My current use case involves being one of the products and one of the clients implementing this tool.
HCL BigFix offers a Unified Endpoint Management platform that enhances security, reduces costs, and simplifies IT operations across hybrid, multi-cloud environments through a centralized control structure.


| Product | Mindshare (%) |
|---|---|
| BigFix | 1.7% |
| Microsoft Defender for Endpoint | 6.8% |
| CrowdStrike Falcon | 5.9% |
| Other | 85.6% |
| Type | Title | Date | |
|---|---|---|---|
| Category | Endpoint Protection Platform (EPP) | Jul 7, 2026 | Download |
| Product | Reviews, tips, and advice from real users | Jul 7, 2026 | Download |
| Comparison | BigFix vs Microsoft Defender for Endpoint | Jul 7, 2026 | Download |
| Comparison | BigFix vs CrowdStrike Falcon | Jul 7, 2026 | Download |
| Comparison | BigFix vs SentinelOne Singularity Endpoint | Jul 7, 2026 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 5.9% | 97% | 139 interviewsAdd to research |
| Microsoft Intune | 4.1 | N/A | 95% | 378 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 23 |
| Midsize Enterprise | 7 |
| Large Enterprise | 59 |
| Company Size | Count |
|---|---|
| Small Business | 354 |
| Midsize Enterprise | 181 |
| Large Enterprise | 655 |
BigFix streamlines enterprise IT management by integrating infrastructure security, endpoint remediation, and employee experience automation within a single platform. It enables IT Operations and Security teams to function efficiently from a unified control plane, managing over 155 million endpoints. Its robust architecture supports continuous compliance and automated vulnerability remediation, closing the gap between detection and fix. It excels in digital employee experience by ensuring proactive monitoring and utilizing agentic AI for self-healing workflows and intelligent automation, thereby reducing manual efforts and enhancing productivity.
What are BigFix's key features?Industries such as telecom, finance, and industrial facilities leverage BigFix for comprehensive patch management, software deployment, and inventory solutions. They benefit from its capacity to support endpoint security, compliance, and diverse operational needs, using it for vulnerability assessment and custom content creation.
BigFix was previously known as Tivoli Endpoint Manager.
US Foods, Penn State, St Vincent's Health US Foods, Sabadell Bank, SunTrust, Australia Sydney, Stemac, Capgemini, WNS Global Services, Jebsen & Jessen, CenterBeam, Strauss, Christian Hospital Centre, Brit Insurance, Career Education Corporation
| Author info | Rating | Review Summary |
|---|---|---|
| Administrator at a tech vendor with 10,001+ employees | 5.0 | I use BigFix for end-to-end patching and automation across diverse systems, praising its excellent stability and scalability. While features like server automation and IVR are valuable, I recommend improving the fragmented patch policy monitoring for better usability. |
| Founder Director at Techsa Services | 4.5 | I've used BigFix for over 16 years, valuing its patch management, compliance, and efficient software distribution, though reporting and application control need improvement. Setup is straightforward, support is reliable, and I highly recommend it for larger organizations. |
| Technical Director at SYSTEX | 5.0 | I find BigFix effective for managing diverse operating systems like Windows and Linux, offering valuable features like inventory and software management. Despite some distribution delays, it outperforms alternatives such as Symantec when handling varied systems. |
| RPA Developer at Hexaware Technologies Limited | 3.5 | I use BigFix for endpoint security management, leveraging its integration capabilities with IBM tools and ILMT. It's effective for capturing inventory, although integration challenges exist. Despite some hardware configuration issues, it has positively impacted audit processes. |
| CEO at Novilis | 4.5 | We use BigFix for security patching and server automation, appreciating its lifecycle and compliance features, especially patching for multiple OS environments. While it enhances efficiency and reduces errors, its interface is less intuitive compared to competitors like SCCM and ManageEngine. |
| Solution Sales Specialist at TD SYNNEX | 5.0 | I've used BigFix for 1.5 months and appreciate its patch management and software deployment features, though pricing could improve. Support is responsive, and I'd recommend it, rating the product 8 out of 10 overall. |
| Security Architect at CDW | 4.5 | I use BigFix primarily for patch management, security templates, and software distribution across companies. Its valuable features include integration with vulnerability scanners and real-time compliance capabilities. However, the console speed needs improvement for a smoother experience. |
| Freelance Senior IT Consultant at smak | 4.0 | BigFix provides stable, scalable, single-console management for inventory, compliance, and patching. I appreciate its simplicity and effectiveness, though I wish it supported more databases. New users should get initial support. |
| Global Tech Delivery Lead Win & EUC at Mondelēz International | 4.0 | I find BigFix to be strong security-wise and highly customizable, though it's not beginner-friendly. Its most valuable feature is patching, but improvements are needed for cloud capabilities and content delivery. Previously, I used Microsoft SCCM and evaluated Microsoft Engine. |
| Security Administrator at Dev Information Tech Pvt Ltd | 5.0 | As a BigFix administrator, I manage infrastructure tasks including patch deployment and vulnerability assessment. BigFix excels in real-time endpoint detection and prevents redundant deployments, though its console can be slow. It supports custom scripting for flexible deployments. |

My current use case involves being one of the products and one of the clients implementing this tool.
