Hello folks,
Recently we started to roll some updates throughout our environment. We started with 25gb in total of patches being distributed through our entire environment.
We created baselines separated by O.S (Win7, Win10 and Win11), patch type (cumulative updates, app updates) and country. We sent the actions yesterday at 8pm and scheduled the updates to start today around 8am, but when we got to around 1pm, a lot of users started to complain that they couldn’t access files, save their work through the network because it was taking too long.
We went to investigate, and we saw a high network usage from 8 am to around 2pm coming from the BigFix relays. We took the initiative to allocate more resources, for examples, there are some countries that does not have their dedicated relay and since our country is also big territorially speaking, we created 3 additional relays from the current 4 we had, and we have plans to add 2 more in the coming weeks.
The problem is, our environment is considered small from BigFix planning perspective, as we currently have 2202 managed devices in our BigFix server. Our network is complex though and we have MPLS links which can sometimes cause more than 10 network hops until the relay can communicate to the server and also it is managed by our ISP.
Also, some users complained that their machines were slow during the update process.
Knowing all this, I want to know ways to reduce the network load in BigFix, without having to do this in firewall or any other means, directly in the application.
Also how much of CPU BigFix Clients use when running updates? Is there a way to reduce this value?
Thanks in advance.
To solve your high network utilization, you can use the Relay & Client download throttling settings below. I strongly advise using these settings instead of implementing network capping, reason client settings are easy to manipulate rather than network capping.
Fixlet ID 152 - BES Relay Setting: Download Throttling
Fixlet ID 167 - BES Client Setting: Download Throttling
Check out the fixlet below to see what the default settings are and what you can change based on your need for CPU control.
Fixlet ID 168 - BES Client Setting: CPU Usage
Additionally, you can create two fixlets to use some of your custom settings during baseline patch deployment. One fixlet will set requirements at startup, and the other will restore them to normal.
When the update process started and the users complained about the “slowness” of the system - did you see spike in the CPU (100%) or Hard Disk (100%)?
We were not able to check, the alarm soared, and we had to quicky stop every action. I believe since it was a cumulative update, maybe they had some kind of slowness when multitasking. The complaints came mostly from people who work with some CPU - RAM eating softwares.
I appreciate you for correcting me in the title and thank you for all the valuable suggestions. The BES Client setting, Fixlet ID 168 is a temporary setting in my opinion, we use it a lot when running multiple actions. Does it apply only when applying patches?
What if I want to insert on the client a permanent configuration of CPU Usage when running patches? Is it possible?
I don’t plan to change anything when Idle because I consider it irrelevant to the overall CPU Usage.
Edit: Also, for 2200 computers, we had 4 relays and now we have 8 relays and there are plans to install 2 more, I believe it’s a valid point now to see how things goes.
The throttling setting only applies to BESClient.exe itself, not to the patch binaries that get spawned.
You’d need to check into general Windows performance tuning, I don’t think even custom action scripts would help much since most patches are simply handed off to Services to get installed.
In the event that you only wish to consider setting these settings during patch deployment, you can easily create custom tasks as previously mentioned, one at the start and another at the end. If you wish to set permanent configuration, you can set these client settings on all of your devices regardless of whether you are deploying patches or not.
_BESClient_Resource_WorkNormal
_BESClient_Resource_SleepNormal
The answer to your question is provided in the shared client settings (Work/Sleep Normal) above.
That brings up another point of discussion: in order to prevent network utilization from going all the way down, you can set up local site relay, which is hosted on the same VLAN or network as the network where the high network utilization issue is occurring, to download the patches directly from the internet rather than through Relay to Root chain.