Pending restart issue in Patch Compliance report

Hi BigFix masters,

I am stuck in a very critical issue raised by our security team.

Scenario -

Basically, in the BigFix platform, when you deploy a patch and a restart is required for that patch, we are able to see the action status as “Pending Restart”, which is the default behaviour of the BigFix platform.

Our environment consists of servers; in total we have 2000 plus Windows servers.
Now, after deploying the patches on the servers, we have a policy that the reboot of the servers is taken when we get the approval from the application team (which is at the end of the month). Thus patches are deployed in the 2nd week of the month but the reboot of the servers is taken at the month end. My security team generates the patch compliance report in the middle of the month, before the reboot of the servers is taken, as they have to submit the patch compliance report to our management.

Now the main issue comes -
When the security team generates the patch compliance report, the systems which are still in the pending restart state show in the report as remediated and 100% compliant, even though the restart of the server has not happened.

Sometimes what happens is that after rebooting the server the patch fails on the server, and now there is a difference in the compliance report, where our management gets pissed, asking why there is a difference in the report.

Now my security team has started comparing the BigFix tool with another tool, where in the other tool, after deploying the patches on the server, the patch compliance of the system still shows as not compliant until the server is rebooted.

My management is demanding the same behavior from BigFix application.

To summarise the issue -

My management is saying that once you deploy the patch on any server and the server is in the pending restart state, the patch compliance report should not say 100% remediated; it should still show as applicable, and once the system is rebooted and the patch is applied successfully on the system, then the patch compliance report should say 100% remediated.

Can anyone help me in achieving this? I have tried applying the client setting _BESClient_WindowsOS_BypassPendingRestartRelevance on the server and have tested it, but it is not working properly.

Any help in achieving this will be appreciated,

Thanks in advance,
Regards,
kk

Hoping that I have the correct understanding:
We’ve defined a custom property “System pending restart”, just containing the relevance “pending restart”.
This property can be added to an SCM report or Web Report (first add it to SCM under Computer properties).
Looking at reporting, we then have 3 statuses:

  1. not patched
  2. patched and rebooted
  3. patched and pending restart after patching

Usually we try to automatically reboot a server within a defined patch/maintenance window.

I have enabled that same client setting on a few machines that showed no relevant patch Fixlets, and after doing so, those that were in a pending restart state for a patch did start to report the Fixlet of the patch that was pending a restart. I can’t say I’ve explored that setting much, though, to offer any further info.

I’ve seen cases in the past where pending restart may be set by processes unrelated to patches, e.g. a printer driver installation, so it can sometimes lead to false results. There is a registry key that the Windows Update agent will create if a restart is required, so maybe if no patches are missing but the key exists, that could be an indicator of systems that may not have vulnerabilities fully mitigated. The key is “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired”.

Also the system uptime might be a useful element: say if the RebootRequired key exists and the uptime is in excess of 30 days, it’s a good indicator that there could be patches that are not fully applied.
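The check described in this reply (Windows Update RebootRequired key, BigFix BESPendingRestart key, and uptime over a threshold), as an added PowerShell example that is not from the thread or from BigFix. It assumes it runs locally on the server with rights to read HKLM, and the 30-day threshold and the `Get-PendingRestartState` function name are this example's own choices.

```powershell
# Added example: classify a Windows server's reboot state from the two registry keys
# discussed in the thread plus system uptime. Hypothetical function name; not BigFix code.

# Key created by the Windows Update agent when a restart is required (from the reply above).
$WuRebootKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
# Key the BigFix client sets after a patch needing a reboot (path quoted later in the thread;
# the non-WOW6432Node variant is an assumption for 32-bit clients).
$BesRebootKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\BESPendingRestart',
    'HKLM:\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart'
)

function Get-PendingRestartState {
    [CmdletBinding()]
    param(
        # Uptime beyond which a pending restart is treated as stale (30 days per the reply).
        [int]$UptimeLimitDays = 30
    )

    $wuPending  = Test-Path -Path $WuRebootKey
    $besPending = ($BesRebootKeys | Where-Object { Test-Path -Path $_ }).Count -gt 0

    # Uptime derived from the OS boot time; works on Windows PowerShell 5.1 and PowerShell 7.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $uptime   = (Get-Date) - $lastBoot

    # A host with either key set is "patched and pending restart" in the thread's terms;
    # "not patched" cannot be decided here because it needs Fixlet relevance, not the registry.
    $state = if ($wuPending -or $besPending) { 'PatchedPendingRestart' } else { 'NoPendingRestart' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        State               = $state
        WindowsUpdateReboot = $wuPending
        BigFixPendingReboot = $besPending
        UptimeDays          = [math]::Round($uptime.TotalDays, 1)
        # True when a restart is pending AND the box has not rebooted within the threshold:
        # the "likely not fully patched" indicator the reply describes.
        StalePendingRestart = ($wuPending -or $besPending) -and ($uptime.TotalDays -gt $UptimeLimitDays)
    }
}

Get-PendingRestartState | Format-List
```

Piping `Get-PendingRestartState` to `Export-Csv` on each server gives a list that can be reconciled against the patch compliance report, so hosts flagged `PatchedPendingRestart` are not counted as remediated before the month-end reboot.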

Hi @SLB

The issue which we are facing is that after deploying the patches, the action status which we are able to see in the console is “Pending Restart”. When we generate the patch compliance report for the same patch which is under pending restart, where the system is not restarted, the compliance still shows as 100%, which it should not. Until the system is rebooted and the patch is successfully installed on the system, the compliance report should say 0%.

BigFix uses the below registry entry for pending restart.
This entry is created after deploying a patch which requires a reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\BESPendingRestart

If you have the _BESClient_WindowsOS_BypassPendingRestartRelevance setting applied correctly, then the pending restart by itself will not cause the Fixlet to go non-relevant.

Run the relevance clauses through the Fixlet Debugger (use ‘Client Evaluation Mode’) and you should find one of the other relevance clauses returning False. Let us know which Fixlet and which clause returns False before the restart.

It’s much more difficult to detect when the Windows Registry indicates a patch is installed, and then changes that to not-installed after a reboot & rollback.


Hi @JasonWalker, I will definitely evaluate the relevance of the patch. The issue which we are getting is for all the patches, cumulative as well as security patches.