Query fixlets based on criteria, looking for security windows patches and create baseline based on output

hey All,

Don't know why, but I struggle to create a simple query that will query fixlets with category "Critical Update" or "Security Update" and create a custom baseline that will contain all those updates.

Tried a few of the following queries, but all of them pop errors for me. I would really appreciate help here.

number of relevant fixlets whose (fixlet flag of it AND (category of it = "Security Update" OR category of it = "Security Hotfix" OR category of it contains "Critical Update")) of sites

number of relevant fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND (category of it = "Security Update" OR category of it = "Security Hotfix" OR category of it contains "Critical Update")) of members of bes computer group whose (name of it = "xxx")

unique values of names of relevant fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND (category of it = "Security Update" OR category of it = "Security Hotfix" OR category of it contains "Critical Update")) of members of bes computer group whose (name of it = "")

It would be useful to show what errors are being displayed.

Where are you running these queries? These appear to be Session Relevance, so they won’t work on the client / Fixlet Debugger.

This post may be helpful, where I discuss a bit the difference between 'client relevance' and 'session relevance': Passing relay property to client in software deployment task

It looks like you're mixing the two, and I'm not sure whether you're trying to run this on the client (in an Analysis / Fixlet Debugger) or in a server session (Web Reports, Dashboard, REST API).

If you’re trying to run this on the client, the ‘fixlet’ type is more limited than in Session Relevance. There are no ‘fixlet flag’ or ‘category’ properties. What we do have on the client though are ‘headers of fixlet’ which we can use to apply the same kind of filters. In the Fixlet Debugger, this must be run in client context (Evaluate -> Evaluate Using -> Local Client):

q: number of relevant fixlets whose (value of header "X-Fixlet-Type" of it = "Fixlet" AND value of header "X-Fixlet-Category" of it is contained by set of ( "Security Update"; "Security Hotfix" ; "Critical Update")) of sites
A: 1
T: 0.033 ms

If you're trying to do this in Session Relevance (API, Web Report, Dashboard, etc.), then we can use the 'bes fixlet' properties for 'fixlet flag' and 'category'. But there is no 'relevant fixlets' property, because this queries against all computers, and a fixlet may be relevant on one computer and not relevant on another; instead I'll check for 'exists applicable computers of it'. This query should work in a Web Report or REST query:

number of bes fixlets whose (fixlet flag of it and exists applicable computers of it and category of it is contained by set of ( "Security Update"; "Security Hotfix" ; "Critical Update"))

Based on your question, I think you may want to look at the “Patch Channels” Dashboard.


Thanks for the tip about changing evaluation to Local Client; your query works great. I have adjusted it a bit and got names of fixlets instead of a number, however I'm not getting the expected output: I lack a lot of patches, for example security patches from this month are missing. If I query against the local client, will that show me only the fixlets/patches which are applicable to the computer from which I'm running the BigFix Fixlet Debugger? What I need here are all available, not superseded fixlets for Windows Server patches, the same list that I can see in the BigFix Console. Any clue how I can achieve that?

Yes, if you’re using the Fixlet Debugger and evaluating the first query, at the client, then you’ll only see the fixlets applicable to that machine. The client doesn’t know about any of the other computers in the deployment.

If you want to report across all computers, you’d need to use Session Relevance. See the post I linked about the differences between Client Relevance and Session Relevance. Session Relevance will need to be sent through the REST API, or embedded into a custom Web Report, since it evaluates on the server instead of on a client.

OK, got you. I have a bit of a different requirement here: I don't want to run this query against a specific machine or machines. What I need is something (probably relevance) that will query BigFix directly and give me a list of all available fixlets based on search criteria, where the criteria are Windows security patches, and then create a baseline that will contain all fixlets from this search. Is it even possible to do something like this?

Ah, ok, I think I understand it now.
First I want to ask, whether you’re familiar with how to navigate these in the Console? You may not need to build a custom query at all.

Navigate to Computer Groups and select a group. In the bottom right pane, select the “Relevant Fixlets” tab. Then you can navigate the tree by Site, Severity, Category to filter fixlets. Select the Fixlets, right-click, and Add to New Baseline.

Another option is to use the Patch Management Domain (selected from the bottom-left of the Console Tree) which gives more options for navigating the fixlets by Vendor, Category, Severity, etc. – and only Relevant fixlets are shown. You can use CTRL-Click in the left tree to select multiple Categories or Severities, then select fixlets in the right pane, right-click, and ‘Add to New Baseline’

Yes, this is how we do it now, and here is the problem: we do it manually every month and want to have it automated. The idea here is to have a task with relevance scheduled as an action that will run every second Tuesday of the month, when Microsoft patches are published; this action would query for fixlets and create a baseline for us with all new patches :slight_smile:

Is it a good way to achieve that, with a task that would be scheduled as an action, and under this task there would be relevance to query what we need + baseline creation?

I think you want Patch Channels


@DerrickD - Do you have a link to Patch Channels?
@Krzysztof - I've done something similar with PowerShell and the REST API:

  • Use Query API to get the Relevant Patches with filtered Severity and External Sites.
  • Create Baseline XML with the new Content
  • Update a Baseline with the Updated Baseline XML

@orbiton this sounds awesome, would you be able to share some examples from your code? From a quick look I thought it wouldn't be possible to do it via PS and the API; I probably missed something.
@DerrickD not sure what Patch Channels are, Google doesn't say much about them; tbh I've never heard of them. Would you be able to elaborate on this more?

Looks like HCL needs to do some updates around here on their content :smiley: Some of the links are broken.

There have been a couple of webinars/events with demos. HCL doesn't seem to have a way to search past webinars, and I'm not sure how to search BigFix Days recordings either. Even the forum isn't turning up much for "Patch Channels" :frowning:

https://www.google.com/search?q=bigfix+"patch+channels"+site%3Awww.hcl-software.com
https://forum.bigfix.com/search?q=%22patch%20channels%22

Here is what it looks like. You put in all those parameters and it generates a baseline on a schedule.
If I can find a better link, I’ll share.


Thanks @orbiton for your comment, you showed me the correct way to do this, via the REST API. I was hitting a wall with my head trying to combine these queries using the BigFix Debugger. Thanks @JasonWalker for explaining in detail how the debugger works in the background.

Managed to create a PS script that queries fixlets and creates custom copies of them in a custom site; here is the query:

(id of it, name of it) of fixlets whose( (Category of it is "Security Update" OR Category of it is "Update" OR Category of it is "Critical Updates" OR Category of it is "Service Pack")
AND name of it does not contain "superseded"
AND name of it does not contain "SharePoint"
AND name of it does not contain "Visual Studio"
AND name of it does not contain "Lync Server"
AND name of it does not contain "Exchange Server"
AND name of it does not contain "Office Web App"
AND name of it does not contain "Office"
AND name of it does not contain "Access"
AND name of it does not contain "OneDrive"
AND name of it does not contain "Excel"
AND name of it does not contain "Update rollup"
AND name of it does not contain "Hyper-V"
AND name of it does not contain "OneNote"
AND name of it does not contain "Microsoft Defender"
AND name of it does not contain "Skype for Business"
AND name of it does not contain "Microsoft Project"
AND name of it does not contain "Microsoft PowerPoint"
AND name of it does not contain "Microsoft Publisher"
AND name of it does not contain "Microsoft Visio"
AND name of it does not contain "Microsoft Outlook"
AND name of it does not contain "Microsoft Word"
AND name of it does not contain "MDM client"
AND name of it does not contain "UPDATE:"
AND name of it does not contain "Install"
AND name of it does not contain "Upgrade"
AND name of it does not contain "Uninstall"
AND applicable computer count of it > 0
) of bes sites whose(name of it = "Enterprise Security")

and then another script that creates a baseline, with component groups including those patches. Everything works like a charm. 2 hours of manual work done in 30 seconds.

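The three steps orbiton lists (query the REST API with session relevance, build the baseline XML, push the baseline) and the final query Krzysztof posted, worked through as an added example. This is not code from the thread or from HCL; it is written in Python (stdlib only) rather than PowerShell so the parsing and XML-building steps can be run offline against the constructed sample responses embedded below. Assumptions, not taken from the page: the gather URL used as SourceSiteURL for the "Enterprise Security" site, the default action being read from each fixlet's `DefaultAction` element via `/api/fixlet/external/...`, and the BES baseline element layout, which you should check against the BES.xsd shipped with your root server version before trusting it in production. It also illustrates Jason Walker's point that session relevance is evaluated by the server: the query goes to `/api/query`, never to a client.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Session relevance in the shape of the thread's final query, reduced to the
# category/supersedence filter; the long "name of it does not contain" list
# from the post can be appended unchanged.
RELEVANCE = (
    '(id of it, name of it) of fixlets whose ('
    '(category of it = "Security Update" OR category of it = "Critical Updates")'
    ' AND name of it does not contain "superseded"'
    ' AND applicable computer count of it > 0'
    ') of bes sites whose (name of it = "Enterprise Security")'
)
SITE_NAME = "Enterprise Security"
# Assumption: gather URL of the Enterprise Security external site; it becomes
# the SourceSiteURL of every baseline component.
SITE_URL = "http://sync.bigfix.com/cgi-bin/bfgather/bessecurity"


def parse_query_result(xml_text):
    """Turn a /api/query response into [(fixlet_id, name), ...].

    Each <Tuple> carries one <Answer> per column of the relevance expression.
    """
    rows = []
    for tup in ET.fromstring(xml_text).iter("Tuple"):
        answers = [a.text or "" for a in tup.findall("Answer")]
        if len(answers) != 2:
            raise ValueError(f"expected 2 columns, got {answers}")
        rows.append((int(answers[0]), answers[1]))
    return rows


def default_action_name(fixlet_xml):
    """Read the default action ID (usually "Action1") from a fixlet's BES XML."""
    action = ET.fromstring(fixlet_xml).find(".//DefaultAction")
    if action is None or not action.get("ID"):
        raise ValueError("fixlet has no DefaultAction; choose an action explicitly")
    return action.get("ID")


def build_baseline_xml(title, components, site_url=SITE_URL):
    """Build BES baseline XML (assumed layout) from [(id, name, action), ...].

    A single BaselineComponentGroup holds every patch; IncludeInRelevance="true"
    makes the baseline relevant wherever any component is relevant.
    """
    bes = ET.Element("BES")
    baseline = ET.SubElement(bes, "Baseline")
    ET.SubElement(baseline, "Title").text = title
    ET.SubElement(baseline, "Description").text = "Generated from session relevance"
    ET.SubElement(baseline, "Relevance").text = "true"
    collection = ET.SubElement(baseline, "BaselineComponentCollection")
    group = ET.SubElement(collection, "BaselineComponentGroup")
    for fixlet_id, name, action in components:
        ET.SubElement(group, "BaselineComponent", Name=name, IncludeInRelevance="true",
                      SourceSiteURL=site_url, SourceID=str(fixlet_id), ActionName=action)
    return ET.tostring(bes, encoding="unicode")


def bes_request(server, user, password, method, path, body=None, cafile=None):
    """Authenticated call to the root server REST API on port 52311.

    TLS verification stays on: pass the root server's CA certificate through
    `cafile` rather than disabling verification for a self-signed server.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{server}:52311{path}", data=body, method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile),
                                timeout=60) as resp:
        return resp.read().decode("utf-8")


def create_baseline_from_query(server, user, password, custom_site, title, cafile=None):
    """Steps 1-3: query, resolve each fixlet's default action, POST the baseline."""
    query_path = "/api/query?relevance=" + urllib.parse.quote(RELEVANCE)
    rows = parse_query_result(bes_request(server, user, password, "GET", query_path, cafile=cafile))
    components = []
    for fixlet_id, name in rows:
        fixlet_path = f"/api/fixlet/external/{urllib.parse.quote(SITE_NAME)}/{fixlet_id}"
        fixlet_xml = bes_request(server, user, password, "GET", fixlet_path, cafile=cafile)
        components.append((fixlet_id, name, default_action_name(fixlet_xml)))
    body = build_baseline_xml(title, components).encode("utf-8")
    create_path = f"/api/baselines/custom/{urllib.parse.quote(custom_site)}"
    return bes_request(server, user, password, "POST", create_path, body, cafile=cafile)


# Constructed sample responses (not captured from a real server) so the
# parse/build steps run offline.
SAMPLE_QUERY_RESPONSE = """<BESAPI><Query><Result>
<Tuple><Answer type="integer">100</Answer><Answer type="string">Example Security Update A</Answer></Tuple>
<Tuple><Answer type="integer">101</Answer><Answer type="string">Example Security Update B</Answer></Tuple>
</Result></Query></BESAPI>"""
SAMPLE_FIXLET = """<BES><Fixlet><Title>Example Security Update A</Title>
<DefaultAction ID="Action1"><Description><PreLink>Click </PreLink><Link>here</Link>
<PostLink> to deploy.</PostLink></Description></DefaultAction></Fixlet></BES>"""

if __name__ == "__main__":
    rows = parse_query_result(SAMPLE_QUERY_RESPONSE)
    comps = [(i, n, default_action_name(SAMPLE_FIXLET)) for i, n in rows]
    print(build_baseline_xml("Windows Security Patches (generated)", comps))
```

For the monthly run, call `create_baseline_from_query()` from a scheduled job on a box that holds a dedicated, least-privilege API operator (rights limited to the custom site the baseline lands in), and keep the credentials out of the script. Re-running the query after Patch Tuesday will include fixlets that superseded last month's, so review the generated baseline in the Console before targeting it.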