Need better understanding of 3rd party patching - unspecified

Hi, just want to understand how 3rd party patching works when it comes gathering the 3rd party files and applies to a patching policy.

Is bigfix using what it knows about all the software installed on each workstation and then searching for 3rd party files\updates? Or is there a limited set of software that it knows about (I assume most known\common\major software) and it will just include it in the patch policy even if not a single workstation in the organization uses it?

For example we have a 3rd party pp running now for critical but I just happened to notice that my machine wasn’t relevant for notepad++. quick search and found the update to notepad++ in the pp to be categorized as a critical update, I was then was able to find the newest version of notepad++ which is categorized as unspecified. Now the 3rd party pp targets only unspecified patches and is targeting only 4 workstations, I see software listed in the pp that none of the 4 workstations use so I wonder if that’s the software that other workstations have installed but it’s shown in this pp because that’s how bfix gathers patches - based on all known software. Man I hope that all makes sense.


one more bonus Q :slight_smile: : what if we discover a software that should not be allowed such as winrar for example, is there a quick way to create an uninstall task for the software from the software list under the Update for Windows Applications Extended site?

BigFix maintains Fixlet content for a wide range of products, both from OS vendors and third-party applications. We’re frequently expanding the list, but a starting point of covered titles is at HCLSoftware

Regarding the Notepad++ update, “Severity” generally comes from the application vendor’s bulletin list (if there are any). It appears from our Fixlet content that only a couple of versions have had any security rating at all, listed as “High”. Checking the Notepad++ website, I don’t see severity ratings for many of their versions, so I’m curious how you determined that some version is a Critial update, and which version that is?

When using Patch Policy, the fixlets that are selected to be “in” the Action are those that match your criteria (severity/sites/category/name filters/etc.) and are relevant to at least one computer in your deployment at the time the action is issued. When it comes to executing on the endpoint, any individual machine will only download & execute the “Relevant” fixlets, i.e. have an older version of the given product installed. There might be a hundred components in an Action, but a computer might run only one of those components if that computer had only one of the patched products installed.

As for your bonus question, in some cases you can use BigFix Inventory to uninstall some detected software, but there are some limitations based on how the software is installed (must be detected as a Windows Package / MSI rather than a signature-based detection, among others). This is described at Uninstall Software . For many cases though you would need to create your own fixlets for uninstalling software, we don’t generally publish those.


@JasonWalker as usual, thanks for your excellent explanation and the links provided.

So the patch policy will report on all known software across all the registered endpoints in bigfix, the computers that are targeted will obviously become relevant based on their installed applications :+1: I do like that fact that I can get to see everything that’s out there installed on all machines.

In regards to notepad++ I have a single lonely machine that just needs to get updated to the latest version:

as you can see the source severity is high and there are some CVEs listed in the description

I don’t think we have BigFix Inventory, I would presume it would show under License Overview and I only see Compliance and Lifecycle.

Thanks again!

ps: One more thing, why are there 2 external sites for Updates for Windows? There’s Application and Extended. Any reason why software is split between the two?

I’d check which single machine is applicable to the Notepad++ 8.5.7 Update and see why it hasn’t updated already. It looks like there are six open actions from that fixlet, maybe that machine hasn’t been targeted by your Patch Policy, or maybe it’s a machine that is offline / hasn’t reported in a while.
If you activate the “Application Information (Windows)” Analysis in the ‘BES Inventory and License’ Site, you should be able to determine the installed version of Notepad++ on the machine.
I’d note that 8.5.7 is not the Latest version of Notepad++, it’s just the last one that had a Severity rating on it. Since then at least 8.6.2 and 8.6.4 have been published as well but those are non-Security updates.

As for the two sites, the ‘Extended’ sites are a very recent offering and lack some of the functionality of the traditional “Updates for Windows Applications” site. The ‘Extended’ site is generated automatically based on vendor update releases; publishes only the most recent update fixlet (older fixlets are removed entirely, not just marked ‘superseded’); and generally CVE information and Severity are not tracked (most of the vendors don’t publish that info in a standard way our automations can ingest). For the price of those limitations, we have a wide range of software and a site that is updated several times a week - much more frequently than we could do with manual interventions.

Yeah that computer has notepad++ 8.33, and I am aware of not being the latest version (8.6.4), paying attention to the PP and comparing it to my machines current n++ version is what led me down this rabbit hole. :slight_smile: I have to get with service desk to chase down this user and machine

In regards to the sites, so they basically do the same thing of providing the latest version of a software, it’s just split between 2 sites with the differences you mentioned. The software to update that a Patch Policy retrieves is based on the Severity selected within the PP? This software update can come from either the Extended or the traditional Updates for Windows Applications site?

For example here I have 3rd Party Updates selected under Content Type (not visible) and then depending on the Severity selected it’s where bfix will get the updates from? Again from either of the 2 sites?