I use BigFix to provide the customer with end-to-end patching and automation. All features are very useful from the client perspective, but the server automation feature is particularly valuable. Server automation provides full automation for whatever users want to do on the server end, including patching and other tasks. We have integration with ServiceNow, which enables end-to-end automation including change creation, change implementation, and automatic email notifications to users upon completion and validation.
BigFix supports all kinds of operating system flavors and third-party applications as well as middleware applications. Patching is the most preferable feature that users choose BigFix for, making it a very important component.
Software distribution is also a key feature. When users want to place any server or file on any endpoint, software distribution can be used. Package creation is another feature that allows deployment of packages and files to multiple servers in one action, targeting thousands of servers simultaneously.
Intelligent Vulnerability Response (IVR) is a module recently integrated with BigFix. This feature provides vulnerability mitigation and can be integrated with tools like Qualys for vulnerability assessment scanning. When reports are generated, BigFix can remediate vulnerabilities and address OS-related or application-related vulnerabilities.
BigFix Console provides a good unified interface where users can see the status of devices, actions, and software distribution actions. The console provides an absolute view allowing users to see the status of every action and every software component.
There is one feature in BigFix called the automation patch policy that requires enhancement. When an action is initiated through the patch policy, it appears on the console but arrives in chunks. When targeting hundreds of servers from the patch policy, the actions come in chunks such as ten out of six, ten out of nine, or ten out of fifteen. This fragmented approach creates a significant challenge for the patching team to monitor the action status. I would recommend that the development team provide a single action or one to two actions instead of multiple actions requiring individual monitoring. A broad status update could be provided to the client indicating the overall progress of the patch policy implementation rather than requiring monitoring of every individual action. This would reduce the bandwidth required by the team to track multiple actions on the console.
I have been using BigFix for four years.
I rate the stability of BigFix as ten.
BigFix has excellent scalability. It supports approximately two to three hundred thousand endpoints, demonstrating significant scalability capabilities.
HCL owns this tool and provides the support. The support team is part of our organization.
I switched from another tool and now work on BigFix automation tool.
The setup process for BigFix is very simple. Once resources are allocated to the team, it is straightforward to create the environment and does not require much time.
I rate the price for BigFix as medium, neither low nor high.
There are many competitors in the market against BigFix, but I have not seen any competitor challenging this tool.
BigFix provides tremendous benefits to users and clients. It provides a comprehensive view and broad features for users. End-to-end automation allows anyone to perform server operations without logging into the console or directly accessing the server. Without BigFix automation, users would need to log into each server individually and perform tasks manually. When managing hundreds of servers, this tool provides essential automation and eliminates direct user interaction on servers. I rate this product a ten overall.

BigFix has been serving us and our customers effectively, doing it for very large customers, banking customers, and stock market customers.
These implementations are mainly focused on patch management, compliance, and security configuration, including compliance reporting regarding whether the system is compliant to configurations and the latest updates.
Patch Compliance and Configuration Compliance of endpoints will see a dramatic increase once the BigFix solution is operational.
BigFix supports something known as Patch Policies, which allows users to define that whenever critical patches are released, they should get evaluated against machines and automatically deploy them.
Their software distribution is very efficient because they use a pull mechanism rather than a push mechanism, allowing each machine to download from the closest repository and install themselves.
The same assessment mechanism applies for real-time vulnerability remediation, allowing identification, evaluation, and automatic remediation across machines.
Compliance metrics typically measure the patch percentages deployed against the number of endpoints, which could be various device types including virtual machines and mobile devices.
Measurements are taken against each device type, looking into compliance percentages for browsers such as Chrome and Edge based on their versions.
