So as we struggle with trying to maintain patches / baselines / compliance we figured we would put out the request for Dynamic Baselines. For anyone that has used VMware, the concept is that Dynamic Baselines are automatically updated when new patches meeting the specified criteria are available. Only the baseline is updated, not the action, so there is no need to worry about an unintentional environment change…
You create a baseline for an OS
You add criteria such as Severity Level, Release Date on or Before, Release Date on or After, Patch Vendor, etc.
You have the ability to include / exclude certain patches.
I know this goes against the grain of how BigFix was intended to work, but it seems a necessary evil.
The only downside I see is you lose your ability to report against a baseline historically, unless BigFix could include some type of version record of a baseline (just a list of the patches it contained) each time it is changed. That way you could report against a baseline at any point in time and know what was in the baseline at that point in time.
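The criteria-driven baseline and the versioned snapshot log requested above, modelled as an added Python example (this is not BigFix code and not the poster's; the fixlet IDs, names, dates and the `DynamicBaseline` / `Fixlet` classes are constructed for illustration). It shows the evaluation order a practitioner would expect (explicit exclude wins, explicit include bypasses the filters, then severity / date window / vendor), and records a dated snapshot of membership only when it changes, so "what was in the baseline on date X" can be answered later. Refreshing the baseline never deploys anything, matching the "baseline is updated, not the action" point.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


# Constructed sample catalog entry; none of these are real BigFix fixlets.
@dataclass(frozen=True)
class Fixlet:
    fixlet_id: int
    name: str
    vendor: str
    severity: str          # "Low" | "Moderate" | "Important" | "Critical"
    release_date: date


SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass
class DynamicBaseline:
    """Baseline whose membership is recomputed from criteria, never hand-edited."""
    name: str
    os_site: str
    min_severity: str = "Low"
    released_on_or_after: Optional[date] = None
    released_on_or_before: Optional[date] = None
    vendors: Optional[Set[str]] = None                 # None means any vendor
    include_ids: Set[int] = field(default_factory=set)  # always in, bypassing filters
    exclude_ids: Set[int] = field(default_factory=set)  # never in, even if included
    # Versioned snapshot log: (date, sorted member ids), appended only on change.
    history: List[Tuple[date, List[int]]] = field(default_factory=list)

    def matches(self, f: Fixlet) -> bool:
        # Explicit exclude wins over everything, then explicit include.
        if f.fixlet_id in self.exclude_ids:
            return False
        if f.fixlet_id in self.include_ids:
            return True
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[self.min_severity]:
            return False
        if self.released_on_or_after and f.release_date < self.released_on_or_after:
            return False
        if self.released_on_or_before and f.release_date > self.released_on_or_before:
            return False
        if self.vendors is not None and f.vendor not in self.vendors:
            return False
        return True

    def refresh(self, catalog: List[Fixlet], as_of: date) -> List[int]:
        """Recompute membership from the current catalog; snapshot it if it changed.
        This only updates the baseline definition; no action is created or run."""
        members = sorted(f.fixlet_id for f in catalog if self.matches(f))
        if not self.history or self.history[-1][1] != members:
            self.history.append((as_of, members))
        return members

    def members_as_of(self, when: date) -> List[int]:
        """Answer 'what was in this baseline on that date?' from the snapshot log."""
        current: List[int] = []
        for snap_date, members in self.history:
            if snap_date <= when:
                current = members
        return current


# Constructed catalog as it might look across two patch cycles.
CATALOG = [
    Fixlet(1001, "Sample-MS-A", "Microsoft", "Critical", date(2012, 1, 10)),
    Fixlet(1002, "Sample-MS-B", "Microsoft", "Low", date(2012, 1, 10)),
    Fixlet(1003, "Sample-Adobe-C", "Adobe", "Critical", date(2012, 2, 14)),
    Fixlet(1004, "Sample-MS-D", "Microsoft", "Important", date(2012, 3, 13)),
]


def demo() -> dict:
    """Two refreshes a month apart, then historical lookups against the log."""
    bl = DynamicBaseline(
        name="Win2008 monthly security (sample)",
        os_site="Patches for Windows",
        min_severity="Important",
        vendors={"Microsoft"},
        released_on_or_after=date(2012, 1, 1),
    )
    first = bl.refresh(CATALOG[:3], date(2012, 2, 15))   # before 1004 was published
    second = bl.refresh(CATALOG, date(2012, 3, 14))      # 1004 now meets the criteria
    return {
        "first": first,
        "second": second,
        "as_of_march_1": bl.members_as_of(date(2012, 3, 1)),
        "as_of_march_14": bl.members_as_of(date(2012, 3, 14)),
        "versions": len(bl.history),
    }


if __name__ == "__main__":
    print(demo())
```

The snapshot log is deliberately append-only and keyed by date, so a compliance report for a past date reads the definition that was in force then rather than today's recomputed one.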
Yes, i see us using this functionality too. Right now it is too difficult for us to queue up an old baseline from 6 months ago because a couple of its fixlets were missed, or are now applicable.
A dynamic baseline could be deployed to a server and the fixlets that meet the criteria would be deployed. Similar to an “approved fixlet” list…
Up from the dead. Are there any plans to introduce this feature? “Sync all components” is a huge pain and there’s no reason why it couldn’t be built into the product and done automatically.
I’d like to see this as well. If I want to take the risk with a test baseline, verify with a pilot group, and a week or so later roll them into another baseline, that’s great. I’d rather not do all the work.
Where we run into problems might be lack of default actions for some fixlets - and the way to resolve that today is currently not simple. This might require a breakout UI for all the non-default actions you can take.
I would like to move from a reactive patch model to a proactive one - and I don’t want to go through all the patches and create a ton of baselines broken up into chunks of 200 at a time. That’s repetitive tasks, that’s computer work. Let a machine break the patches up, I’ll just tell it the first patch to go back to.
How about a baseline patch creation wizard that does all this work by setting up dynamic baselines? It’s gonna be an even bigger problem to use baselines for patch management if the non-critical microsoft security updates feature request ever makes it in (so that I don’t have to deploy wsus, which I am just about to do).
deathbots - I couldn’t agree more with the “I would like to move from a reactive patch model to a proactive one - and I don’t want to go through all the patches and create a ton of baselines broken up into chunks of 200 at a time. That’s repetitive tasks, that’s computer work. Let a machine break the patches up, I’ll just tell it the first patch to go back to” statement.
TEM as it stands today requires too much handholding to get the job done. When you look at what WSUS can do and even more so what SCCM (2010) can do, it’s small things like “dynamic baselines” that would bring TEM to the level we believe is needed in a modern patch management and endpoint security compliance solution.
But I am wondering if we are in the minority, as more people have not chimed in and requested this feature - hopefully, perhaps, they just haven’t found this thread.
With the amount of patches out, I think this would be important… to be able to say “I want to apply all missing MS Security Bulletins on these machines”.
I agree 100%, wmehardt. And I’ve brought this up before with a Product Manager, but nothing yet. There should almost be a “white list” of approved fixlets, and various white lists can be set on computers. Then, when patching is triggered, those approved patches are applied. The biggest issue I see right now with baselines is their limitation for the number of components, and ideally this new process would not have that limitation.
Also, if you have a “baseline”, or whatever this new process would be called, it should have the ability to stop at any time. If I have a 2 hour window to patch, I need the ability to have the patching stop at 2hrs, unlike what baselines currently do, which is continue until they’re completed, regardless of any constraints.
Additionally, a reboot ability needs to be included.
We ditched SCCM for TEM - way too much effort required to keep the client and infrastructure healthy in a distributed environment, and no non-windows support. WSUS is a lot simpler but still error prone. I’m very happy to have TEM as a reactive patch solution (server patching) and a way to ensure WSUS is working correctly. I’d be extremely happy if I could get rid of WSUS and just use TEM, but I don’t see any way forward that isn’t a massive, massive effort on BigFix’s part. Think about writing all the fixlets for all the updates not currently deployed - and a completely new way to bundle up and target patches.