Welcome to the Career of Computer Support!
I feel your pain, but it’s not caused by BigFix per se. It sounds like the systems you need to manage have never really been properly managed before. If they are missing lots of patches, it can take a while to get everything up to where it should be.
First thing to understand about BigFix … the content it provides is NOT going to match Windows Update exactly for a couple reasons.
- BigFix provides more than just Microsoft content. There is content from Adobe, Sun, etc. Even the Patches for Windows site will not match WU exactly because IBM occasionally includes content requested by customers, things like Hotfixes. Because of this, you will see content in BigFix that you will not see in Windows Update.
- Windows Update (WU) provides more than just Security Patches. It includes some stability patches as well. IBM really only commits to providing the Security Patches on a timely basis. Because of this, you will sometimes see content in WU that is not in BigFix.
You don’t indicate which OSes you are supporting.
IBM relies on Vendor documentation (i.e. Microsoft) when creating the Fixlets that deliver the patches to your computers. Very rarely (very, very rarely when you consider how many Fixlets they provide) IBM gets the Relevance wrong, but there are enough of us using the product that they get notified and fix the issues promptly.
Sometimes, Microsoft makes a mistake with a patch, or with the documentation for the patch. When they publish corrections, IBM usually catches it and corrects their Fixlets within 12 to 24 hours.
In the end, BigFix is a tool. If you can’t implement processes to protect the computers you have to manage, I don’t care if you use BigFix, WSUS, or SCCM, things will get broken occasionally.
I’ve been supporting Windows computers since the days of DOS and Windows 3.1. The biggest lesson I’ve learned that applies here is that automation tools without appropriate policy and procedure just turn into faster ways to break systems.
You need to talk with your Management and help them to understand this, and to let you implement some testing procedures. Even if all it amounts to are a handful of computers you can push patches to BEFORE you push them more globally. That way you can install some of the more common or critical apps on them and have a better feel for what might go wrong, before you break a critical (or Senior) system.
Personally, I have a very high level of trust in what BigFix reports to me. I currently use it to patch and manage Windows, Macintosh, Red Hat, CentOS, AIX, and Solaris systems.
In every case when someone has tried to blame BigFix for “breaking” something, or providing bad information, I’ve been able to track it back to a person doing something they shouldn’t have, or something odd on a specific computer (misconfiguration, glitch, etc.).
In the end, BigFix is really just a highly configurable remote scripting tool, with a high level of visibility into endpoints and a fairly effective file delivery system.
I can use a hammer to build a house, or tear it down. It’s all how the tool is applied.
BTW: I’m NOT an IBM employee. I’ve just used BigFix since 2003, and have never found a better tool for my environment of 46k+ endpoints.