Considering Bigfix - feedback wanted

(imported topic written by ReedMikel91)

Hi All,

I am an independent consultant with about 20 clients, each having anywhere from 5 to 40 Windows workstations - and most with a single Windows 200x server. I am trying to simplify remote management of these client sites using some sort of MSP tool like Bigfix. Last month I purchased Kaseya, but it has been far from impressive. They just released their new 2008 version and it has more bugs than features at this time. Tech support is overwhelmed and can take days to respond. I can still bail out and get my deposit back. I suspect most of their customers that have thousands (or tens of thousands) invested have to stick it out, no matter how poorly Kaseya performs/supports… I think that’s called a “captive audience” :)

Luckily, I have time to find an alternative/better product. So I did some searching and came across Bigfix. I just downloaded the demo, so will try it out. But I thought I’d seek some feedback of Bigfix users? Anyone come from the Kaseya camp?

One of my primary interests is simplifying patch management, something like the way WSUS lets you preapprove a category of patches (say Critical and Security). Does Bigfix streamline patch management along these lines?

I also want integrated antivirus/antispyware that I can offer to my clients. Hopefully a product that integrates so smoothly and requires little or no response from users when a threat is detected - as users just do not know what to do :) Deployment and disinfection should be solid…

How about managing desktop policies? I’d love to be able to deploy Active Directory policies either globally or on a client by client basis (or even finer granularity). One example of a global policy might be to disable file downloads in Internet Explorer, as almost all my clients do not want their users downloading anything over the Internet. MS has such an AD policy - so can I make it a global policy that gets pushed out to all AD client sites? Would be even sweeter if I could allow download of just certain file types (by extension).

Thanks in advance for your time!


(imported comment written by ReedMikel91)

No feedback - how odd… This looked like an active forum

(imported comment written by BenKus)

Hi Mike,

I work at BigFix so I am not sure if I am best to answer your questions about how to rate us, but here are some thoughts based on your notes:

  • BigFix works very well in an MSP environment like you mentioned due to the general architecture being very friendly to mobile computers and almost all network environments. Also, the general flexibility with BigFix is very useful to accomplish lots of interesting tasks.
  • In BigFix, you send patches or groups of patches (we call baselines) to computers… You can set these as policies so new computers that come online will automatically take the patches.
  • BigFix provides AntiVirus and AntiSpyware fully integrated (the engines are from eTrust) and managed completely through BigFix. There should be no end-user input required.
  • BigFix helps manage many security policies for Windows (both for visibility and for changing the policies) and you can see many of these on the “Security Policy Manager” site.


(imported comment written by ReedMikel91)

Thanks for the info Ben. A couple questions if I can?

  1. Can BigFix push AD settings too?

  2. Is there a trouble ticketing system that clients can use to request support?

  3. Is eTrust a product of CA?

(imported comment written by ReedMikel91)

Also, is the “BigFix console” web-based - which would mean one or more tech support staff could be managing machines simultaneously - and from different locations (via the Internet)?

(imported comment written by SystemAdmin)

I support BigFix at an Enterprise level for the Corporation where I work. Not very similar to your situation, but I will share with you my impressions.

We have about 65,000 active agents in our environment and all are connected to our network. The only previous experience I have is with Tivoli and it's a great improvement over that product.

We use it to deploy all Microsoft Security patches, via the BigFix provided content, deploy\update custom software, information gathering, and policy application. The policies we enforce via BigFix are mostly registry settings to support AD policy settings on machines on our network that are not part of AD as well as support machines that don’t seem to apply the AD domain policy correctly. BigFix allows us to create specific operators for specific machines, by Type, Application or location. It also allows us to control bandwidth usage between our main Data Center and remote sites, via local Relays. The relays can run on machines already located at each site and this kept our deployment costs down. It has many deployment options, such as start date\time, user presence, messages before\during\after, post action reboots if necessary.

I am on version 6.x, which is not the most current version (7.x), and there is no web interface for management. Your operators would need connectivity to your main server. We don’t use it here but I know you can set up connectivity via the internet for your clients to communicate with your main server usually via a Relay in the DMZ.

We do not use the built-in BigFix content for anti-virus\spyware, we have another enterprise product. We do use it however for auditing client settings and client configuration of that product. We do have plans to deploy the anti-virus updates via BigFix in the future.

I feel that the greatest strength BigFix has is its flexibility and customization. We have not run into many things that it cannot support in some form.

(imported comment written by hanswee)


Thanks for the info Ben. A couple questions if I can?

  1. Can BigFix push AD settings too?
  2. Is there a trouble ticketing system that clients can use to request support?
  3. Is eTrust a product of CA?

I am a software engineer at BigFix.

Not sure about #1. I’m definitely sure #2 is a no.

For #3, eTrust is a CA product for antivirus. Our spyware solution is also through CA using their PestPatrol product (I believe it is called CA AntiSpyware now) but it was formerly a product made by a company called PestPatrol that was acquired by CA.

(imported comment written by SystemAdmin)

I also support Big Fix at the enterprise level - approx. 4000 agents (a mix of XP/2000/2003/Vista). You do need to understand the logic behind how Big Fix gets “things” done - but from there almost anything is possible. One thing BF is not (in its current form) is a Help Desk Ticket system - or network monitoring system. However - it is a great tool to use in conjunction with a HD or monitoring system - because you can data mine on a workstation/server in seconds to find out all the details of a workstation or application that is being called in with an issue (real-time stats - and no waiting for lengthy scans to complete).

