Check devices for status of Windows Updates

Hi, so I want a simplified method of checking to see if a KB or a group of KBs is installed. I don’t need the date installed or any other contemporaneous data. Unfortunately every explanation in the KBs in Microsoft WU is not of much help. What I want is a simple method to check if KB Y is installed and KB Z is installed.

Here are the examples of relevance:

(exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4284867 was successfully changed to the Installed state") of event log "Setup") or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4338823 was successfully changed to the Installed state") of event log "Setup") or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4343899 was successfully changed to the Installed state") of event log "Setup")

Another method I am trying:

exists (string values of properties "HotFixID" of it) whose(it starts with "KB4284867") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis and exists (string values of properties "HotFixID" of it) whose(it starts with "KB4338823") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis and exists (string values of properties "HotFixID" of it) whose(it starts with "KB4343899") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis

Help please

The first thing to do is to get all of the installed HotFixIDs:

unique values of (it as trimmed string) of string values of selects "HotFixID from Win32_QuickFixEngineering" of wmis

You could use this directly in an analysis property, in which you can then look for specifics using Session Relevance. If you anticipate using this kind of relevance a lot for reporting many different KBs, then it is going to be better to just report ALL installed KBs to BigFix and then look for specific ones using Session Relevance.


You could make it more specific to only return TRUE if all of the 3 you are looking for are installed:

This is TRUE if all 3 are there:

3 = number of unique values whose( it is contained by set of ("KB4284867";"KB4338823";"KB4343899") ) of (it as trimmed string) of string values of selects "HotFixID from Win32_QuickFixEngineering" of wmis

This is TRUE if ANY of the 3 are there:

exists unique values whose( it is contained by set of ("KB4284867";"KB4338823";"KB4343899") ) of (it as trimmed string) of string values of selects "HotFixID from Win32_QuickFixEngineering" of wmis

This method is very inefficient as it makes the WMI call 3 times in a row. WMI calls are slow, so it is best to make the call only once.


In this particular case, these are both equivalent, but one is faster than the other:

Q: number of string values of selects "HotFixID from Win32_QuickFixEngineering" of wmis
A: 151
T: 2101.365 ms

Q: number of string values of properties "HotFixID" of select objects "HotFixID from Win32_QuickFixEngineering" of wmis
A: 151
T: 2414.017 ms

There is a bunch of related info in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing but I’m not sure how to get the equivalent of the WMI call from there.

This is related: https://blogs.technet.microsoft.com/tip_of_the_day/2015/10/12/tip-of-the-day-cbs-servicing-states-chart-refresher/


It seems like anything with the current state of 32, 80, 112, 128 is either effectively installed or superseded according to the chart linked above.

(multiplicity of it, it) of unique values of (it as string) of values "CurrentState" of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of (x64 registries; x32 registries)

This is what I came up with to try to get installed KBs from the registry:

("KB" & it) of unique values of (preceding text of first "~" of it | it) of (preceding text of first "_" of it | it) of following texts of firsts "_for_KB" of names of keys whose( exists (it as integer) whose(it is contained by set of (32; 80; 112; 128) ) of values "CurrentState" of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of (x64 registries; x32 registries)

The number of items returned is slightly more than what is returned by WMI.


This relevance gives the difference of the WMI results vs. the registry results (removing all KBs that appear in both):

(elements of item 0 of it; elements of item 1 of it) of (item 0 of it - item 1 of it, item 1 of it - item 0 of it) of (it, set of string values of properties "HotFixID" of select objects "HotFixID from Win32_QuickFixEngineering" of wmis) of sets of ("KB" & it) of unique values of (preceding text of first "~" of it | it) of (preceding text of first "_" of it | it) of following texts of firsts "_for_KB" of names of keys whose( exists (it as integer) whose(it is contained by set of (32; 80; 112; 128) ) of values "CurrentState" of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of (x64 registries; x32 registries)

NOTE: this particular relevance is slow; it is just here to investigate the differences between the KBs reported by WMI vs. those reported by the registry and is not intended for use in an actual BigFix property, though it is a good use case for WebUI Query.


Hi Jgstew, tremendous information; it answers a concern I had that I had redundancy. I am really new to BigFix and I apologize for the lack of knowledge.

Thank you for this information. I have put these in place now in a test analysis. I have another question and I am trying to think this through, but I don't know enough about BigFix. Does BigFix have a custom report that can be generated that would provide the total numbers of all devices and quantify devices by the KB needed as a report? I see the BigFix Labs has a Windows Patch Management, but it allocates a point system and doesn’t break down the KBs by total devices needed per KB, except in their interface sheet.
I would like to know if there is a better method by which I can generate a report that provides totals needed by KB that I can print out or export to a PDF or Excel format.

If not, I can build one from the information you provided, but I am aware there are security roll-ups that will update the device to a specific KB prior to the rollup. But it won't populate that the other KBs are installed.

Example: KB 1, 2 and 3 are security updates for Jan, Feb, March, but the Sept roll-up installs all three, and it doesn’t make it aware that those KBs are now also taken care of.

My idea:
Create an analysis and add the three KBs and the security rollup as an or statement. So if it doesn't find KB 1, 2, and 3, but it found the rollup, I would still get a true statement.

Example: Jan, Feb, March are the three KBs in the first line:

The second statement, after the or, is the security rollup from Oct:

3 = number of unique values whose( it is contained by set of ("KB4284867";"KB4338823";"KB4343899") ) of (it as trimmed string) of string values of selects "HotFixID from Win32_QuickFixEngineering" of wmis or exists (string values of properties "HotFixID" of it) whose(it starts with "KB4462923") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis

Would this perform the desired objective?
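The registry parsing from the earlier reply (text after "_for_KB", cut at the first "_" and then the first "~", filtered by CurrentState 32/80/112/128), the WMI-vs-registry set difference, and the "all three KBs or the rollup" check from the post above, as an added Python example; it is not relevance from the thread and its package names, states and HotFixIDs are constructed sample data, not read from a machine.

```python
# Installed-state codes the thread takes from the CBS servicing-states chart.
INSTALLED_STATES = {32, 80, 112, 128}

def kb_from_package_name(name):
    """Mirror the relevance: text after '_for_KB', cut at the first '_' then the first '~'."""
    if "_for_KB" not in name:
        return None
    tail = name.split("_for_KB", 1)[1]
    tail = tail.split("_", 1)[0]
    tail = tail.split("~", 1)[0]
    return "KB" + tail

def cbs_installed_kbs(packages):
    """packages: (subkey name, CurrentState) pairs as read under CBS\\Packages.
    Returns the set of KB ids whose package state counts as installed/superseded."""
    found = set()
    for name, state in packages:
        if state in INSTALLED_STATES:
            kb = kb_from_package_name(name)
            if kb:
                found.add(kb)
    return found

def compare_sources(cbs_kbs, wmi_hotfix_ids):
    """Registry-only and WMI-only KBs, like the set-difference relevance in the thread."""
    wmi = {h.strip() for h in wmi_hotfix_ids}   # trimmed, like 'it as trimmed string'
    return sorted(cbs_kbs - wmi), sorted(wmi - cbs_kbs)

def kbs_satisfied(installed, required, rollups=()):
    """True when every required KB is present, or any listed rollup that bundles them is."""
    return set(required) <= installed or any(r in installed for r in rollups)

# Constructed sample data (hypothetical; not taken from a real machine).
SAMPLE_CBS = [
    ("Package_for_KB4284867~31bf3856ad364e35~amd64~~6.3.1.2", 112),
    ("Package_1_for_KB4284867~31bf3856ad364e35~amd64~~6.3.1.2", 112),  # second package, same KB
    ("Package_for_KB4338823~31bf3856ad364e35~amd64~~6.3.1.0", 80),
    ("Package_for_KB4343899~31bf3856ad364e35~amd64~~6.3.1.0", 16),    # state outside the installed set
    ("Package_for_KB4462923~31bf3856ad364e35~amd64~~6.3.1.0", 128),
    ("Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.3.9600.16384", 112),
]
SAMPLE_WMI = ["KB4284867 ", "KB4338823", "KB4343899"]   # HotFixID strings, one with a trailing space

if __name__ == "__main__":
    installed = cbs_installed_kbs(SAMPLE_CBS)
    print("registry:", sorted(installed))
    print("registry-only / wmi-only:", compare_sources(installed, SAMPLE_WMI))
    print("all three or rollup:", kbs_satisfied(installed, {"KB4284867", "KB4338823", "KB4343899"}, ("KB4462923",)))
```

On a real client the two inputs would come from the CBS\Packages subkeys and Win32_QuickFixEngineering; the thread's point that the two sources do not agree exactly is what compare_sources makes visible.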

There are many different approaches to auditing these things with BigFix and BigFix Patch.

The relevance statements above have focused on the client machine reporting which KBs it has patches installed for already, but you can also use BigFix Patch to see which patches are relevant on which machines (which means BigFix detects that those patches are needed) and use that info to determine the number of machines per KB, though it is generally easier to break it down per patch rather than per KB.

The main issue is that multiple patches can resolve the same KB because 1 patch may contain all previous patches or some previous patches, so getting an accurate count by just counting the KBs per patch isn’t exactly right since that will double count some computers.

This should give you the number of BigFix Patches for Windows with (at least one) applicable computers:

number of fixlets whose(0 != applicable computer count of it) of bes sites whose("Enterprise Security" = name of it)

This goes further and is closer to what you are asking:

(source ids of it, applicable computer count of it) whose(item 0 of it contains "KB") of fixlets whose(0 != applicable computer count of it) of bes sites whose("Enterprise Security" = name of it)

Hi and thanks again for the reply. Where would I add this? Would this be an analysis or a relevance for an automatic group that would populate it with devices that need an update?

I have seen BigFix Patch Management and can use it to quantify the needed baselines and patch as indicated.
Do you know where I can view best practices or better information for the full use of patch management?

These examples are session relevance that can be used in Web Reports, or the Presentation Debugger, or in a Console Dashboard, or REST API, or similar.

This goes through how to use the Presentation Debugger in the console: jgstew.github.io/_posts/2018-10-29-Open-BigFix-Console-Presentation-Debugger.md at master · jgstew/jgstew.github.io · GitHub

Generally you would build a baseline for patches by OS, so one might be for Windows, another for Mac, another for RHEL, etc… Many orgs only deploy the important or critical security patches.

You might want to look at AutoPatch in the WebUI.

That is a bit complicated. Ideally there would be some better write ups around this, but part of it is patching in general, while another part is patching with BigFix, and those are both related, but not identical.