Windows patching - beginner questions

Hello everyone,
I want to start patching our Windows servers and was wondering what would be some best practices.
We only have the most basic BigFix modules (BF management + Patch Management) so if it matters, please take it into consideration in your answer.

The biggest issue for me currently is that I don’t know where to begin. Here are a few questions that I have:

  1. Assuming I want to start patching, do I simply create a new baseline and insert all of the Windows-related fixlets into it? For example, I want to use critical and important updates only, so I just pick them and deploy that baseline to a certain group of computers? If so, my next question is also a follow-up.

  2. What if I don’t want to patch all of my DCs at once? What can I do to spread out the patching phase between certain critical servers? Do I just create more groups and deploy only to them? Then when I want to patch the next group, I just manually go in again and deploy again?

  3. What do I do about new updates? Let’s say I want to deploy updates once a month. When does BigFix usually release new updates after Patch Tuesday? When are they available in the client?

  4. When I create a baseline, I’m offered to choose an action, and the default action is always action1. Where can I learn more about what it does? I don’t have any actions created and my setup is pretty vanilla, as we only installed BigFix not too long ago.

Any other help on the matter would be great. I read a few articles but can’t quite find my way around this product.

Thank you.

@Beinish, welcome to BigFix. Since you’re new to BigFix, I’d recommend looking at the Patch Policy feature within the WebUI interface. This feature greatly simplifies the patching process for your endpoints. Please review the following documentation links and then post additional questions here.

With respects to best practices, please review the following documentation links.

Additionally, I’d highly recommend subscribing to and reviewing the available videos from the BigFix Tech Advisor YouTube channel.

To address your specific questions:

  1. You can create monthly baselines of applicable Microsoft patches for your endpoints; however, I’d recommend setting up Patch Policies within WebUI if your organization permits.
  2. I would create two or more automatic groups in your Master Action or main custom site that logically divides your DCs and other critical infrastructure so that Patch Policy or baseline targeting is simplified in this example. Alternatively you could leverage Server Automation, but that’s a more advanced topic.
  3. Patch Policies have a “refresh” option to pick up new content between schedules. This is just one of many reasons I prefer patching via Patch Policies. If you go the baseline method, then you’ll need to leverage the Baseline Synchronization Dashboard to ensure that your patch baselines are in sync with the patch content. However, this does not remove your monthly time spent managing the baseline components, etc.
  4. Please see the documentation for more information on Actions, Taking Actions and Taking a default action as part of the deployment of a Fixlet or a task.

Finally, please take some time and review Getting Started guides on the BigFix Developer website. I hope the above helps.


Thank you, this is super helpful.
So if I got it right, I can create a patch policy from the WebUI that will download updates on a monthly basis AND deploy them to a specific group of computers?

For example, here’s a scenario that I can perform to make sure I’m not missing updates:

  1. Create a few dynamic groups, give each group some maintenance window of my choosing.
  2. Create a patch policy from the WebUI that will download critical+important updates every Patch Tuesday, or maybe a day or two after.
  3. Deploy that policy to the groups I created in step 1. That way each month those groups will be updated during their maintenance window.
  4. Done?

Effectively, yes. Please note that your initial round of patching may be a little rougher vs. following months. This is typically due to unknown patch states across a given environment in conjunction with endpoints being in a pending restart state. I would recommend utilizing some content to understand what endpoints you have in pending restart state.

Please note that additional steps are required if patching Linux distributions. In some cases it’s necessary to set up the distribution-specific Download Plugin and/or Download Whitelist. If you’re just patching Windows endpoints, then you should be good to go.

One last consideration: you may wish to have an external policy action from the Patch Policy that raises the CPU utilization of the BESClient before the maintenance window. This will allow the BESClient to consume more CPU during the patch cycle. You’ll have to turn this back down at the end of the maintenance window, but it definitely helps with older hardware or slower VMs.
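As an added illustration of the two points in the reply above (checking for endpoints in a pending-restart state, and raising the BESClient CPU budget ahead of a maintenance window), here is the action script for a custom Task. This is example content written for this thread, not something taken from the thread or shipped by BigFix. It assumes the `_BESClient_Resource_WorkIdle` and `_BESClient_Resource_SleepIdle` client settings (these are real BESClient settings; the values 20 and 200 are illustrative choices, not recommendations), that the Task's own Relevance tab restricts it to Windows endpoints, and that the automatic group for domain controllers is built on a constructed hostname prefix of `dc`.

```actionscript
// Added example: BigFix Task action script, run as a policy action
// shortly before the patch maintenance window opens.
//
// Task relevance (entered in the Task's Relevance tab, not in this script):
//   windows of operating system
//
// Example automatic-group relevance for the DC group (assumption: DC
// hostnames begin with "dc"; adjust to your naming convention):
//   (computer name as lowercase) starts with "dc"
//
// Example analysis property to list endpoints that still need a reboot
// before patching; "pending restart" is the client's reboot-pending flag:
//   pending restart

// Skip endpoints that are already waiting on a restart; they are better
// handled by a reboot action than by a patch cycle that cannot complete.
continue if {not pending restart}

// Raise the client's CPU budget for the patch cycle. WorkIdle is how
// many milliseconds the client works per cycle, SleepIdle how long it
// sleeps between cycles; larger work and shorter sleep mean more CPU.
// Defaults are 10 and 480; 20 / 200 are illustrative values (assumption).
setting "_BESClient_Resource_WorkIdle"="20" on "{parameter "action issue date" of action}" for client
setting "_BESClient_Resource_SleepIdle"="200" on "{parameter "action issue date" of action}" for client
```

A second Task with the same two `setting` lines but the default values (10 and 480) should be scheduled for the end of the maintenance window, as the reply notes, so that the raised CPU budget does not persist on production servers. The analysis property `pending restart` gives you the "which endpoints are waiting on a reboot" view before the first patch round, which is where the reply expects the most surprises.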