Moving from WSUS to BigFix - Procedure Differences

(imported topic written by tscott91)

We are demoing some Patch Management solutions and BigFix is one of them. We currently use WSUS for our 1,100 workstations and SMS for our 175 servers…

Currently, when new patches come out, I approve them to my test group of PCs and let them run for a week… If no issues arise I will approve them for the rest of the workstations…

WSUS clients are constantly checking in to the WSUS server to see if there are any approved updates that are applicable to them… If they find one, they then download it locally to the PC and wait for the scheduled install day/time…

So, say for instance last patch Tuesday there were 13 updates I wanted to approve… I just selected them all, right-clicked and said approve… I was then done…

What will be my procedure in BigFix? Would I select those same 13 updates, right-click and choose take default action? In the Target I would select my test group, set my time I want it to be installed, and I’m guessing I would choose the “Reapply this action > whenever it becomes relevant again”? Then, let it run for a week and do the same process against the rest of my PCs?

In my demo with BigFix I was a little confused on the difference of baselines and just taking the “default action”… Basically, I just want my old procedure of approving updates, PCs checking in to see if they need those updates, and then them installing them on the appropriate day / time.


(imported comment written by BenKus)

Hey tscott,

Yes… You can multi-select the Fixlets and apply them to computers just as you did… This creates a one-time action that applies to whatever computers you would like… Alternately, you can put the Fixlets in a Baseline and then apply the Baseline to whatever computers you would like. One of the benefits of the Baseline is that you don’t need to reselect the Fixlets when you apply them to a different group of computers.

So the process could look like:

  • Put the Fixlets in the baseline.
  • Apply the baseline to the test group and choose whatever action parameters apply to the test group.
  • Later apply the baseline to another group (or all computers) and choose whatever action parameters you want to apply.

Basically, by picking the appropriate action options (targeting “All computers”, making the action not expire, choosing the “run between” times), you have something similar to WSUS…


(imported comment written by tscott91)

Ben, we have gone ahead with the purchase of BigFix and now with patch Tuesday just behind us I’m at the point where I want to do what I originally asked…

So, you’re saying the easiest thing to do would be to select all the patches released on the 8th and put them into a baseline and then apply that baseline to the test group? Once it’s confirmed they are all good then I apply the baseline to “All Computers” with a never expire?

Also, just curious but do you know what a best practice is for patching with BigFix?

Thank you.

(imported comment written by BenKus)

Hey tscott,

Yes. That is a good strategy. We don’t have a one-size-fits-all best practice for patching because many people have different requirements (but it seems like maybe we should try to put something together), but the baseline approach you mentioned should work fine.