The reporting still needs improvement since customers want specific reporting, such as N-1 month patching reports.
In addition to reporting improvements, there should be a feature for application control to allow or disallow certain applications from being executed on endpoints.
BigFix has been in use for over 16 years.
Technical support from HCL is satisfactory unless there are customization requirements, for which we engage with professional services.
Positive
Implementation was absolutely straightforward since we have been doing this for many years.
Typical implementation timing depends on the customer's environment; for 500 machines it could take about a week, while for 50,000 machines it could be a month.
The pricing is pretty good and now follows a subscription model similar to other major software solutions, making it easier for customers to subscribe and unsubscribe.
We will be starting with AppScan soon, but we continue to remain a BigFix partner.
I have been both partner and reseller of HCL.
I recommend BigFix for companies with over 500 endpoints.
We don't deal with any company smaller than a 500 count.
On a scale of 1-10, I rate BigFix a 9 out of 10.
A typical use case for BigFix involves managing a diverse range of clients, such as Windows, Linux, and various versions of Red Hat. My clients use BigFix since it is particularly beneficial when a company has many different types of operating systems. If a user has only one type, like just Windows, the benefit may not be as clear compared to other vendors. However, BigFix is a good solution for companies with diverse systems.
The BigFix features that have proven most effective include inventory, software delivery, software distribution, software catalog, and both software and hardware management. BigFix is a very powerful tool if you want to know how many clients are in your enterprise and control or distribute software effectively.
Implementing a business solution with BigFix has some issues, primarily concerning the time required for distribution to clients if there are too many.
Building a management console is quick and simple, taking only one to two hours for setup. However, a demo or trial may take over a week or two for completion.
I have worked with BigFix since 2011, which gives me over a decade of experience.
I would rate the stability of BigFix highly. On a scale from one to ten, with ten being the highest stability, I believe BigFix can handle large solutions effectively. It is suitable for installations in very small sizes of two hundred computers and medium sizes of up to fifteen thousand.
Budget considerations need to be accounted for, but the architecture is reliable for both small and large deployment needs.
I rate technical support from BigFix very highly. On a scale from one to ten, with ten being the highest quality, enterprise support provides timely responses, typically within four to eight hours. The response time is quick for test responses, and the quality is very good.
Positive
I have worked with solutions like Symantec alongside other endpoint collection tools. Many free or third-party providers offer these utilities. For enterprise solutions, Microsoft provides alternatives. This is my perspective, and other scenarios are similar, requiring a similar range of products.
In my experience, the initial setup of BigFix is very quick and simple.
I think BigFix is a very good solution, and I rate it ten out of ten.
I use BigFix for endpoint security management in my industry. It is an integrated solution that I use in collaboration with BigFix and IBM tools. I have integrated BigFix with ILMT and utilize it for operational purposes.
I use BigFix to capture the latest hardware and software information from all the endpoints and push that information to ILMT dashboard.
It has been reliable for endpoints that give accurate information. It has been effective in many cases. It has saved us from audits, so it has been effective in our use scenario.
I still work with BigFix. HCL Notes has been some time, more than eight to nine months now. I have been working with BigFix for more than seven years.
It is reasonable to have other endpoint management. BigFix was previously owned by IBM. I use this mainly to capture inventory for IBM products, and as BigFix was part of IBM, it gets easily integrated with IBM solutions.
While performing integration, we face many issues with IBM solution. We need detailed information about those issues that can help users to mitigate them.
The problem was related to the hardware configuration and hardware specifications. BigFix requires some minimum configuration requirements. It was not a critical issue, but we managed to resolve it.
I have been working with BigFix for more than seven years.
While performing integration, we face many issues with IBM solution. We need detailed information about those issues that can help users to mitigate them.
The problem was related to the hardware configuration and hardware specifications. BigFix requires some minimum configuration requirements. It was not a critical issue, but we managed to resolve it.
I am no longer working with anything by HCL or associated with that.
It has been effective in many cases. It has saved us from audits, so it has been effective in our use scenario.
I do not have experience with these.
I have not come across any difficulties. I integrated it with ILMT (IBM License Metric Tool).
It lets us identify all software being used in my organization with BigFix. It provides input of all types of software being used, including details and information about hardware specifications. I am more involved in software licensing and procurement, so I utilize this tool for procuring more licenses if needed for our company.