We utilize the AntiPest and DLP solutions from Big Fix and also manage our McAfee 8.5 installs through Big Fix (because EPO can barely handle the responsibility). The AP has cut down workstation support calls immensely - by keeping our PCs clean. We hope to add the full AV and firewall client for next year. And DLP (Data Leak Prevention) is allowing us to keep people from using USB devices and taking data away from the network.

All our updates are done utilizing baselines (similar to policies). Our users never know that we are keeping them up to date on patches and providing them with a safer computing experience.

In the past - when a critical exploit was found and when a patch was available - we would send out a fleet of support staff to update computers. Now - as soon as the patch is available with only a few mouse clicks - I can have our entire organization patched and secure in approx 5 minutes. Provided the computer is on (if not they will get the updates the next time they connect to the network). For our mobile users - we have a Big Fix Relay on the DMZ - and it doesn’t matter where in the world our laptops go - as soon as it hits the Internet - the agent checks in and receives any updates that we have made relevant for it.

As far as a web console - don’t do it! The Big Fix console is so powerful and robust - a web front end would kill it. I disliked Patchlink because of how clumsy the web controls were. Big Fix does have a very nice web reporter (in addition to the full console) that I give to all my support people - so that they can report on systems. The console is very powerful - so you want to be very conscious of who you give access to. One malicious push and you could wipe out every workstation.

And lastly - BF support is top notch. Great engineers and a great gang to work with. Hope this helps.


(imported comment written by ReedMikel91)

Thanks for the feedback! I really do want a Help Desk ticketing system, and web-based console - as I want other support techs (that might reside anywhere) to be able to assist me… I will keep BF in mind, but Kaseya has turned things around this week and finally gotten caught up on all the support issues after their new 2008 release a few weeks ago.

(imported comment written by jr6591)

I’ve been using BES for a number of years. Started in version 3x. We are currently running v7. I’ve dealt with numerous products over the last 10 years. Altiris, patchLink, LanDesk, ZenWorks, etc. From a package deployment methodology, I would have to say I thought ZenWorks was by far the most robust. Cream of the crop.

Over the course of time, I have expanded our uses of BES and would have to say without a doubt, that I would highly recommend this to any environment at any level.

Its architecture and evolution seem to be going in the right direction and seeing its growth over the past 6 years has been remarkable. I deploy in record time, report patch deployments at very high percentages and manage SW distribution effectively and efficiently.

Of course web consoles are beneficial, but they have their drawbacks in terms of what you can do within them. The console allows me to manage my environment for things outside BES and support clients quickly.

Extremely highly recommended.

(imported comment written by ReedMikel91)

Thanks for the feedback. Unfortunately the salesperson never followed up - he was supposed to arrange an online demo with an engineer. His last message was that he could not find an available engineer, and would get back to me. Haven’t heard from him in over a week - so I’m giving up on BF for now. I am surprised companies don’t realize what a negative impact lack of follow-up has on sales…

But if Kaseya should not pan out for me, I’ll come back and hope for a more attentive salesperson…

(imported comment written by BenKus)

Hey ReedMikel,

Sorry our salesperson didn’t follow up with you… It is certainly strange since they work on commission… Can you please email me directly the salesperson’s name so I can go kick them? :)

And thanks to everyone for their detailed recommendations of BigFix. I sent this thread around internally to our engineers and they were very happy to see the direct feedback from all you guys.


(imported comment written by rharmer91)

I don’t know if you need any more information… the guys who responded certainly hit the nail on the head. We’ve been using BigFix for 2 years now and it’s going very well. We have around 14,500 clients in a medical environment.

  1. It scales nicely on a WAN

  2. It works well

We tested just about everything when we did our initial evaluation and for what we wanted it for, it works like a champ. Microsoft Patching, some application deploying, Security compliance checking, application version reporting, registry value pushing, anything you want to dig out of your machines (if a file exists, versions of anything, running applications, if a registry entry is set or not set, how much disk space is left, which machines are missing a patch)… it goes on and on.

Downsides: The web interface could be easier to use and possibly faster, the console could be faster to load/quit.


(imported comment written by Macideus91)


Big Fix is what you need. Its only limits are your imagination and skill. If you need remote access for more than one tech, use RDC out of Windows to your server. I use it from home to monitor and apply things I wouldn’t have time for at work. Big Fix gets things done. That is the bottom line. As far as a trouble ticket, I know of problems many times before the end user knows. It’s all about what you decide to do with that problem, and if it’s a widespread issue or a single machine. The only drawback to using RDC to connect, they can’t get the graphic real time mapper for progress (which is way cool for knuckle draggers like me). I don’t pretend to have near the technical skills as some of the other guys who post on here, but so far with some patience, I have been able to do everything needed and a few things I didn’t dream of before Big Fix. I currently manage about 1000 clients in 11 states and growing by a couple hundred each year. I know Big Fix will grow with me, and it is more than just an app you will lose interest in, it is your best friend, your hard worker, and your all in one IT Army! Last year when I didn’t have Big Fix we had a flood of calls for PC related issues on software problems. I feel comfortable stating that my call volume dropped at least 2/3 since we implemented Big Fix. I have even discovered a way to post messages to all or one machine for the end user to call me when they have time to deal with a problem Big Fix found or even messages of announcements for the whole company! Bottom line is you can look all you want and do the research, or you can get on board now and save time, money and a bottle of aspirin.

-Mike Morse

Tax Tech Inc

Harrisburg IL

618-252-6505 ext 207 if you wanna talk to someone in person who uses Big Fix and loves it!