copy fixlet for the Win10 update became relevant to all required machines.

(yes, all machines are also subscribed to the “Patches for Windows” site :grin:)

best regards,
Anton

I’d send a ‘Force Refresh’ to a few of the clients that showed relevant to the custom copy but not to the original.

I’d also check the client logs for problems gathering the site “Enterprise Security” (the internal name for “Patches for Windows”). One possibility would be a third-party antivirus or EDR blocking some files from the site (there is some JavaScript on the content, for example). If the AV blocks access or deletes a file so the content no longer matches our expected signatures, the client won’t process it.