After integration, we get different dashboards showcasing our IBM infrastructure, highlighting various issues in our environment that we can mitigate.
I recommend BigFix to others. I rate BigFix a seven out of ten.

First, we use it for security patching on Windows and Linux.
Second, we use it for server automation procedures.
Third, we use the remote control feature of this solution.
The solution is very good and very advanced. It has so many elements that the other solutions don't have. For example, for organizations that are heterogeneous in their environment, BigFix is the best solution. For example, we don't only use Windows environments. We're using other environments, too. This is the reason why BigFix is better than SCCM.
We use the elements of lifecycle and compliance. First of all, the patching feature is very crucial.
First of all, the patching feature and the third-party patching feature. BigFix is one of the solutions that provides this not only for Windows but for other environments like Linux and Unix. This is very crucial for us. We are not using only Windows.
Secondly, there are always security breaches and so on. So whenever every vendor releases a patch, we don't have to worry as an organization. We receive the patches automatically, and BigFix spreads them automatically to our endpoints. This is the idea.
Moreover, we are aware that there are AI elements in BigFix that enhance endpoint management capabilities in the new version called Workspace Plus and Enterprise Plus. We are looking at it, and probably we will go for it in the next renewal. So the idea is in the plans.
From the perspective of the team that's handling the environment, it's not so user-friendly compared to other solutions, the competitors.
We hire new teams from time to time, and they are complaining, look, although BigFix is very robust and cross-platform, it's not so fun to work with. The user interface for the technical teams is not so advanced. It's not so intuitive compared to SCCM, compared to ManageEngine. And this is the fact that they have, with the teams, because they have the rejection.
The look and feel of the system are old-fashioned. For new employees, it's less easy to find someone I don't need to educate on how to work with BigFix.
Although it's easy, it's not as intuitive as the other solutions, and the functionality of the other solutions is less advanced. Let's summarize: The user interface has to be changed from the perspective of the teams that are managing the product. It's old school.
I have been using it for five years. We currently use version 11.
I would rate the stability a nine out of ten.
It is very stable. I don't have any complaints about the stability.
I would rate the scalability a nine out of ten. It is quite scalable. There are around 300 end users in the company.
We don't plan to increase further usage. It depends more on the organization's growth.
The initial setup is difficult for first-timers because the user interface for IT people is not so intuitive.
I would rate my experience with the initial setup a five out of ten, with ten being easy and one being difficult because of the user interface.
Deployment is quite fast if you know what you are doing. It can take one to two days.
I'm a manager. I was not the one who configured the system.
Regarding ROI, first of all, we use less human hours to do these procedures for our use cases. So this is the main cost-effective issue here. Less manpower, skilled manpower doing this.
There will also be fewer mistakes. Why? Because from time to time, the team forgets something or doesn't have enough time to do the right patching. So this solution reduces the manpower hours and mistakes. This is the idea of human manpower. This is perfect.
It reduces human mistakes and the time of manpower. I need less team. We are putting less workers' effort on this patching element or server automation element. We're reducing cost this way.
If you buy the whole package right now, this is what we are considering: the workspace and the enterprise. The cost of the whole package, the biggest package with the full functionality, is not high.
But if I use only the patch element, it's somehow expensive. Because the other solutions are quite cheap. But when we go higher to the fullest functionality, BigFix provides us with a better solution, even pricing-wise.
Overall, I would rate it a nine out of ten.
My advice: First of all, look at BigFix not only from the perspective of patching functionality. Most organizations, when it comes to BigFix, think about patching. This was the first functionality that BigFix came out with. You should consider BigFix as a total solution, replacing more than three or four tools. For example, do not purchase the solution as a patching solution only. Consider it for the whole offerings that BigFix offers you. This BigFix solution replaces more than three or four other products. For example, we are considering replacing our current remote control product and use BigFix functionality for remote control instead. And there are other solutions. So, you should look at BigFix from a wider perspective. Look, purchase it for the whole bundle, not only patching. Although there's still the option to purchase only patching, it's not wise. In my opinion, look at it and purchase the whole bundle.
I have been working at Tech Data for the last 12 plus years.
BigFix's patch management automation feature is impressive. The real-time vulnerability remediation feature regarding BigFix's software distribution effectiveness across large networks is valuable. BigFix's unified console for software deployment is a strong asset.
I have concerns about BigFix's pricing, which I find to be slightly on the higher side. While it may not be the most affordable or competitive option, there is room for improvement. Additional features could enhance the product further. I would rate BigFix as an 8 out of 10 as a product.
