Patch using both Bigfix and Build-in Windows Updates

greeks516 2022-06-23 01:14:14 UTC #1

Hi,

I would like to ask around if anyone in this forum at enterprise level ever try updating their machine patches using bigfix in company, while at home uses windows updates to patch? What are the pros and cons?

My company are on certain proxy setting then will only allow communication back to Bigfix.

FatScottishGuy 2022-06-23 14:17:53 UTC #2

I’m not sure I get what you are asking, could you re-phrase what you are looking to do?

Are you talking about your personal / work laptop? Using both methods to patch?

trn 2022-06-23 15:01:17 UTC #3

This is something I would try to avoid.

You will lose control of which patches are applied where/when.
If a given patch causes issues in your environment, a laptop that goes home and patches there will apply patches that you have explicitly chosen not to install until the issues are ironed out.

You should instead look at the option for direct download. This would allow patching via Bigfix, but enable off-site clients to download direct from source and not your Bigfix infrastructure

D.Dean 2022-06-23 15:03:05 UTC #4

Your question is a little confusing but I believe you are asking if a remote user is at home, they use Windows Update but in office they use BigFix?

First, if you are going to use windows update, your control of when patches deploy is more difficult to control.

We patch 30,000 + systems with several thousand remote systems and use Internet Facing Relays to make this work. When a user is in the office, they patch using our internal relays and when they are remote, they use our internet facing relays.

SLB 2022-06-23 16:57:32 UTC #5

What is the reasoning to use Windows Update vs internet facing DMZ relay?

A relay in a DMZ allows internet connected endpoints to still receive content and new fixlets, actions etc via your Bigfix infra. You can also leverage the direct downloads feature, which has also been enhanced in 10.0.7, to reduce the amount of traffic on the DMZ relay so you the maintain a single patch process but the endpoints on the internet will get content from Micrsooft via the users ISP instead of it hitting your own infra.

greeks516 2022-06-29 07:15:18 UTC #6

Is for work laptop, yes using both methods.