Registry Key at endpoint Device

Dear All

I have a third-party device that integrates with BigFix, and currently the third-party agent is able to detect the BigFix agent running based on services (BES Client). In addition, I also need to check if the endpoint has already been patched from BigFix. Is there any Registry Key or Registry String that I could check on the endpoint side?

Please help me to solve this issue.
Thank you

Hello!

I’d suggest taking a look at the BigFix Client Compliance API for this scenario. You can define (in very granular detail) what sort of Patch (or other) checks you’d like to occur.

1 Like

Hello Aram

I think you are the right person I need to ask. I'm using a third-party agent that is required to get a registry key for the BigFix Agent that shows that the endpoint has already been patched or got an update from BigFix.

I found this list of registry keys for BigFix in the Registry Editor.

May I know which entry in this list shows that the endpoint has already got an update from BigFix?

Please help.
Thank You

Dear @Aram, based on your suggestion I think the most suitable way for my third-party agent to check is based on the registry, but which key shows that the endpoint received a patch from BigFix?

There’s no Registry key that indicates patch status on the client.

Dear @JasonWalker, okay, understood. But in the registry list, is there a key that shows the endpoint's last communication with BigFix, if there is one?

Thank You

The ‘Last Report Time’ is not maintained in the registry…nor is it an indication at all as to whether or not the BigFix Client patched or updated the machine.

Let’s maybe dig into more details on what you mean by:

What does your patch process with BigFix look like? What specifically would you like to check as it relates to ‘patch from BigFix’? (given that new patches are released all the time, what should this logic look like?) Asked maybe a different way, what specific questions would you like to be able to ask the BigFix Client? For instance, one question might be: Are there any outstanding critical OS patches from the last 60 days?

At a high level, I see at least 2 potential paths for what I think you’re trying to do:

  1. Likely the better approach: Leverage the Client Compliance API I reference above in order to be able to ask very specific and granular questions as to the state of compliance of the device (could be patch-related compliance, could be other things included such as Endpoint Protection status, or a combination of things, etc…). The answer to these questions can be made available to you via the BigFix Client Compliance API to inform your 3rd-party agent.
  2. Alternatively, you could make some adjustments to your patching processes within BigFix to output a value in the registry (perhaps a timestamp?), either on an on-going basis as a policy, or after a patch attempt (or even a successful patch attempt with a bit more work).

I had a similar use case where there was a third-party network security tool that checked basic machine compliance before allowing it on the corporate network, otherwise it would only allow joining the guest network.
One of these validated the presence of the BigFix agent and the other the patched state.
I created a BigFix property that would check if the machine had been patched within the last 30 days. The compliance check then had to satisfy two things:
1: The BigFix agent was installed and running
2: The registry key showed true for patched within the last 30 days. (Local evaluation of the property against Microsoft patch registry keys, evaluating every 15 minutes)

Other things to consider for the use case I described (in case yours is similar) - ideally the systems need to have the ability to fall back and communicate with BigFix over a public Relay, to avoid machines stuck in limbo and allow patching to happen off the corporate network.
Patches installed within the last 30 days do not necessarily mean the system is fully patched or is not pending a restart - we had other mechanisms deployed via BigFix to ensure this and cover all bases. The compliance check was more belt and braces and a minimum threshold.

2 Likes
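An added example (not code from this thread, from BigFix, or from GwyndafDavies) of the second path Aram outlines and the property GwyndafDavies describes: a PowerShell script, intended to be run on the endpoint by a recurring BigFix policy action, that evaluates the two checks (agent running, patched within 30 days) plus the pending-restart caveat and publishes the result to a registry key the third-party agent can read. The service name BESClient, the output key under HKLM:\SOFTWARE\ExampleOrg, and the 30-day window are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread or from BigFix.
# Assumed values: service name 'BESClient', a hypothetical output key, and a 30-day window.
$WindowDays  = 30
$ServiceName = 'BESClient'
$OutKey      = 'HKLM:\SOFTWARE\ExampleOrg\BigFixCompliance'   # hypothetical key for the agent to read

# Check 1: the BigFix agent service is present and running.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$agentRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# Check 2: the most recent installed Windows update falls inside the window.
# Get-HotFix lists installed updates (QFE entries); some entries have no InstalledOn
# value, so those are skipped before taking the newest date.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
$patchedRecently = ($null -ne $lastPatch) -and ($lastPatch -ge (Get-Date).AddDays(-$WindowDays))

# Caveat from the thread: a recent patch may still be waiting on a restart.
# These two keys are the standard Windows markers for a pending reboot.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

# Overall verdict: agent running, patched recently, and no restart outstanding.
$compliant = $agentRunning -and $patchedRecently -and (-not $rebootPending)
$lastPatchText = if ($lastPatch) { $lastPatch.ToString('o') } else { '' }

# Publish the individual results and the verdict for the third-party agent.
if (-not (Test-Path $OutKey)) { New-Item -Path $OutKey -Force | Out-Null }
Set-ItemProperty -Path $OutKey -Name 'AgentRunning'        -Value ([int]$agentRunning)    -Type DWord
Set-ItemProperty -Path $OutKey -Name 'PatchedInWindow'     -Value ([int]$patchedRecently) -Type DWord
Set-ItemProperty -Path $OutKey -Name 'RebootPending'       -Value ([int]$rebootPending)   -Type DWord
Set-ItemProperty -Path $OutKey -Name 'Compliant'           -Value ([int]$compliant)       -Type DWord
Set-ItemProperty -Path $OutKey -Name 'LastPatchInstalledOn' -Value $lastPatchText         -Type String
Set-ItemProperty -Path $OutKey -Name 'EvaluatedAtUtc' -Value ((Get-Date).ToUniversalTime().ToString('o')) -Type String
```

Because the values are only as fresh as the last run, the agent should also compare EvaluatedAtUtc against the policy's evaluation interval rather than trusting a stale Compliant flag.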

Dear @GwyndafDavies

True, your use case is similar to mine, but on my side I already perform the check of whether the endpoint is installed and running based on the file repository and services in the third-party agent.

As for the patch checking, I didn't manage to find anything in the registry to check whether the endpoint is patched (even minor patching is considered compliant) or not. Could you highlight to me which registry key showed true for patched?

Thank You