How to set up a windows Patch baseline based on a policy

I am looking for information on how to setup a baseline that is policy based so when new computer is added into a certain computer group the baseline is applied to the system and deploys what ever patches are needed. I know this can be done and hoping someone has some information on how to accomplish this task.

If you already have baselines and the group, you can just deploy that baseline to the group using the “Dynamically target by property” so that any system that is then added to the group will run any fixlet contain in the baseline that it is relevant for.

1 Like

How would I deploy based on a policy? I have read about policy based baselines but how would you go about setting it up?
I know you could use the Dynamically target by property but was wondering about policy based baselines.

I have no idea what this means. You need to link to documentation or provide a lot more info on what you mean by this.

Baselines should generally be dynamically targeted to an automatic group so that as new systems come online, they join that automatic group and then get the baseline.

If you deploy a baseline as a “policy action” this just means that the baseline will apply indefinitely, so that if any of its components that are set to make the baseline applicable become applicable again, any applicable components of the baseline will apply again. Doing this requires careful management of the components, their relevance, success criteria, and if they are set to make the baseline relevant again.

If everything is written well, then anything you want to always be the case should be deployed as a “policy action” that is dynamically targeted. If the relevance isn’t written well, or the actionscript has issues, then doing this could cause computers to run the action over and over and over, which is bad.

Anything is technically a “policy action” if the “reapply this action” box is checked.

If you are using BigFix for fully automated configuration management, then this is how most things should be deployed… assuming the content is well crafted.


You have explained it very well. I knew that you could dynamically target but want to get more clarification on the baseline as a “policy action” and think now I understand with your explanation.

Thank You

If you want to add additional components to your baseline will your dynamically targeted endpoints see the relevant additions and apply them? This is what i’ve attempted but it doesn’t seem to be the case… or perhaps i’m not being patient enough.

You have to re-issue your baseline actions when you add, remove, or modify any components.

Thanks Jason. I’m still new to BigFix but aren’t patches being superseded fairly regularly and baseline synchronizations needed often as well. I’m trying to understand the value of creating an action with the additional config if I have to re-issue it each month anyway.

Yes, that’s one of the real pain points in managing actions. It’s not automatic, and seems counter-intuitive especially if you’re accustomed to dealing with something as hands-off as WSUS.

My impression is that most of the customer base are running large or tightly-controlled environments, and are more concerned about updates getting deployed without internal testing and oversight.

There’s a fairly new capability called “Patch Policies” or “Autopatch”. It’s not managed in the Bigfix Console at all, it requires installation of the WebUI and is managed there. I haven’t used it myself but have seen some demos. The idea behind Patch Policies is that you build groups for your endpoints, a schedule for each group, and define categories of content to deploy. Patch Policies automatically fire actions to the endpoints for whichever fixlets match your policy criteria, so it’s a lot more like automated patching.


I will note that you still have to manually approve patches with Patch Policies, so if you want true automation you still have to use the REST API.

Guys, thanks for the info. I took a quick look at the WebUI and it looks promising. One issue I noticed is the lack of ability to filter out unwanted patches like it’s possible in the console. For example if I select Critical, Windows, Security patches it includes all the applications for windows patches as well. Hopefully in a future release this functionality will be included. In the meantime i will play around with it. Thanks again.