Resetting reporting interval won't stick

I’m working on some content that will update “_BESClient_Report_MinimumInterval” if they are on the DMZ. We do have other content setting our default to 4 hours, but I want 10 minutes for our road warears (for a few reasons).

My problem is, I have disabled the default policy that pushes 14400, and try changing the value to 600… but for some reason it keeps getting set back to 14400. I’m tailing the logs and I don’t see anything in the logs showing it getting set back to 14400 via any other action. I can only tell the setting has changed by checking the _BESClient_Report_MinimumInterval registry setting.

Is there some other way values can be enforced that would not show up in the logs?

I have also enabled debugging mode and the only changes to _BESClient_Report_MinimumInterval were for the 600 value change. Nothing with the 14400 change.

Anything weird with the “effective date” of the values?

1 Like

There would have to be an action somewhere performing this. You can look at the action history on the endpoint (its in the sqlite file) and see what is happening but there is nothing that will automatically set a value to something else built into the platform.

The only issue would be if the setting was outside the legitimate range it would refuse to set the value but neither of those values are outside the range.

I sort of found a breadcrumb. I started up Process Monitor to watch that key. It’s being updated by wmiprvse.exe. I’m not sure what’s spawning it, but I can see my DMZ policy and the process fighting over that registry value. Still digging.

1 Like

Could this be from GPO or some other mechanism that is setting the value?

4 hours? wow, that seems high. I’d expect this to not be higher than once every hour in the extreme case.

Yea, I am thinking to lower it. I inherited this beast!

Good call, wmiprvse sounds like a GroupPolicy.

You should be able to see if that’s the case using gpresult /h c:\report.htm, then open the output file in a browser. This would likely show up as ‘additional registry settings’

1 Like

I see nothing that I can recognize from GPOs that manages the keys for any BigFix registry settings.

1 Like

Hmm could also be Remote Registry or Task Scheduler then.

Any other monitoring tools in place that might try to enforce configuration settings?

1 Like

Well there, you, go…

Turns out the desktop team has a script messing with these values. Now I need to work with them. :-/

Thanks for your help guys.

3 Likes

Hahaha, nice. I think we’ve all been there. Good work figuring it out!

If their goal was to reduce the impact / footprint of BigFix on the end user, then this value is not what I would change.

I would strongly recommend this setting, especially for laptops and VMs:

It causes bigfix to pause the evaluation loop for 10 minutes if it does not detect any changes in applicability, then it will do the eval loop again, then if nothing changes, pause for another 10 minutes. This drastically reduces the ongoing idle CPU usage of the client. 10 minutes is the default interval, which can be changed.

I now use this setting everywhere and recommend it.

2 Likes

They were actually turning up the interval based on an imaging and some other things, then turning it back to “defaults” (which I want to change). It was that turning to defaults that was messing with me.

They actually don’t need part of that code any more. LONG story on why we got to that point. Maybe we can chat at Think.

1 Like