Need assistance converting to Big Fix

(imported topic written by klemery91)

My company is forcing a move to Big Fix for all Patching. I currently manage the WSUS patching solution and need to maintain the current standard we have. Below is a description of the current environment and questions I have about Big Fix to help me maybe get us the same results with Big Fix.

Current Environment:

We have over 2500 Windows servers being patched with WSUS. The patching occurs like this:

  1. I approve updates and they are automatically downloaded to the servers without installation.

  2. The patches sit in the C:\Windows\SoftwareDistribution\downloads directory until it is time to install them.

  3. Each server has a designated Maintenance window (these vary with each server). When the maintenance window arrives, an automated script generated by our command center puts the server in Maintenance mode (so we do not get alerts for down servers) and engages a local script to install any patches located in the downloads directory.

  4. Upon completion of the patch installation the script ends, and then the Command Center script sees this and reboots the server.

  5. The Command Center script monitors the entire reboot and, once the server is safely back up, it removes it from Maintenance mode and the server is back to being monitored.

Big Fix Questions:

  1. Is there one common staging directory for all patches and downloads that we can have a script index all downloaded items and install them?

  2. Does anyone out there have a monitoring solution (we use Tivoli) such as this and have found a workaround for this using Big Fix?

If anyone can help I would greatly appreciate this.

(imported comment written by BenKus)

Hi klemery,

Probably it would be best to make a few changes to this method to accomplish the same result, and there will be some work to convert systems. One place to start is to look at the “Maintenance Windows” built into BigFix:

http://support.bigfix.com/bes/misc/maintenancewindow.html

These maintenance windows can be set by using the console OR you use the platform API to set them:

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/BigFix%20Platform%20API

Here are a few notes:

  • Assuming you use the “lock when not in maintenance window” specified in the link above, the “approving updates” should be the equivalent of “applying the action” to the servers.
  • You can either preset the maintenance window in the console or use the APIs mentioned above to set it from a central server.
  • The BigFix Agent can take care of restarting the server for you.
  • You probably don’t need to have your custom script run the patches for you (BigFix can do it for you).

Ben

(imported comment written by klemery91)

Ben thanks for that but in my case I do not control the Tivoli side of the house nor will they work with much.

Question: Is there a way to use the registry setting for the maintenance window on the client to disable the client computer from downloading and installing the updates (or software, depending on what is being deployed), and then use a script to enable the client download and install?

One other piece is that we not only use this patching procedure for known maintenance windows, but we also use this to do ad hoc maintenance actions for servers without set maintenance windows. So we send an email to our command center and tell them to reboot a server at a specific time; then that reboot script will place the server in maintenance mode, install any patches, then reboot the server, and finally remove the server from maintenance mode.

I know this is making it difficult but there has to be a way to do this.

Another possibility is can Big Fix communicate with IBM Tivoli Monitoring to put the server in maintenance mode so while patching and reboots occur we will not get alerts from ITM?

(imported comment written by BenKus)

Hi klemery,

The “locked” settings (which is a registry key for Windows agents) will control if the agent will run actions or not…

If you want to integrate BigFix with your other backend processes, then you will need to use our APIs and there really isn’t much out-of-the-box that you can do with that sort of customization.

Ben

(imported comment written by klemery91)

Ben,

I cannot find anywhere any reference to a registry key to lock the client. Is there any documentation on this? It seems like this might be an easy fix if it works fine. Here is what I am thinking; can you give me your take on it:

  1. Set all clients' registry key to “Locked”.

  2. Approve fixlets as they are needed on all servers.

  3. Use a script to change the registry setting to “unlocked” once the server is placed in maintenance mode.

  4. Then fixlets will deploy.

  5. Return the server back to locked once server is done accepting fixlets and has rebooted.

Now the question is once the server is placed in the “unlocked” mode in the registry, what triggers Big Fix to deploy the fixlet? Is it on a timing cycle much like WSUS? Is there a command that can be run at the client that can speed this timing along?

Again, thanks for your help, and if there is detailed documentation on this please let me know. I do not have any documentation on Big Fix, and from what I see from Internet searches not much is out there either.
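A sketch of the command-center wrapper described in steps 1 to 5 of the post above, added here as an illustration; it is not code from the thread and not BigFix's own tooling. The registry path, setting name and the “Locked”/“Unlocked” strings are placeholders (assumptions) that must be replaced with the agent's documented lock setting; the pending-reboot check uses standard Windows keys because the thread does not give a BigFix-specific completion signal.

```powershell
# Added illustration of the lock/unlock flow from the post above.
# Registry path, value name and state strings are PLACEHOLDERS (assumption,
# not a documented BigFix key): replace them before use.
param(
    [ValidateSet('Lock', 'Unlock', 'Maintenance')]
    [string]$Action = 'Maintenance',
    [int]$InstallTimeoutMinutes = 120
)

$LockKeyPath   = 'HKLM:\SOFTWARE\<BigFixClientSettingsPath>'   # placeholder
$LockValueName = '<LockSettingName>'                            # placeholder
$LockedState   = 'Locked'                                       # placeholder
$UnlockedState = 'Unlocked'                                     # placeholder

function Set-AgentLock {
    param([string]$State)
    # Record the previous state so every change is visible in the job output.
    $before = (Get-ItemProperty -Path $LockKeyPath -ErrorAction Stop).$LockValueName
    Set-ItemProperty -Path $LockKeyPath -Name $LockValueName -Value $State -Type String
    Write-Output "Agent lock changed: '$before' -> '$State'"
}

function Test-PendingReboot {
    # Standard Windows reboot indicators, used in place of a BigFix-specific signal.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
}

function Invoke-MaintenanceCycle {
    # Step 3: the server is already in monitoring maintenance mode; let the
    # agent accept the actions that were approved while it was locked.
    Set-AgentLock -State $UnlockedState
    $deadline = (Get-Date).AddMinutes($InstallTimeoutMinutes)
    while ((Get-Date) -lt $deadline -and -not (Test-PendingReboot)) {
        Start-Sleep -Seconds 60
    }
    # Step 4: reboot once the installs signal it; the command center's
    # post-reboot step then runs this script with -Action Lock (step 5).
    if (Test-PendingReboot) { Restart-Computer -Force }
    else { Write-Warning "No reboot signalled within $InstallTimeoutMinutes minutes; leaving agent unlocked" }
}

switch ($Action) {
    'Lock'        { Set-AgentLock -State $LockedState }
    'Unlock'      { Set-AgentLock -State $UnlockedState }
    'Maintenance' { Invoke-MaintenanceCycle }
}
```

Run as an elevated account; the timeout branch deliberately leaves the agent unlocked so an operator can see and decide, rather than silently relocking with actions half-applied.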