I am evaluating Bigfix as a replacement for Update Expert.
BigFix looks at machines from a vulnerability standpoint - i.e. it shows all relevant fixlets that need to be patched.
Update Expert showed in one screen what was vulnerable (i.e. the patch icon was not green) and what was NOT vulnerable (i.e. the icon was green, indicating it had the patch).
In one screen I got an overview of my patch status from both aspects.
Is there a way to generate a report in Bigfix that shows the PATCHED status of machines - even if Bigfix did not patch it?
Basically, if BigFix says I have 5 machines requiring patch A, I want to see if other machines have already been patched - either by BigFix, a previous test product or even by Windows Update. If it has been patched in some other fashion then I know it's OK to continue that rollout.
I've tried looking at all fixlets, but I only get the "what I'm vulnerable to" view.
The BigFix interface is definitely oriented towards showing you what problems you currently have (rather than what problems you used to have). This is by design, but it doesn't mean the data isn't there.
If you go into web reports, open up a “Single Computer Report” (under “Create” > “All Computers”), then you can see all the relevant AND remediated Fixlets. The remediated Fixlets will include things that were fixed outside of BigFix (i.e., windows update, other systems, etc.)… But note that BigFix Agent will only report on things that were remediated after it was installed.
Ben
Hello Ben. I'm working on a project to evaluate BigFix for a customer in Spain.
They have a policy for patching deployment in basically 3 steps:
Report with the original patch status (like the systeminfo or psinfo report)
Apply patches
Report with the new patch status
but of course they want to see the info of any patch in the system, installed by any process (BigFix, WSUS, Windows Update, etc).
Is it possible to get this report with BigFix? What about the patches installed before agent deployment?
I'm thinking of using the pre & post execution action script to run some tool like psinfo and send the report by email.
I would encourage you to look at the computer from the standpoint of "what is needed" rather than "what is installed". "What is installed" is poorly defined… For example, what if you install 3 patches, then install a service pack that installs the 3 patches and 20 other patches? Most of the time, the 3 patches are actually removed by the SP, so should you consider the 3 patches installed or not?
So my suggestion would be:
Run a single computer report.
Apply all the patches.
Run a single report again.
This will tell you what is needed and you will see the difference in the before / after (including any patches done by other systems)…
But… if they demand to see a list of the installed patches (even before BigFix arrived on their system), you can look at the "installed applications" analysis and I believe that it will contain the KB numbers of the patches that are installed… Again, I don't recommend you explore this option because we believe that looking at what is installed is the wrong way to do patch management (because you should be looking for what is missing)…
I agree with you. But for their "auditing policies" we need to save a "photo" of the system before & after. I made a simple script to run as pre & post action and they are testing it now.
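An added example, not from this thread and not BigFix's or the poster's own script, of the before/after "photo" comparison discussed above: it parses two constructed systeminfo-style hotfix listings, reports which KBs appeared or disappeared between the snapshots (a disappearance being the service-pack supersession case Ben describes), and lists which required KBs are still missing afterwards, since that missing list is the one that matters. The KB numbers and the `required` list are placeholders.

```python
from __future__ import annotations
import re

# Constructed sample snapshots in the layout of the "Hotfix(s)" section
# of `systeminfo` output. KB numbers are placeholders, not real patches.
BEFORE = """\
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000003
"""

AFTER = """\
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000004
                           [03]: KB1000005
                           [04]: KB1000006
"""

# Matches entries such as "[02]: KB1000004" and captures the KB identifier.
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_hotfixes(report: str) -> set[str]:
    """Return the set of KB identifiers listed in a systeminfo-style report."""
    return set(KB_RE.findall(report))


def diff_snapshots(before: str, after: str) -> dict[str, list[str]]:
    """Compare two snapshots: what was added, what vanished, what stayed."""
    b, a = parse_hotfixes(before), parse_hotfixes(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),  # e.g. patches folded into a service pack
        "unchanged": sorted(a & b),
    }


def audit(before: str, after: str, required: list[str]) -> dict[str, list[str]]:
    """Snapshot diff plus the list of required KBs still absent afterwards."""
    result = diff_snapshots(before, after)
    result["still_missing"] = sorted(set(required) - parse_hotfixes(after))
    return result


if __name__ == "__main__":
    # Hypothetical rollout: KB1000004 was delivered, KB1000007 was not.
    for key, kbs in audit(BEFORE, AFTER, ["KB1000004", "KB1000007"]).items():
        print(f"{key:>13}: {', '.join(kbs) or '-'}")
```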