Should I use sites? I couldn’t find a way to use “computer groups” in the custom filters. Maybe I’m missing something so had to ask the experts.
Looking for the right way to setup using Custom Filters for a set of computers. Goal is we do 3 patching groups. Dev, Test & Prod. These don’t all need the same patches. Some never get .NET updates for example, but some do.
Ideally I have custom filters for ‘critical patches’ as example. As I have all these machines in one “site”, it shows whats needed on all of them. But really, I’d like to create a baseline for “Dev” machines as example and only show the ‘critical updates’ in that custom filter for the “Dev” machines.
You can create three computer groups based on your device types (Dev/Test/Prod). Once these groups are created, navigate to the desired group in the BigFix Console, where you’ll find the Relevant Fixlets section. From there, you can filter the applicable patches by site, category, and severity to focus on specific updates, such as critical patches. This allows you to easily manage and deploy the patches tailored to each environment.
This approach is efficient, as it leverages built-in group and filter functionalities, enabling quick identification of patches relevant to each group without additional configurations. It also ensures flexibility and scalability as your environment grows or changes.
Here was a thought, but wanted to run it by others. Create sites for Dev, Test & Prod. Then I could create a custom filter using the “site” field in it.
Example:
Sites:
Site → Windows Dev
Site → Windows Test
Site → Windows Prod
Custom Filters:
Dev Critical Patches->
“Site equals Windows Dev”
“Category contains Critical”
I would echo what @vk.khurava stated. Our Dev or QA machines are either in a specific QA domain where we can target all QA machines because of the domain membership or we create a task that sets a client setting or a registry key that “tags” them as QA, Dev, Non-Prod, Sit, etc, then you can use a computer group to base the custom filter on. To use a computer group you would just need to use the drop down menu for Include “Computer Group” and type the name of the computer group that you are wanting to include.
I just wanted to check-in here and make sure it’s understand that it’s not a problem to have "extra things in your baseline.
Each computer will only download and install the specific Fixlets that are relevant to that individual computer. Anything in the baseline that’s not relevant will just be skipped.
It’s very common to have one baseline each month, for all computers
Learned something new, probably basic, but wanted to share. In the “custom filters”, having “Site” doesn’t seem to include external or custom sites. This means using “Sites” won’t work as I’d original thought.
Thanks @JasonWalker_HCL (and everyone). I was worried that to many “patches” being added to baseline might cause issues with how long it takes. But my understanding is the relevance statement would quickly dismiss those and not even attempt to run. Example in my head would be: Windows 10 being added to the baseline and being sent (take action) to 2019 servers would immediately test the relevance (is this computer windows 10?) and just quickly be skipped. Thanks again for the expertise.
The smaller the baseline, the better. Over the years I have heard several different numbers for the number of components a baseline should be limited to.
I was told once, no more than 200 or you could have long evaluation times, sometimes too long.
We try and limit ours to no more than 150 components per baseline. Our patching methodology has us with numerous baselines, trying to stay within the confines of no more than 150 components per baseline.
I believe I’ve found a way that cuts down for the items being added a little more focused.
Tell what you guys think? What I’ve found is I can select multiple computers groups. Example:
Windows Servers No-Touch - Windows Servers Prod 1 - Windows Servers Prod 2
Windows Servers Dev 1
Say I select “Windows Servers Prod 1” and "Windows Servers Prod 2". Now heading over to the right top, I see the list of computers in those groups. Now I highlight them and “View Them as Group” and now, when I check the fixlets it shows only for that group. This really cuts down on the 1000s of possible computers in my “Site” that we don’t touch and don’t need to add fixlets to a baseline that aren’t part of the computers I’m looking for.
Might be helpful for others who have a gazillion patches that aren’t relevant and adding those to a baseline when they aren’t needed.
