JoeBrancoIT.com

Coming around to IBM's BigFix

2/10/2017

I was first introduced to BigFix in late 2012, and at first I complained about the choice to implement their own query and action languages instead of using known OS-specific languages.

It took me too long to realize the benefits of BigFix. My goal here is to be BigFix-positive instead of comparing the faults of other tools. I also don't want to go into all the features of BigFix, just the ones that made me recognize its power.

BigFix Relevance language combined with PowerShell/VBS/Command Prompt
Recent example:
  • Cisco Remote Code Execution Vulnerability in WebEx browser add-ons and extensions
    • I was tasked with identifying the machines with the extension installed in Chrome and then forcing them to upgrade to the latest version.
    • In BigFix I created an analysis whose Relevance query walked every user profile on a machine, found the Chrome AppData directory, looked through each Chrome profile for the Extensions folder named with the WebEx extension's ID (Chrome extension IDs are 32-character strings, not GUIDs), and returned the installed version. In about 1-2 hours I had the query tuned and results back from the majority of the enterprise's online clients (~8000 machines).
    • Next I created a Fixlet that used the same query as its relevance, and mixed pieces of the query into BigFix ActionScript to write the registry values that make the WebEx extension an administrator-enforced extension. On the next launch of Chrome the latest version of the extension is downloaded and installed regardless of any user settings that might have blocked the automatic update.
    • By the end of the afternoon the affected client counts started to drop, and the analysis gave me a clear report of the spread of WebEx extension versions that I could pass on to security and management over the following days as clients relaunched Chrome (we did not force-terminate Chrome on users).
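The audit and enforcement described above, written out as an added PowerShell example; this is not the post's Relevance or ActionScript. It assumes PowerShell 3 or later, a default profile root of <SystemDrive>\Users, and a placeholder extension ID; "administrator enforced" is implemented here with Chrome's ExtensionInstallForcelist policy under HKLM, which is this example's choice since the post does not name the exact registry values it wrote.

```powershell
# Added example (not the original post's Relevance or ActionScript): the same
# audit and enforcement done in PowerShell. The extension ID is a placeholder;
# substitute the ID of the extension under audit. The policy key written by
# Set-ChromeForceInstall is Chrome's ExtensionInstallForcelist, which is this
# example's choice for "administrator enforced"; the post does not name its values.

function Get-ChromeExtensionVersions {
    # Walks every user profile under -ProfileRoot, every Chrome profile inside it,
    # and emits one object per installed copy of the extension with its version.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExtensionId,
        [string] $ProfileRoot = (Join-Path $env:SystemDrive 'Users')   # assumption: default profile root
    )
    foreach ($user in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $userData = Join-Path $user.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }

        # Chrome profiles are "Default", "Profile 1", "Profile 2", ...
        $chromeProfiles = Get-ChildItem -Path $userData -Directory |
            Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

        foreach ($profile in $chromeProfiles) {
            $extDir = Join-Path $profile.FullName "Extensions\$ExtensionId"
            if (-not (Test-Path -LiteralPath $extDir)) { continue }

            # Each installed version sits in a folder named "<version>_<n>"; the
            # manifest.json inside is authoritative, the folder name is the fallback.
            foreach ($verDir in Get-ChildItem -Path $extDir -Directory) {
                $manifest = Join-Path $verDir.FullName 'manifest.json'
                $version  = $null
                if (Test-Path -LiteralPath $manifest) {
                    try { $version = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).version } catch {}
                }
                if (-not $version) { $version = ($verDir.Name -split '_')[0] }
                if ($version -notmatch '\.') { $version = "$version.0" }   # [version] needs two parts

                [pscustomobject]@{
                    User          = $user.Name
                    ChromeProfile = $profile.Name
                    Version       = [version]$version
                    Path          = $verDir.FullName
                }
            }
        }
    }
}

function Set-ChromeForceInstall {
    # Adds "<id>;<update url>" to ExtensionInstallForcelist (HKLM, so it applies to
    # every user) unless an identical entry is already present. Needs an elevated session.
    param(
        [Parameter(Mandatory)] [string] $ExtensionId,
        [string] $UpdateUrl = 'https://clients2.google.com/service/update2/crx',
        [string] $PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    )
    $entry = "$ExtensionId;$UpdateUrl"
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Entries are numbered string values "1", "2", ...; collect the existing ones.
    $existing = @((Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' })
    if ($existing.Value -contains $entry) { return 'already enforced' }

    $next = 1
    if ($existing.Count -gt 0) { $next = [int]([int[]]$existing.Name | Measure-Object -Maximum).Maximum + 1 }
    New-ItemProperty -Path $PolicyKey -Name $next -Value $entry -PropertyType String -Force | Out-Null
    return "added as entry $next"
}

# Audit (the "analysis"): which versions are out there?
$id = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder extension ID (assumption)
$found = Get-ChromeExtensionVersions -ExtensionId $id
$found | Group-Object Version | Select-Object Name, Count | Sort-Object Name

# Enforce (the "fixlet"): only where a copy older than the fixed version exists
$minimum = [version]'1.0.0'   # placeholder; use the version the vendor fixed
if ($found | Where-Object { $_.Version -lt $minimum }) { Set-ChromeForceInstall -ExtensionId $id }
```

Run it as SYSTEM or an administrator so every profile under the root is readable; a per-user run only sees that user's profiles, which is exactly the partial picture the post's Relevance query was written to avoid. The force-list entry takes effect the next time Chrome starts or refreshes policy, so the audit counts lag the enforcement by however long users keep Chrome open.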
BigFix works with third parties to provide easy-to-deploy updates
  • One of the really nice built-in, no-fuss features of BigFix is that when a new version of a product is released to fix vulnerabilities, BigFix has a deployable update package available within about a day.
    • Examples: Adobe Flash Player, Adobe Reader, Google Chrome, Microsoft Windows, Microsoft Office, Notepad++, etc.
    • With Chrome we do have customizations to apply post-install. The original author of our Chrome update job had about 200 lines of commands and scripts that handled 32-bit and 64-bit separately, because he wasn't using Relevance to its full extent.
    • Using the Relevance language and its parameters (variables), I got the install script down to about 80 lines. When Google and BigFix release an updated package, everything but the first four lines, which specify the download locations and the version, carries over unchanged to the new version.
Smart Clients - Dumb Servers
  • This concept was another difficult one for me to wrap my head around at first.
  • When you query a client, you query the client itself, not information the server has stored about it. Even if the server holds data about that client in its database, that data isn't used for a new query; you wait for the client to evaluate the query and report its answer.
  • The reason is that this keeps the infrastructure simpler and the results more accurate: an answer always reflects the client's state when it evaluated the query, not a stale server-side cache.
  • Clients check in with the server to fetch the logic they need to evaluate, evaluate it locally, and report the results back. The infrastructure is very simple to set up: install the top-level server, attach a database, install relays (which can also be clients), and then push out the clients. No sprawl of services to install and no AD schema changes.
Managing clients with/without AD
  • Using Relevance it was easy to organize computers logically based on attributes, names, users, installed programs, registry values, and flag files. No changes were made to AD: no new groups were created and nothing relied on a machine's location in an OU. It was incredibly flexible.
  • Relevance can read and parse XML, INI and JSON files using the navigation native to each format, which we used both to build action relevance and to drive changes via ActionScript.
Enforcing policies with/without AD
  • Where we used BigFix we used very few Active Directory Group Policies. We created policies in BigFix that evaluated on our own schedule; if a policy found that registry values, files, permissions, services, etc. were not in the configured state, it ran the job and corrected the configuration. No delays at logon while Group Policy refreshed, and no worrying about machines that have trouble processing Group Policy.
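The check-then-correct pattern described above, as an added PowerShell example rather than a BigFix policy; it is not the post's code and not part of BigFix. It runs the same way a BigFix policy does (a check that is true only when the machine is in the configured state, paired with the action that puts it there, re-checked afterwards), for example from a scheduled task on a machine without a BigFix client. The two policies are illustrative choices for this example.

```powershell
# Added example, not part of the original post or of BigFix: the policy pattern
# described above (a check that says whether the machine is in the configured
# state, paired with the action that puts it there) in PowerShell, for a
# scheduled task on machines without a BigFix client. The two policies are
# illustrative choices for the example; swap in your own baseline.

function New-PolicyItem {
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Test,   # returns $true when compliant
        [Parameter(Mandatory)] [scriptblock] $Fix     # puts the setting in the configured state
    )
    [pscustomobject]@{ Name = $Name; Test = $Test; Fix = $Fix }
}

function Test-RegistryValue {
    # True only when the value exists AND holds the expected data; a check that
    # only looks for the value's presence would report compliance on a wrong setting.
    param([string] $Path, [string] $Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq $Expected)
}

function Set-RegistryValue {
    param([string] $Path, [string] $Name, $Value, [string] $Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = @(
    New-PolicyItem -Name 'AutoRun disabled for all drive types' `
        -Test { Test-RegistryValue $explorerPolicy 'NoDriveTypeAutoRun' 255 } `
        -Fix  { Set-RegistryValue  $explorerPolicy 'NoDriveTypeAutoRun' 255 }

    New-PolicyItem -Name 'Remote Registry service disabled and stopped' `
        -Test {
            $s = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
            ($null -eq $s) -or ($s.StartMode -eq 'Disabled' -and $s.State -eq 'Stopped')
        } `
        -Fix  {
            Set-Service  -Name RemoteRegistry -StartupType Disabled
            Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
        }
)

function Invoke-PolicyEvaluation {
    # Evaluate each policy; with -Remediate, run the fix and re-run the check,
    # so the report shows the real end state rather than assuming the fix worked.
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [switch] $Remediate
    )
    foreach ($p in $Policy) {
        $compliant = [bool](& $p.Test)
        $action = 'none'
        if (-not $compliant -and $Remediate) {
            & $p.Fix
            $compliant = [bool](& $p.Test)
            $action = if ($compliant) { 'fixed' } else { 'fix failed' }
        }
        [pscustomobject]@{ Policy = $p.Name; Compliant = $compliant; Action = $action }
    }
}

Invoke-PolicyEvaluation -Policy $policies | Format-Table -AutoSize              # report only
# Invoke-PolicyEvaluation -Policy $policies -Remediate | Format-Table -AutoSize  # enforce (elevated)
```

The point worth carrying over to real BigFix policies is the shape of the check: relevance that tests for the exact configured data (not merely that a value or file exists) and a report that comes from re-evaluating after the action, which is how the "affected client counts drop" in the WebEx story above were actually measured.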


The Inspector Relevance section of http://support.bigfix.com has great documentation on the Relevance language and links to the documentation for BigFix ActionScript. The Fixlet Debugger may be downloadable from BigFix without a login, and you can experiment with the language and its power there (some inspectors won't work without a BigFix client installed, which requires a license).

Free Reign - Software solutions

6/5/2015

At my current company I started as a contractor who was given pretty free rein to evaluate the state of things and to design and prototype solutions to improve the environment.

Thinking back, these are some of the things I found and worked on:

Windows Imaging (Adding support for Windows 7 and beyond):

When I got there they were primarily using Windows XP and deploying, year after year, re-sysprepped thick images using Altiris imaging tools (Symantec Ghost+).

Solution:

I brought in Microsoft Deployment Toolkit (MDT) 2012 with all of my knowledge from my previous employer plus some additional research. Our MDT solution is now really well built and easy to maintain. All reference (gold) images are 100% automated, super clean, and can be updated by nearly anyone on the team with little instruction. The imaging spans our 73 divisions with their distributed software deployment servers, custom naming, the works. I've even built my own custom wizard UIs (without SCCM) to make really lite-touch deployments. Last year I updated it to a one-touch in-place Windows XP to Windows 7 upgrade/refresh.

Various HTAs

There were a number of HTAs they used as dashboards for the sales people. Every quarter the HTML elements were replaced and updated, and someone had to go and relink all the data, rebuild the formatting, and handle various other tedious tasks; at 10+ hours it was quite a poor use of a technician's time.

Solution

I modernized the HTAs so they programmatically load the data to display from XML documents. Using XML let us keep the previous months' data available when we roll out new sets of advertising material to the sales team, and let us create different views for sorting the data. The biggest plus was that I was able to give the marketing department a spreadsheet to fill in; we can quickly evaluate and touch it up, then run a script against it to generate the XML data for the various HTAs.

Screensaver

The screensaver is the one that has me a little annoyed today. The original screensaver, still in use today, was "developed" by a third party and is a simple picture of our newly re-branded trucks rolling across the screen in various places. The Flash screensaver doesn't work if Flash Player is not installed or is broken, or if there happens to be a broken Shockwave Player. When I got there they were deploying Flash Player and Shockwave Player (well past the end of Shockwave Player) to every machine. Because the old images were reused year after year, with more problems installed over the top to add support for new models, Shockwave Player seemed to break a lot. The Flash animation is not smooth and is quite jagged with v-sync issues, blacks out any second, third, nth monitor, and runs in a 4:3 box on the primary monitor.

Solution:
Having a love for programming, I set out one night to rebuild the screensaver in Windows Presentation Foundation, since WPF renders through DirectX with hardware acceleration and gives smooth animations. It also let us deploy a computer without worrying whether Flash was installed. The advantage I liked most was being able to use the full aspect ratio of the monitor and have the truck drive across multiple monitors. The screensaver's only requirement was the .NET Framework 4.0 Client Profile, which was in the process of being rolled out to the enterprise. I couldn't get the guy I reported to at the time to take action on the screensaver because he was afraid of me taking his job when I got converted from contractor to direct employee.

Screensaver 2:

A project was brought to me by my director for a possible major rebranding. Marketing went to a third party again and came back with some "screensavers" and a desktop background. What they sent was four 1600x1200 JPGs, all labeled "Screensaver_" plus something. I wasn't sure what I was supposed to make of them: they were all grayscale images with a few accent colors on logos, but the grayscale was really washed out to white. So I had these four pictures that were mostly white. Right, screensavers...

Solution:

I stared at these terrible files and emailed back and forth trying to figure out what they were meant to be. After getting nothing new, I took the elements of the images I was given and came up with a way to animate them and create a loop using my existing screensaver template. I tried to keep to their grays but made them darker.

Screensaver 3:

This week I was asked about looking into a screensaver for a new potential rebranding project. I was excited because I thought I was going to be making the screensaver. It turns out corporate marketing went to a third party again, and this time the third party was going to build a Flash animation and then use some (most likely $40) piece of software to compile it into a screensaver file. They confirmed that it wouldn't adapt to the aspect ratio, wouldn't span monitors, and would still depend on a system-installed Flash Player.

Solution:

I told my director; he wants me to build the screensaver and is trying to convince the marketing director to let the third party work on the design but let me do the actual building of the screensaver.

Kiosks:

The kiosks in use when I was brought in were Ghost images applied to machines, but they were poorly maintained, so drivers had to be applied manually to newer machines after the build, or really old machines had to be selected for kiosks. Kiosks required a fair amount of technician configuration each time.

Solution:

I created scripts that can be run on my new Windows XP and Windows 7 images to take a normal build and apply all the lockdowns to every existing account (including the Default User profile) except Administrator. Leaving the Administrator account untouched lets technicians log on and work on the machine, while every other account is configured in a locked-down state. This let any machine become a kiosk and gave technicians a better experience with less configuration. The scripts also install other scripts on the system and any other software needed, create user accounts, disable services, install hotfixes, and set up auto-logon.
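The "lock down every account except Administrator, including the default profile" step above, as an added PowerShell example; it is not the author's kiosk script. It assumes the Vista/Windows 7 profile layout (ProfileList in the registry, a Default profile directory), PowerShell 3 or later, an elevated session, and an illustrative set of per-user policy values; the technique is to load each profile's NTUSER.DAT under HKEY_USERS and write the policies there, so the Default profile seeds every account created afterwards.

```powershell
# Added example, not the author's kiosk script: locks down every local profile
# except the accounts in -Exclude, plus the Default profile so accounts created
# later inherit the same settings. It works by loading each profile's NTUSER.DAT
# under HKEY_USERS and writing per-user policy values. The policy set is
# illustrative (assumption); Vista/Windows 7+ profile layout is assumed.

$LockdownPolicies = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Value = 1 }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Value = 1 }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives';             Value = 0x3FFFFFF }  # hide A: through Z:
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Value = 1 }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Value = 1 }
)

function Get-ProfileHives {
    # NTUSER.DAT paths for the Default profile and every real user profile
    # (SIDs under S-1-5-21-*; the service SIDs S-1-5-18/19/20 are never touched),
    # minus the account names in -Exclude.
    param([string[]] $Exclude = @('Administrator'))
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    Join-Path (Get-ItemProperty -Path $list).Default 'NTUSER.DAT'

    foreach ($p in Get-ItemProperty -Path "$list\S-1-5-21-*") {
        $sid = $p.PSChildName
        try   { $account = (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
        catch { $account = $sid }   # orphaned profile: the SID no longer resolves
        if ($Exclude -contains ($account -split '\\')[-1]) { continue }
        Join-Path $p.ProfileImagePath 'NTUSER.DAT'
    }
}

function Set-KioskLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Exclude   = @('Administrator'),
        [object[]] $Policy    = $LockdownPolicies,
        [string]   $MountName = 'KioskTmp'
    )
    foreach ($hive in Get-ProfileHives -Exclude $Exclude) {
        if (-not (Test-Path -LiteralPath $hive)) { Write-Warning "no hive at $hive"; continue }
        if (-not $PSCmdlet.ShouldProcess($hive, 'apply kiosk lockdown')) { continue }

        # A hive that is in use (user logged on) cannot be loaded; reg.exe reports it.
        & reg.exe load "HKU\$MountName" $hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "skipping $hive (in use?)"; continue }
        try {
            foreach ($pol in $Policy) {
                $key = "Registry::HKEY_USERS\$MountName\$($pol.Key)"
                if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $pol.Name -Value $pol.Value -PropertyType DWord -Force | Out-Null
            }
        }
        finally {
            # Drop the provider's handles first or the unload fails with "access denied".
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$MountName" 2>&1 | Out-Null
        }
    }
}

Set-KioskLockdown -WhatIf            # list the hives that would be touched
# Set-KioskLockdown                  # elevated: apply
```

Run it while no kiosk user is logged on; a loaded hive cannot be opened from disk, and the script skips it rather than half-applying the set. Excluding by account name keeps technicians' access intact but means a renamed built-in Administrator needs to be added to -Exclude explicitly.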


Leveraging the most from Microsoft Deployment Toolkit

3/10/2014

Microsoft has provided a very powerful tool when it comes to deploying and customizing its operating systems, and I cringed when I walked into my current company in August of 2012 and saw they were using Altiris' Image Deploy, which is a glorified Ghost tool.

Image deployment was something I saw that I could improve right away by implementing MDT.  I have used MDT since 2008 and have learned many different best practices and got this opportunity to start clean.

I've written over 100 pages of documentation on how I set up MDT and the best practices implemented (lots of pictures). After I had customized and deployed to our 70-ish remote locations, our company finally made the decision, about two months ago, to eliminate out-of-support operating systems from the environment. The company looked at multiple outside contractors to do the work, but I was able to sell my director on using MDT with the User State Migration Tool (USMT) to upgrade our remaining clients (previously we were not using USMT).

MDT was the simple part; the tricky part was writing the logic and tools to get our software deployment tools to reinstall the user's software automatically after the upgrade process completed. We have been using Altiris DS for most software installations, but this Windows XP to Windows 7 migration has really driven us to move our software deployments to IBM Endpoint Manager (a.k.a. Tivoli Endpoint Manager, and inside our company simply BigFix).

High-Overview of process

Windows XP is live and running:
     • Zero-Touch process is started
     • Information about the machine is gathered
     • Programs are cataloged and relics are made to indicate programs for reinstall.
     • Office, Credant, Our In House Sales tool, and Lotus Notes detection takes place
     • (If detected) Credant Encryption Data is gathered
     • Windows Pre-installation Environment (WinPE) is applied to the machine
     • Computer reboots to WinPE
Windows PE is live and running (total elapsed time so far: 10 minutes)
     • Reconnects with Division Deployment Server
     • Captures User State with Hard Link Migration
     • Cleans excess data from the Hard drive
     • Applies Windows 7 32-bit
     • Customizes image - Applies patches, configures Unattend.xml
     • Reboots
Windows 7 is booting (total elapsed time so far: 25 minutes)
     • First boot drivers are installed and configured
     • Windows auto logs into Administrator account with disabled shell.
     • Joined to domain
     • Applications installed (SEP, Altiris Dagent, HP/Lenovo utilities, etc.)
     • If needed Lotus Notes reinstalled
     • If needed Office 2007 reinstalled
     • User State Restored – Profiles recreated, data put back, etc.
     • If Credant Encryption Needed
         • StateStore Backup of Hard-Links is removed
         • Encryption Indexes are scanned and repaired
         • Credant Encryption is reinstalled to recognize files already encrypted.
     • BigFix Agent reinstalled
     • Corporate Customizations reapplied
     • Reboot
Windows 7 Reboots and stays at Ctrl+Alt+Del (total elapsed time so far: 45 minutes)
     • Users can log on; most base-build applications are already there
     • BigFix starts installing patches, chrome, remote controller
     • BigFix installs programs required for upgrade based on the existence of relics.
     • BigFix completes upgrade installs and prompts the user to Reboot.



So I had the opportunity to write a script to parse the system, find the programs we wanted to reinstall, and create a file on the system that USMT would migrate. One of the last steps in our upgrade MDT task sequences creates a final relic file that tells BigFix the upgrade has completed; this triggers BigFix to scan for relics and install software based on which relics exist.

The script decides which relics to create based on an application definition XML file. It parses the XML and compares it against the output of Sysinternals PsInfo (with /s), as well as against any custom definitions such as the existence of files or folders, to create the application relics.
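The relic-generation step above, as an added PowerShell example; it is not the post's script. The XML schema, the relic folder, the match types and the sample program list are this example's own assumptions, and it reads installed program names from the Uninstall registry keys rather than from PsInfo /s output, which gives the same display names without a Sysinternals dependency. It needs PowerShell 3 or later.

```powershell
# Added example (not the original relic script): application definitions held in
# XML, matched against the installed-program list, and one marker file written per
# match for USMT to carry across and BigFix to key off. The schema, relic folder,
# match types and sample data below are this example's assumptions.

# Constructed application definition (assumed schema)
$AppDefinitionXml = @'
<Applications>
  <Application Id="Office2007" Relic="Office2007.relic">
    <Match Type="Program" Pattern="Microsoft Office Enterprise 2007*" />
  </Application>
  <Application Id="LotusNotes" Relic="LotusNotes.relic">
    <Match Type="Program" Pattern="Lotus Notes*" />
    <Match Type="Path" Pattern="C:\Program Files\IBM\Lotus\Notes\notes.exe" />
  </Application>
  <Application Id="Credant" Relic="Credant.relic">
    <Match Type="Program" Pattern="Credant Mobile Guardian*" />
  </Application>
</Applications>
'@

function Get-InstalledPrograms {
    # Live system: display names from both Uninstall hives (the 32-bit view is
    # absent on a 32-bit XP box, hence SilentlyContinue).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | ForEach-Object { $_.DisplayName }
}

function Get-ApplicationRelics {
    # An application qualifies when ANY of its Match rules hits: a wildcard on a
    # program name, or a path that must exist (the "custom definition" case).
    param(
        [Parameter(Mandatory)] [xml]      $Definition,
        [Parameter(Mandatory)] [string[]] $InstalledPrograms,
        [scriptblock] $PathExists = { param($p) Test-Path -LiteralPath $p }
    )
    foreach ($app in $Definition.Applications.Application) {
        $hit = $false
        foreach ($m in $app.Match) {
            switch ($m.Type) {
                'Program' { if ($InstalledPrograms | Where-Object { $_ -like $m.Pattern }) { $hit = $true } }
                'Path'    { if (& $PathExists $m.Pattern) { $hit = $true } }
            }
        }
        if ($hit) { [pscustomobject]@{ Id = $app.Id; Relic = $app.Relic } }
    }
}

function Write-Relics {
    # Existence is the signal; the content is only a timestamp for later forensics.
    param(
        [Parameter(Mandatory)] [object[]] $Relic,
        [string] $RelicRoot = (Join-Path $env:ALLUSERSPROFILE 'Upgrade\Relics')   # assumed location
    )
    if (-not (Test-Path $RelicRoot)) { New-Item -ItemType Directory -Path $RelicRoot -Force | Out-Null }
    foreach ($r in $Relic) {
        Set-Content -LiteralPath (Join-Path $RelicRoot $r.Relic) -Value ("{0} {1}" -f (Get-Date -Format o), $r.Id)
    }
}

# Dry run against a constructed program list (no registry reads, no disk writes):
$sampleInstalled = 'Microsoft Office Enterprise 2007', 'Symantec Endpoint Protection', 'Lotus Notes 8.5.3'
Get-ApplicationRelics -Definition ([xml]$AppDefinitionXml) -InstalledPrograms $sampleInstalled -PathExists { $false }
# Office2007 and LotusNotes qualify; Credant does not, so no relic would be written for it.

# On the machine being upgraded:
# Write-Relics -Relic (Get-ApplicationRelics -Definition ([xml]$AppDefinitionXml) -InstalledPrograms (Get-InstalledPrograms))
```

Two things decide whether this survives the migration: USMT only carries what its rules cover, so the relic folder has to be included in a custom migration XML, and the "upgrade complete" relic the task sequence writes last is what gates the reinstall, so BigFix never acts on a half-migrated machine.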

