Who's stopping the BigFix Service?

Is there a way we can tell which user stopped the BigFix Service? I’m finding several of my company’s laptops and desktops with the BigFix Service (besclient) stopped or disabled. I’m wondering if there is an analysis that tells me which user is doing this.

Any help would be appreciated.

Thanks,
SnoJack

Can you retrieve it from the Windows Event Log? You’ll need to have sufficient auditing turned on. Find the event log name and event ID containing the record, and we may be able to help you craft an analysis to check.

3 Likes
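One way to follow the Event Log suggestion above, as an added example that is not part of the thread: the Service Control Manager writes service state changes (event 7036) and start-type changes (event 7040) to the System log, and a 7040 record carries the SID of the account that made the change. The display name "BES Client" and the 30-day window are assumptions.

```powershell
# Added example (not from the thread). Assumptions: the service's display name
# is "BES Client" (service name besclient) and the System log still covers
# the period of interest.
$DisplayName = 'BES Client'
$Since       = (Get-Date).AddDays(-30)

function Resolve-EventUser {
    param($Sid)   # SecurityIdentifier from the event's UserId field, may be $null
    if (-not $Sid) { return '(no user recorded)' }
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # unresolvable SID (deleted account, DC unreachable)
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040   # 7036: state change, 7040: start type change
    StartTime    = $Since
}

# The first event property of both records is the service display name.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.Count -gt 0 -and $_.Properties[0].Value -eq $DisplayName } |
    Sort-Object TimeCreated

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        User    = Resolve-EventUser $_.UserId
        Message = $_.Message
    }
} | Format-Table -AutoSize -Wrap

# Current state, for comparison with the last logged change.
Get-Service -Name besclient -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Where the User column shows no account for a stop record, attributing that stop needs the additional auditing mentioned above.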

OK, thanks a lot, Jason. I’ll consider that option.

I could have sworn there was a built-in fixlet that did something around making sure the BES Client service was always running, but I can’t seem to dig it up. In any case, check out the solution in this thread: Client Self Health Check

You can push out a PowerShell script via GPO or other method. You could use a similar approach, or maybe a policy action that would run on the machine before a user disabled BigFix, that would create a local task to run a script to make sure the service is started on some interval.

There once was a “BES Client Helper Service” that did something like that, but I don’t know whether it’s maintained or even whether it’s out-of-the-box. It used the Task Scheduler, I think, to restart stopped clients.

BES Client Helper and using the Task Scheduler are different fixlets (approaches). There’s a kind of technote for avoiding ‘tampering’ with BF clients in Windows; if you have users with much initiative, I recommend it, as it works well. Let me try to find that.

Here’s the article:
Preventing Tampering with BigFix Agents

3 Likes