Inquiry: Windows Driver & BIOS Updates via BigFix

Hi Everyone,

I have a couple of questions regarding managing updates through BigFix:

  • Is there a supported or recommended approach for deploying Windows driver updates using BigFix, similar to standard patching?
  • Is it possible to perform BIOS updates on Windows machines via BigFix, especially in cases where the BIOS is protected with a password?

I would appreciate your guidance or any best practices you can share based on your experience.

This announcement last month might be of interest to you with regard to driver updates.

Content Release: Support for Windows Drivers Patching - Release Announcements - BigFix Forum

BIOS updates may vary depending on manufacturer but you can peruse past forum postings as reference points.

Search results for 'BIOS updates' - BigFix Forum

2 Likes

@mahmoud_teleb, yes, you can update BIOS on computers via BigFix. We do it for HP computers all the time.

The workflow is to run a baseline with tasks to 1) disable BitLocker [if in use], 2) use the manufacturer’s BIOS utility to disable the BIOS password, 3) run the BIOS update, 4) use the manufacturer’s BIOS utility to enable the BIOS password, 5) enable BitLocker if applicable.

2 Likes
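The five-step workflow from the post above, sketched as one PowerShell script so the ordering and the failure path are visible (an added example, not the poster's baseline or HCL content). The vendor tool paths, their arguments and the accepted exit codes are placeholders and assumptions; it also assumes the vendor tool allows the password to be set again right after the update is run, as in the post's step order.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Tool paths and arguments are placeholders
# (assumptions); take the real ones from your manufacturer's documentation and
# prefer the vendor's password-file option, if it has one, over a plaintext argument.
param(
    [string]   $MountPoint = $env:SystemDrive,
    [string]   $PwdTool    = 'C:\Staging\VENDOR-BIOS-CONFIG-TOOL.exe',
    [string[]] $ClearArgs  = @('PLACEHOLDER-CLEAR-PASSWORD-ARGS'),
    [string[]] $SetArgs    = @('PLACEHOLDER-SET-PASSWORD-ARGS'),
    [string]   $FlashTool  = 'C:\Staging\VENDOR-BIOS-FLASH-TOOL.exe',
    [string[]] $FlashArgs  = @('PLACEHOLDER-SILENT-FLASH-ARGS'),
    [int[]]    $OkCodes    = @(0)   # assumption: add the vendor's "reboot required" code if it has one
)
$ErrorActionPreference = 'Stop'

function Invoke-Step([string]$Name, [string]$Exe, [string[]]$ArgList) {
    # Run one vendor tool, wait for it, and stop the sequence on an unexpected exit code.
    $p = Start-Process -FilePath $Exe -ArgumentList $ArgList -Wait -PassThru -NoNewWindow
    if ($OkCodes -notcontains $p.ExitCode) { throw "$Name failed, exit code $($p.ExitCode)" }
}

$suspended = $false; $cleared = $false; $flashed = $false
try {
    # Step 1: suspend BitLocker only if it is currently protecting the volume.
    # -RebootCount 1 makes Windows resume protection by itself after one restart.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        $suspended = $true
    }
    Invoke-Step 'Clear BIOS password' $PwdTool $ClearArgs      # step 2
    $cleared = $true
    Invoke-Step 'BIOS update' $FlashTool $FlashArgs            # step 3
    $flashed = $true
}
finally {
    # Step 5 on the failure path: no firmware restart is pending, so resume now.
    # After a successful update the RebootCount above restores protection.
    if ($suspended -and -not $flashed) { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
    # Step 4 runs on success and on failure, so a failed update does not
    # leave the BIOS without its password.
    if ($cleared) { Invoke-Step 'Set BIOS password' $PwdTool $SetArgs }
}
```

If the update needs more than one restart, raise `-RebootCount` or use 0 and resume BitLocker in a later task.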

With Dell hardware, BigFix can similarly drive Dell Command Update for drivers, firmware, BIOS, etc.

(As in all things, if you can do it on the command line, you can do it with BigFix.)

2 Likes

Is there any reference or documentation for that to be followed?

Hi JonL,

In this case, I have to download the BIOS utility and BIOS update manually and create two fixlets for each. Is there any way to automate this process with BigFix? I'm not referring to disabling passwords, as this requires a custom fixlet, but rather addressing hardware updates, drivers, and patches. Can BigFix automatically check the manufacturer/vendor for updates and display which drivers need to be updated so that I can handle them using the same concept?

@madel.1982, have you seen the new Drivers site that HCL has provided? If you have a BIOS password, you may still need pre and post steps to disable and enable the BIOS password. Likely those steps would be custom to you depending on your hardware manufacturer and password you are setting.

We create custom packages for our drivers, BIOS, and firmware for HP equipment and that works well for us.

Possible? Yes.
Provided in current content? No.

@Aram maybe time for a new "Ideas Reference" post. The most recent I see is May 2022 - Ideas Reference

I suggest opening an Idea for this. The team may need your specific models that you'd want to have monitored, as that might impact the effort required to deliver or maintain it.

I'm not sure whether we can make a business case to include it in default content or to deliver an additional license add-on for device management -- I think it really would depend on the tradeoff between "how much does it take to detect, monitor, package, and deliver" vs "how many customers can use it". When it gets into hardware models across customers, it might be hard to balance that ratio -- i.e. monitoring drivers for one particular model of workstation might not be worthwhile if only one (or none) of our customers even use that model.

I do wonder whether something like the Driver Management Dashboard in OS Deployment and Bare Metal Imaging might be a start of something worthwhile. If we gave you a dashboard where you upload your driver packages and then we generated relevance against the drivers you uploaded, would that be worthwhile? If we did that, you'd still have to download the drivers from your vendor, but we might be able to help manage them in one area in a way that's more broadly useful ...

2 Likes

That would be a great idea Jason. It may be a bit complex given the variety of ways that BIOS, driver, and firmware updates are packaged by the hardware vendors.

Where it gets even more complex is with the combination of peripherals connected. In our case, as a retailer, the drivers and firmware for our POS peripherals are critical. It would be a very large matrix of items to support when one considers all the potential peripherals with their respective firmware and drivers.

For those with package building skills, those items are all achievable via custom tasks. We’ve done it for years. It would save many hours if those were provided. I just don’t know how realistic that would be given the vast scope.

1 Like

BigFix already has content for updating Dell Command Update, so that is easily forked into a bare installer.

For command line scripting of Dell Command Update, I would point to Dell's command line reference.

1 Like

Hi JonL,

Thank you for your support and cooperation.

Yes, I saw it and tested it, but it requires that each machine must have access to the internet, which is not suitable for a bank environment as all PCs, workstations, and laptops do not have internet access.

MS SCCM can achieve the same functionality without the need for internet access.

If you are using SCCM, which I presume means you are using and maintaining vendor driver updates via SCUP and deployed via WSUS, would that mean your endpoints are set so that any Windows Update scan would scan against your internal WSUS server? Not sure how the scan via the new BigFix offering would react in that scenario. Would the Windows Update call use your WSUS catalog and still output any relevant drivers approved on your WSUS server to the scan results to then be picked up by the dashboard?

I created a guide on how to do this for Dell machines.

3 Likes

DCU itself needs either direct Internet access from the endpoint, or access to a managed repository … accessed via SMB. :man_facepalming:

I keep hoping they’ll improve that to be accessible as an HTTPS endpoint.

Yeah, you would have to tweak the commands run to pull from the network repository so each machine is not hitting the internet.

I hope the HCL BigFix developer team can find a solution soon for that.

As I mentioned, I saw that MS SCCM can do that and update machine drivers.

Additionally, as far as I know, Ivanti can also handle driver updates.

I am not sure about the complexity of dealing with driver updates as patching. HCL BigFix agent easily scans drivers, detects the vendor, and then double-checks driver updates, even using a plugin or whatever.

BR,

Mohamed Adel