Patching from multiple baselines with recurring attempts

I have an ongoing effort to deploy all missing patches, as I’m sure you all do … : )

Currently, I have a baseline built for each month of Microsoft security updates, and there are a number of them that have relevant targets in them. I have a nightly wake-on-LAN notification going out. I’d like to be able to have the baselines reattempting on a nightly basis, so I can cover for some of the targets that will take multiple days to find available during the patch window, and so that I can generate a list of machines that I’m never reaching (to resolve later).

I know how to configure a recurring attempt at applying a single baseline, but what if I wanted to do more than one? What if I had five of them re-attempting nightly? If I told them all to reattempt every night from midnight to 4am, would this be safe? I imagine if an action is already in progress, the first baseline to check in will secure priority until it’s finished, and the rest will either fail or wait until it becomes available… or would it be a train wreck waiting to happen? My end goal is really just to have it keep trying without having to constantly fiddle with targets, baselines and schedules. I’m hoping this is feasible?

As long as the overall window of the attempt is wide enough (an hour or more) you shouldn’t have any problem doing this.

You could have dozens of baselines occur during this window. The important thing to keep in mind is that most of your machines won’t have any missing patches so the time to process the baseline will be essentially nil.

Only the machines missing lots of patches may end up taking longer than a single evening to finish patching but once they are caught up it won’t be an issue at all.

The only thing I would do is set your expectations that if you have a machine missing 100+ patches it may take a couple of days to finish patching!

You could easily use the “Download files before action constraints are satisfied” option or pre-cache the fixlets so that when the time comes they can just start installing and don’t have to worry about downloading the patches.


Thanks. I was mostly concerned that they’d try to run at the same time and get into a weird state; it’s good to hear that this method doesn’t create issues. I think my expectations are in line with it taking several passes to get everything out!

Something else to note is that other things may become relevant only after certain patches are installed. Meaning, if you have a lot of patches missing, and you patch what those machines were applicable to, you may have another 10-20 new patches come up relevant after that baseline runs, and you may have to create another baseline for those. This happened to me when I first stood up BigFix and was catching up on years of bogus patching methods. Only time will tell, particularly if your environment is not consistent and patching is all over the place.

If you’ve got a four hour window you should be in great shape even if you’re missing a ton of patches!

The BigFix agent for the most part does things one at a time – you can have hundreds of actions applying to a client and you’re still in great shape.

Please post if you have any other questions or if you run into any issues!

Only one action will execute at a time, so there won’t be a problem of multiple setup.exe or wusa.exe executing at the same time.

Multiple baselines can be active, but only one component action actually executes. Within a baseline the components run in order. What I mean is that the install sequence could actually occur like

…etc but only one patch runs at a time.