I have been using the solution for one and a half months.
Whenever we need any kind of support, the BigFix team is present and available. They help us effectively with our needs.
Positive
I would definitely recommend BigFix if I were in sales. I cannot say that BigFix is not the best option on the market. When I am selling this product, I would rate it on a higher side because I would not rate a product I am selling to a partner or end customer on a lower side. BigFix needs more promotion to increase awareness. The people who know this product are well-versed about it, but additional promotion is necessary to penetrate further into the market. Every market needs continuous promotion to grow. My overall rating for this review is 8 out of 10.

Our primary use cases for BigFix range from patch management and security templates to software distribution. These are essential tasks for endpoint management across various companies.
The tool's most valuable features are patching and integration with vulnerability scanners.
The compliance module in BigFix helps to maintain security compliance. It addresses standards such as CIS, DISA STIG, NIST, GDPR, and others, providing real-time capabilities to ensure adherence to these security templates.
The tool streamlines the endpoint patch management process through one console and agent. It's straightforward to deploy patches and policies, making the entire process intuitive.
The solution needs to improve console speed. I would like to see one console that does everything. It doesn't need to have a big client console.
I have been working with the product for 15 years.
The solution is very stable.
BigFix can support deployments ranging from as few as five hundred endpoints to as many as three hundred thousand endpoints on a single server. For larger deployments, additional servers can be added as needed. I rate its scalability a nine point five out of ten. My company has 50,000 users. Our clients are enterprise businesses.
The solution's support is good. The support is from India, and it's a challenge to get the right person.
Neutral
The solution's deployment is straightforward. However, implementation can be a challenge. Once everything is deployed, it is easy. The deployment process involves several steps: first, opening a firewall port; second, configuring antivirus exclusions; third, installing a database such as SQL Server or DB2. These tasks must be completed before deploying the solution. The overall process takes two days to complete.
The solution's deployment is done in-house.
You can see a quick ROI when you start exploring all the features.
The tool's price continues to go up. The cost per endpoint can vary, ranging from approximately 30 to 80 dollars per year. Compared to other products, pricing is in the middle. You need to buy an additional database license, but most users already have it.
When considering BigFix, I recommend exploring its capabilities beyond managing enterprise endpoints. It's beneficial to leverage its integration with mobile endpoints and compatibility with vulnerability scanners and platforms like ServiceNow.
I rate the overall product a nine out of ten. BigFix is integrating with AI through its new digital end-user experience feature. This capability automatically resolves issues such as performance problems and service restarts.

Our customers mainly use BigFix for inventory, compliance, patch management, and software deployment. We also use it with the IBM License Metrics Tool. Our customers are mostly in the telecom and financial sectors.
The solution has many useful features. Its main advantage is simplicity - you can do everything from one console, regardless of the task. It supports many operating systems and is scalable to up to 250,000 clients.
The solution is great for automation. It uses relevant language, and each client can send requests for information about files or other data. Based on the results, you can set up analyzers and actions. For example, in patch management, you can automatically deploy patches to clients that don't have the newest version.
For improvements, it would be good if BigFix supported more databases. Currently, it only supports DB2 and Microsoft SQL. Adding support for other databases like Oracle would be beneficial.
I have been working with the product for 15 years.
The tool is stable. I rate it a ten out of ten.
With BigFix, I've had customers manage from just one client to 80,000. I rate its scalability a nine out of ten.
The support from HCL is very helpful.
Positive
You need to consider network and firewall settings during deployment. But once you know what to do, it's quite simple - click through. I'd rate the setup process seven out of ten for ease.
The deployment process for BigFix, whether cloud or on-premises, takes about 3-4 hours. To deploy it, you first install the database and need a license file from HCL. The download is free and open to everyone. There's an installation generator for Windows, and you just run the download and set up.
I haven't faced challenges with BigFix, probably due to my 15 years of experience. I can usually handle any issues during installation or upgrades.
For those considering using the tool, I recommend having someone who can support you at the beginning of the implementation and installation. It's a quick learning process, but it's very important to understand how BigFix works at the start. Once you get that, you'll see it's quite good.
I rate the overall product an eight out of ten.

We have found that the solution is good security-wise. It’s customizable; however, you need good knowledge of the tool. It’s not for beginners.
