(imported topic written by Harald.Zarakowitis)
Hi,
we have some major problems with our patch deployment (V. 7). Our patch process: We create baseline actions with all the patches and the baselines are deployed as policy action. These baselines are only applicable if a specific registry key exists. The registry key on the other hand is deployed separately by the various offices. In that way, we reduce the actual amount of open actions to have better performance (this approach was actually recommended by BigFix).
We found the following issues with this:
- We find that it is very often the case that computers simply are not patched. The baseline is applicable (so BigFix finds the registry key), but the patches do not get deployed. If the baseline is then deployed again, many computers are fixed immediately. The prior baseline, however, should have worked too, because of the deployment options (the baseline is set to deploy over and over again, even if it fails).
- Another behavior is as follows: Computers are fixed, but are still marked as applicable for a baseline. If the baseline is deployed, then the specific computer reports back “not relevant” (however, the console still finds them relevant).
- Additionally, out of despair, we created an analysis based on the relevance of a patch which showed as applicable in a baseline (but was not). Now the weird thing is that as soon as the client evaluated the analysis, the client didn’t show up as applicable for the baseline anymore.
This makes using BigFix at the moment a bit difficult, let alone impossible to use efficiently. Our reports are messed up because we cannot trust the data from BigFix.
To me it seems that there is no point in investigating this further without extensive knowledge of how the client handles the incoming fixlet messages or tasks.
It would be great if we could get a reasonable explanation for this behavior.
Best regards,
Harald