Is there any way to install all previously installed patches automatically to nodes that are subsequently added to the network? I know it might be possible by using a baseline and making it a policy, but I have a scenario where I deployed Microsoft critical patches on approx. 20 desktop machines. I want to make a policy so that from now on, if any new desktop arrives in my network, it gets patched. How is it possible?
Secondly, can anyone suggest to me how to get the TEM console on the web? Is that possible?
As far as I see, the only way to provide new systems with patches and do a catch-up is using a policy action based on a patching baseline, like you indicated. Relevance for one or more patches in the baseline will take care of the rest, and patches can even be re-applied when they become relevant again. New patches can be periodically bundled in a new baseline at regular intervals (monthly, quarterly). Modifying the original baseline by adding new patches will have no effect until you put it out as a new action (as is the case when source fixlets change), but will soon bloat your baseline. The question will always be, however, how long to keep the baseline(s) in effect. A normal lifecycle will include a regular image update in order to keep the number of patches in the baseline(s) from getting too large. Can’t hurt to have some version management as well. Right now I am in the middle of sorting out patching myself and it can be a real pain…
But if I make it a policy on a baseline, then the rest of the PCs which exist in my environment get the patches too. I want to limit it to the 20 PCs and new upcoming PCs in the network. How can it be possible?
Not exactly sure what you mean here, but did these other clients not go through the same baseline also? If not, and you do not want these to have the patches, you will have to separate the particular clients by means of relevance of some sort. Perhaps start working with a version number client setting?
@usman - You can deploy patches to all machines and the relevance will cause it to only run on the machines that need the patches. If a computer already has the patch from Windows Update, or a previous BigFix(TEM) action, or WSUS, or manual installation, then it will not get the patch.
This is only true if the relevance for the patches is written correctly, which it generally is for the IBM patches. If you made a patch by hand and you did not include complete relevance, then you could get into a situation where the patch applies to systems which it should not apply to.
I’m working on a solution to automate patching baselines, which should help solve some of these issues.
Right now I am focused on the case of Windows OS patches only and will expand from there once that gets refined a bit.
So here is the idea:
You have 1 and only 1 patching baseline for Windows Patches. This baseline gets stopped and a new one gets created every week. It automatically includes all currently relevant Windows Patch tasks to at least 1 computer in the environment.
The reason you don’t need to keep around old baselines to “catch up” older machines / images that come online is that the next time the patch baseline is generated, it will automatically include all of the patches those machines are missing, so they will get patched on the next cycle automatically anyway.
To answer your actual question more directly: when you deploy a set of patches using BigFix/IEM/TEM, make a baseline and deploy it to a set of machines. Then when a new set of machines comes online, you can deploy that baseline to those machines as well. You can also make it a policy action targeting all computers, and it will patch all computers that need them, but will not patch those that already have them.
OK, I got your point, but one more thing: if a new client is installed on a machine which hasn’t been patched before and joins a BigFix network, then can all those patches be applied to it automatically or not? I mean if I choose a policy on previous baselines which were completed. Does a newly installed client get all those patches?
It depends on how you work the Opt-in vs Opt-out and how you deploy your baselines. (there are many options)
If you want non-servers to automatically get patched, then you could have them be Opt-Out but have servers be Opt-In.
There are many ways to control how things happen, but it would be harder to implement something that works well with the baselines you already have open actions for.
You could create all of your baselines in a site called “Patching” and only subscribe the clients to that site that should be patched. The site subscription could be controlled by an automatic group with various relevance to allow clients to be opted-out and servers to be opted-in.
Another option is that all patching is opt-in, but you have a task deployed as a policy that opts-in all non-servers by default.
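An added example (not from any poster in this thread) of the kind of automatic-group relevance the last post describes: workstations are in the “Patching” group unless they carry an opt-out client setting, while servers and domain controllers only join when they carry an opt-in setting. The client setting names `PatchOptOut` and `PatchOptIn` are assumptions; the Windows guard is there because `product type of operating system` only exists on Windows clients.

```relevance
/* Assumed client setting names: PatchOptOut and PatchOptIn (set via "setting" in an action). */
if name of operating system starts with "Win" then
(
  /* Non-servers: in the patching group unless explicitly opted out. */
  (
    product type of operating system = "nt workstation"
    and not exists settings "PatchOptOut" whose (value of it as lowercase = "true") of client
  )
  or
  /* Servers and domain controllers: only in the group when explicitly opted in. */
  (
    product type of operating system != "nt workstation"
    and exists settings "PatchOptIn" whose (value of it as lowercase = "true") of client
  )
)
else false
```

Subscribing the “Patching” site to this automatic group means a new workstation joins the group as soon as its client reports, so the policy baseline actions in that site apply to it without any per-machine targeting.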