Need better understanding of 3rd party patching - unspecified

Hi, I just want to understand how 3rd party patching works when it comes to gathering the 3rd party files and applying them to a patching policy.

Is BigFix using what it knows about all the software installed on each workstation and then searching for 3rd party files\updates? Or is there a limited set of software that it knows about (I assume most known\common\major software) and it will just include it in the patch policy even if not a single workstation in the organization uses it?

For example, we have a 3rd party PP running now for critical, but I just happened to notice that my machine wasn’t relevant for Notepad++. A quick search found the update to Notepad++ in the PP to be categorized as a critical update; I was then able to find the newest version of Notepad++, which is categorized as unspecified. Now the 3rd party PP targets only unspecified patches and is targeting only 4 workstations, and I see software listed in the PP that none of the 4 workstations use, so I wonder if that’s software that other workstations have installed but it’s shown in this PP because that’s how BigFix gathers patches - based on all known software. Man, I hope that all makes sense.

Thanks!

One more bonus Q :slight_smile: : what if we discover software that should not be allowed, such as WinRAR for example; is there a quick way to create an uninstall task for the software from the software list under the Updates for Windows Applications Extended site?

BigFix maintains Fixlet content for a wide range of products, both from OS vendors and third-party applications. We’re frequently expanding the list, but a starting point of covered titles is at HCLSoftware.

Regarding the Notepad++ update, “Severity” generally comes from the application vendor’s bulletin list (if there are any). It appears from our Fixlet content that only a couple of versions have had any security rating at all, listed as “High”. Checking the Notepad++ website, I don’t see severity ratings for many of their versions, so I’m curious how you determined that some version is a Critical update, and which version that is?

When using Patch Policy, the fixlets that are selected to be “in” the Action are those that match your criteria (severity/sites/category/name filters/etc.) and are relevant to at least one computer in your deployment at the time the action is issued. When it comes to executing on the endpoint, any individual machine will only download & execute the “Relevant” fixlets, i.e. those where the machine has an older version of the given product installed. There might be a hundred components in an Action, but a computer might run only one of those components if that computer had only one of the patched products installed.

As for your bonus question, in some cases you can use BigFix Inventory to uninstall some detected software, but there are some limitations based on how the software is installed (must be detected as a Windows Package / MSI rather than a signature-based detection, among others). This is described at Uninstall Software. For many cases, though, you would need to create your own fixlets for uninstalling software; we don’t generally publish those.

2 Likes
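To make the selection rule in the reply above concrete, here is an added Python sketch of how a Patch Policy action is assembled and then executed per endpoint. This is not BigFix's own code; the fixlet titles, versions, site assignments and machine names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fixlet:
    name: str      # fixlet title as it would appear in the Patch Policy
    product: str
    version: str   # version the fixlet installs
    severity: str  # source severity, e.g. "High" or "Unspecified"
    site: str      # external site the fixlet is published in

@dataclass
class Endpoint:
    name: str
    installed: dict  # product -> installed version string

def parse_version(s: str) -> tuple:
    """Compare versions component-wise as integers, never as strings
    ("8.10.0" must sort after "8.9.1")."""
    return tuple(int(p) for p in s.split("."))

def is_relevant(fixlet: Fixlet, endpoint: Endpoint) -> bool:
    """A fixlet is relevant only where the product is installed and older."""
    current = endpoint.installed.get(fixlet.product)
    return current is not None and parse_version(current) < parse_version(fixlet.version)

def build_action(fixlets, endpoints, severities, sites):
    """Selection as described in the reply: keep fixlets that match the
    severity/site filters AND are relevant to at least one endpoint."""
    return [f for f in fixlets
            if f.severity in severities and f.site in sites
            and any(is_relevant(f, e) for e in endpoints)]

def endpoint_plan(action, endpoint):
    """Of everything in the action, an endpoint runs only its relevant fixlets."""
    return [f.name for f in action if is_relevant(f, endpoint)]

# Constructed sample content: versions, per-fixlet site and machines are illustrative
TRADITIONAL = "Updates for Windows Applications"
EXTENDED = "Updates for Windows Applications Extended"
FIXLETS = [
    Fixlet("Notepad++ 8.5.7 Update", "Notepad++", "8.5.7", "High", TRADITIONAL),
    Fixlet("Notepad++ 8.6.4 Update", "Notepad++", "8.6.4", "Unspecified", TRADITIONAL),
    Fixlet("WinRAR 6.2.0 Update", "WinRAR", "6.2.0", "Unspecified", EXTENDED),
]
ENDPOINTS = [
    Endpoint("ws-01", {"Notepad++": "8.3.3"}),                     # behind on Notepad++
    Endpoint("ws-02", {"Notepad++": "8.6.4", "WinRAR": "6.2.0"}),  # fully current
    Endpoint("ws-03", {"WinRAR": "6.1.0"}),                        # no Notepad++ at all
]
```

With these inputs the WinRAR fixlet enters the "Unspecified" action only because ws-03 is relevant, which is why a machine without WinRAR still sees it listed in the policy while never running it.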

@JasonWalker as usual, thanks for your excellent explanation and the links provided.

So the patch policy will report on all known software across all the registered endpoints in BigFix; the computers that are targeted will obviously become relevant based on their installed applications :+1: I do like the fact that I can get to see everything that’s out there installed on all machines.

In regards to Notepad++, I have a single lonely machine that just needs to get updated to the latest version:

As you can see, the source severity is High and there are some CVEs listed in the description.

I don’t think we have BigFix Inventory; I would presume it would show under License Overview, and I only see Compliance and Lifecycle.

Thanks again!

PS: One more thing, why are there 2 external sites for Updates for Windows? There’s Applications and Extended. Any reason why software is split between the two?

I’d check which single machine is applicable to the Notepad++ 8.5.7 Update and see why it hasn’t updated already. It looks like there are six open actions from that fixlet, maybe that machine hasn’t been targeted by your Patch Policy, or maybe it’s a machine that is offline / hasn’t reported in a while.
If you activate the “Application Information (Windows)” Analysis in the ‘BES Inventory and License’ Site, you should be able to determine the installed version of Notepad++ on the machine.
I’d note that 8.5.7 is not the latest version of Notepad++, it’s just the last one that had a Severity rating on it. Since then at least 8.6.2 and 8.6.4 have been published as well, but those are non-Security updates.

As for the two sites, the ‘Extended’ sites are a very recent offering and lack some of the functionality of the traditional “Updates for Windows Applications” site. The ‘Extended’ site is generated automatically based on vendor update releases; publishes only the most recent update fixlet (older fixlets are removed entirely, not just marked ‘superseded’); and generally CVE information and Severity are not tracked (most of the vendors don’t publish that info in a standard way our automations can ingest). For the price of those limitations, we have a wide range of software and a site that is updated several times a week - much more frequently than we could do with manual interventions.

Yeah, that computer has Notepad++ 8.33, and I am aware it is not the latest version (8.6.4); paying attention to the PP and comparing it to my machine’s current N++ version is what led me down this rabbit hole. :slight_smile: I have to get with the service desk to chase down this user and machine.

In regards to the sites, so they basically do the same thing of providing the latest version of a piece of software; it’s just split between 2 sites with the differences you mentioned. Is the software to update that a Patch Policy retrieves based on the Severity selected within the PP? And can this software update come from either the Extended or the traditional Updates for Windows Applications site?

For example, here I have 3rd Party Updates selected under Content Type (not visible), and then depending on the Severity selected, is that where BigFix will get the updates from? Again, from either of the 2 sites?

Thanks!