New PC Build - How to force patching now?

(imported topic written by ktm_200091)

Due to our network I have to spread out the deploys of baselines over 2-4hrs depending on the size of the files being copied. This causes an issue when a new PC is built, as the PC may not take the patches for a while.

Is there a command one can run on a local PC to remove the wait time and patch immediately?

(imported comment written by BenKus)

Hey KTM,

I think your best bet would be to make a new operator that manages only “new computers” and then you can have specific policies that don’t have the time spread…

Ben

(imported comment written by ktm_200091)

Ben,

The issue here is that I do not want to re-issue actions multiple times as Big Fix doesn’t seem to handle it well.

For example:

I roll out July’s security patches in a baseline. On night 1 of my rollout I set up 2 actions: 1 to start after business hours and to stop at 6am the next morning, with the distribution spread out over 4hrs (this will reliably get 75% of my environment); the second action would then start at 6:01am the next morning and go on forever with no time spread.

I have tried this 2x and have found that 10% of clients get confused and never apply the patches as they stay in “waiting” status. A lot of those PCs are on and connected during the 1st night. If I close out both actions and start up a new one, the remaining PCs patch.

(imported comment written by snoczp91)

We are also interested in a ‘Force All Now’ option that would run all relevant actions. Is this possible?

Thanks,

(imported comment written by BenKus)

Hi KTM,

Having multiple actions should not be a problem for the system and if there is a problem there, support can investigate with you… But my recommendation was to create two actions: one targeted to your current deployed computers and one to your new computers. The reason you need to issue two actions is because you have two different sets of action configurations and those are fundamentally part of the action…

Ben

(imported comment written by ktm_200091)

Hi Ben,

How would one differentiate between a newly built workstation and an existing? Wouldn’t that require a flag on the workstation and then make copies of all fixlets and target them based upon that flag?

The real objective of this is to empower a tech who does not have access to the big fix console to immediately patch all approved fixlets on only the workstation he/she is sitting in front of or remoted into.

This is a relatively simple task when using WSUS: open a DOS box, type wuauclt /detectnow and hit Enter.

(imported comment written by BenKus)

Hey ktm,

One common way to differentiate between new systems and deployed systems is to put a registry flag in the image and then remove it before you move the system to production (which can be done through BigFix).

WSUS is a “batch system” that only checks periodically whether to deploy patches, but the BigFix Agent is “real-time” and it checks in the background and doesn’t require you to tell it to check.

Perhaps you can work out a scheme using client offers… You can have a baseline that does lots of patching/fixes and have it triggered by the local tech… you can maybe use the “NoTray” mode and tell the techs to run “triggerclientui.exe”… More info:

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=441

Ben

(imported comment written by ktm_200091)

Ben, you are oblivious of the point that I’m trying to make here…

The current design of the Big Fix product is heavily restricted to centralized administration and has a high administration overhead because of that.

All of your recommendations are adding to administrative overhead.

(imported comment written by BenKus)

Hey ktm,

As you say, the key point here is that BigFix is a centrally-controlled and policy-based system. If you want to give users the ability to do certain tasks, then you can do that by enabling a policy to allow users to control things (but you do need to take the steps to allow them to do it). I also tried to give you other tools that you could use and other schemes you might consider. But to answer your question directly: No. There is no equivalent of BigFix.exe /UpdateAll that can be run from the local computer and we have no current plans to build this functionality at this time.

Ben