Registry Key at endpoint Device

fahmi 2023-01-06 14:31:31 UTC #1

Dear All

I have third party device that integrate with BigFix, and currently the third party agent able to detect BigFix agent running based on services (Bes Client). In addition, I also need to check if the endpoint already patch from BigFix, is there any Registry Key or Registry String that I could check on the endpoint part?

Please help me to solve this issue,
Thank you

Aram 2023-01-06 15:36:37 UTC #2

Hello!

I’d suggest taking a look at the BigFix Client Compliance API for this scenario. You can define (in very granular detail) what sort of Patch (or other) checks you’d like to occur.

fahmi 2023-01-07 08:04:16 UTC #3

Hello Aram

I think you are the right person i need to ask, i’m using third party agent that required to get registry key for BigFix Agent that show that endpoint already patch or get an update from BigFix.

I found that at Registry Editor List of registry key for BigFix

May i know which of this list that show that the endpoint already got an update from BigFix?

Please help.
Thank You

fahmi 2023-01-10 01:32:16 UTC #4

Dear @Aram based on your suggestion i think most suitable way for my third party agent to check is based on registry, but which one that show that endpoint receive patch from BigFix ya?

JasonWalker 2023-01-10 01:52:21 UTC #5

There’s no Registry key that indicates patch status on the client.

fahmi 2023-01-10 02:57:19 UTC #6

Dear @JasonWalker okay understood. but at the registry list is there a registry that show the endpoint last communication with BigFix if have ?

Thank You

Aram 2023-01-10 14:01:44 UTC #7

The ‘Last Report Time’ is not maintained in the registry…nor is it an indication at all as to whether or not the BigFix Client patched or updated the machine.

Let’s maybe dig into more details on what you mean by:

What does your patch process with BigFix look like? What specifically would you like to check as it relates to ‘patch from BigFix’? (given that new patches are released all the time, what should this logic look like?) Asked maybe a different way, what specific questions would you like to be able ask the BigFix Client? For instance, one question might be: Are there any outstanding critical OS patches from the last 60 days?

At a high level, I see at least 2 potential paths for what I think you’re trying to do:

Likely the better approach: Leverage the Client Compliance API I reference above in order to be able to ask very specific and granular questions as to the state of compliance of the device (could be patch-related compliance, could be other things included such as Endpoint Protection status, or a combination of things, etc…). The answer to these questions can be made available to you via the BigFix Client Compliance API to inform your 3rd-party agent.
Alternatively, you could make some adjustments to your patching processes within BigFix to output a value in the registry (perhaps a timestamp?), either on an on-going basis as a policy, or after a patch attempt (or even a successful patch attempt with a bit more work).

GwyndafDavies 2023-01-11 11:58:21 UTC #8

I had a similar use case where there was a third-party network security tool that checked basic machine compliance before allowing it on the corporate network, otherwise it would only allow joining the guest network.
One of these validated the presence of BigFix agent and the other the patched state.
I created a BigFix property that would check if the machine had been patched within the last 30 days. The compliance check then had to satisfy two things:
1: The BigFix agent was installed and running
2: The registry key showed true for patched within the last 30 days. (Local evaluation of the property against Microsoft patch registry keys, evaluating every 15 minutes)

Other things to consider for the use case I described (in case yours is similar) - ideally the systems need to have the ability to fall back and communicate with BigFix over a public Relay, to avoid machines stuck in limbo and allow patching to happen off the corporate network.
Patches installed within the last 30 days does not necessarily mean the system is fully patched or is pending a restart - we had other mechanisms deployed via BigFix to ensure this and cover all bases. The compliance check was more belt and braces and a minimum threshold.

fahmi 2023-01-12 06:04:54 UTC #9

Dear @GwyndafDavies

True, your use case are similar with mine, but on my side I already perform checking whether the endpoint is install and running based on File repository and Services at third party Agent.

As for the Patch checking I didn’t manage to find it at registry to check if the endpoint is patch (event minor patching consider comply) or not. Could you able to highlight to me at which registry key showed true for patched ya ?

Thank You