While performing a Security Update / Patch using BigFix Fixlets on targeted Windows servers (or any platform), the action performs its tasks by validating whether the Fixlet is relevant to the target machine or not. If it is relevant, the action is performed (installation begins). Once the installation is completed, the action state becomes Completed, but the action does not validate the real outcome of the action (whether the patch in question is installed or not).
We have a situation here. We are using BigFix to manage 400+ servers and 3000+ endpoints for patching. Post patching, we validate patching compliance using the BigFix action and BigFix Web Reports, where we have noticed something unusual: in BigFix Web Reports and in the action it shows “Completed” and “Compliant”, but when we physically logged in to the server, the particular patch / security update is not installed.
To validate the same, we developed an Analysis to find whether a particular patch (KB article) is installed or not on Windows Server, and found 200+ servers on which the latest patch / security update we deployed using the BigFix Fixlet/action is not installed. (This particular Analysis, i.e. validating the actual impact of the action, provides a more reliable result.) The product must have the same.
To figure out more on this, we created a Priority 1 ticket with HCL BigFix (CS0980393). Based on detailed investigation and multiple remote sessions, and even involving the R&D / developer team, they identified that it is a BUG in the product, where it is not showing the actual result.
And they shared this link to submit the idea to the portal for further enhancement of the product.
To reproduce the same scenario, we deployed multiple relevant actions to the targeted server, where we can see Compliant in BigFix Web Reports and Completed in the action, but actually it is not installed on the targeted machines.
To address this:
– We should have a validation mechanism to validate whether the applicable Fixlet / patch is successfully installed or not.
– If the action is performed on the target machine, that does not necessarily mean the Fixlet is installed as expected; we should have an additional layer of validation of whether it is properly installed or not.
– BigFix Web Reports also shows the machine in a compliant state and the relevant Fixlet installed, but actually it is not compliant.
It becomes a security threat for the organization, where we trust that we have performed the security update and met compliance, but actually have not.
The BigFix product must have this feature enabled by default, to validate whether a certain patch is installed or not.
I believe you are not understanding the BigFix product correctly or are having some issues with the way you are auditing the system.
If you think there’s an error, please include the specific KB numbers you are expecting to find on the system after installation, which Fixlet you used to deploy it, and a screenshot from “Installed Updates” in Add/Remove Programs showing the install date.
What’s very likely is that Microsoft’s confusing method of showing “wrapper articles” with a KB number, that then install any number of different KB number patches based on OS or application config, has confused you into searching for the wrong KB.
BigFix Relevance already performs the kind of validation for which you appear to be asking.
Another useful data point might be to try reinstalling the missing patch, manually, and see whether it gives a message that it’s already installed, or installs and adds an entry to Add/Remove Programs.
As @JasonWalker said, “wrapper articles” are very common in .Net patches.
Also, are these systems being rebooted before evaluating success? A patch may show completed and compliant after the pre-reboot, post-patching process, but it is not complete until the reboot occurs and the patch survives the reboot. I notice, as you did, that it will not show as installed while logged into the OS if the patch is installed and waiting for a reboot.
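The two checks discussed in this thread, an independent "is the KB actually present" audit like the custom analysis the original poster describes, and the "is a reboot still pending" question raised in the reply above, can be run directly on a target server with PowerShell. The script below is an added example for this page, not the original poster's analysis and not HCL/BigFix code. It assumes the KB numbers to check are passed as a parameter (the `-KB` parameter name and the `Test-PendingReboot` function name are this example's own), and that it runs elevated on the endpoint.

```powershell
# Added example (not from the original post or from BigFix): report, per KB, whether
# the update is present on this machine and whether a restart is still pending, so that
# "action Completed" can be compared against what the OS itself says.
# Usage (elevated):  .\Check-KB.ps1 -KB KB5005565,KB5005573   (KB IDs here are placeholders)
param(
    [Parameter(Mandatory = $true)]
    [string[]]$KB   # KB article IDs to audit, with or without the "KB" prefix
)

function Test-PendingReboot {
    # Registry locations Windows uses to signal that a restart is required:
    # component servicing (CBS), Windows Update, and deferred file renames.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $sm.PendingFileRenameOperations)
}

# Get-HotFix wraps Win32_QuickFixEngineering: the OS's own list of installed KBs.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$pending   = Test-PendingReboot
$lastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

foreach ($id in $KB) {
    # Normalise "5005565" and "KB5005565" to the form Get-HotFix reports.
    $norm = if ($id -match '^(?i)KB') { $id.ToUpper() } else { "KB$id" }

    $state = if ($installed -contains $norm) {
                 'INSTALLED'
             } elseif ($pending) {
                 'MISSING (reboot pending - re-check after restart)'
             } else {
                 'MISSING'
             }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        KB            = $norm
        State         = $state
        RebootPending = $pending
        LastBoot      = $lastBoot
    }
}
```

Two caveats when reading the output. First, as the replies above note, a "wrapper" KB can install a differently numbered child KB, so check the KB that the Fixlet actually lays down rather than the one in the Fixlet title; Get-HotFix also does not list every update type (some MSI-based and .NET updates appear only under Installed Updates). Second, a MISSING result with RebootPending set to True is exactly the pre-reboot state described above and should be re-run after the restart before it is counted as a failed deployment.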
Thanks for sharing your insight on this. However, we have done that research and gathered those data points along with the BigFix internal technical team, and even with their R&D / developer team.
They have found gaps in the status tagging “Completed / Compliant” in both the BigFix console and BigFix Web Reports.
We have done multiple experiments on patching Windows Servers with cumulative and security updates and found:
The BigFix console shows it as completed, and the same is replicated in BigFix Web Reports as compliant.
Note: we initiated the patch using BigFix and also rebooted the machine through BigFix; we noticed the machine rebooted successfully.
But when we really look into the machine by logging in, we find the particular patch is not installed.
This is not just a simple statement by myself; this is agreed by the OEM, who are working on the same.
Meanwhile we are validating patch compliance by creating a custom analysis, and it provides a more reliable status.
We need to look deep into this and address it: am I alone in facing this issue, or are all the admins?
Again, I’d have to ask you for the specific KB numbers that seem to be giving you an issue.
What you are describing is not expected behavior. It’s possible there is some configuration issue, either in the Fixlet relevance or something specific to your platform, triggering a false negative, but what you describe seems an unlikely edge case. I’ve not seen behavior like that in other customers, but you haven’t given me much to look for yet.