In terms of compliance, we utilize compliance checklists and templates to ensure success. These templates help us evaluate the compliance and rating of our devices. For devices that do not meet compliance standards, we generate actionable items to address and fix the issues. Our security posture is improving by utilizing compliance analysis for all our devices.
I’ve found patching to be the most valuable feature of the solution.
The product should become cloud-based. Also, the peer nesting ability of the product is a little backward. It has a Peer messaging capability, like a peer-to-peer feature, but it's a bit backward compared to Microsoft's content delivery gateway. The content delivery needs to improve to accommodate new technology and move away from the old ways of deploying content.
In future releases, BigFix should become a complete cloud solution.
Regarding stability, I rate the solution a seven on ten. The solution requires a lot of customization. So, if you’re making a small change, you’ll need to ensure that everything is aligned with the change.
If you make a small mistake, then it's gonna be a problem.
The solution is not user-based but device based. We have 46,000 devices running 24/7. Since it’s a management tool, we manage it 24/7. We use it to its maximum capacity.
In terms of scalability, I would give the solution an eight on ten. It is scalable, but we need to purchase additional licenses. From a technical perspective, I would say eight. However, from a financial standpoint, it may be considered lower. Adding more devices requires purchasing more licenses, so in terms of the financial aspect, I would rate it around six or seven.
The customer service and support team is pretty good.
Positive
I used Microsoft System Center Configuration Manager (SCCM) before this solution. I switched because of CPO detection in the said solution.
I would rate my experience with the initial setup a seven out of ten, where one is difficult and ten is easy to set up. It's not straightforward.
We work with HCL directly. The solution was implemented through them. We installed it ourselves, from scratch, with the vendor shadowing us. We had to build servers and set up the infrastructure. The solution is currently deployed on-premises. That's why it's not straightforward, as we have to build the infrastructure.
That's why a cloud-based solution would be better, where everything is provisioned like a SaaS-based solution, similar to Microsoft.
The deployment took us around six months to complete the entire project, with multiple deliverables. Even with the features from BigFix, it took us at least a year for preparation and deployment.
We deployed the BigFix agent, and from there, we could deploy various fixes, logs, commands, and scripts. So, in simple terms, we just deployed the BigFix agent.
Around 20 people, including the vendor, were involved in the deployment process. It's like an entire project management team. You would have a project manager, a delivery lead, a technical delivery architect, and then you would have support teams for layers one to three.
There is regular maintenance required to fix any issues that arise. Currently, we have 20 people from HCL for day-to-day support.
Currently, I would rate seven on ten for the ROI of the solution, where one is zero percent, and ten is 100% ROI.
However, I will need another two to three years to probe the ROI.
From a technical standpoint, it's strong in security and flexibility, but it requires a lot of customization. It's not straightforward. If we compare it to Azure and ForceWise, it might be considered a bit costly. I'm not sure how to articulate it, but it's costly because I have to build my own infrastructure, whereas with other SaaS solutions, I don't need to do that.
So, the pricing is slightly more expensive than the others. I have to keep buying licenses every time I add a new device. If I require 1000 devices, I’ll need 1000 more licenses. So, the price mainly depends on the number of devices.
I evaluated Microsoft Engine before choosing this option. Overall, I would rate the solution an eight out of ten.
I’d like to advise them to learn, be certified, and hold a lot of discussions with the vendor.
Overall, I would rate the solution an eight out of ten.
I am supporting a client and serving as an administrator of BigFix. My responsibilities include taking care of the whole infrastructure, patch deployment, vulnerability scanning, vulnerability assessment, third-party application vulnerability mitigation, generating reports, and ensuring compliance with security standards such as the CIS checklist. We handle all the security standards related to BigFix.
BigFix has several good features. Firstly, its client on the endpoints consumes less than 2% of CPU memory. Unlike other solutions like CrowdStrike or Tenable, where clients communicate with the database once a day or collect data every two days, BigFix offers real-time detection of endpoints. For example, if we have predefined conditions for monthly OS patches on various operating systems like AIX, Windows, Linux, and Mac, BigFix provides its own external sites where patches released by Microsoft or Mac are stored. These patches and content are integrated with the BigFix network. Each patch or package has relevant conditions that continuously evaluate the endpoints to determine if they are applicable. When creating software packages, we ensure that relevant conditions are met to prevent redundant deployments. This is important as continuous patching without checks can lead to system corruption or device issues.
We are currently managing more than a hundred devices. So, upon creating a package with the relevant condition in place, there are already thousands of devices that have that specific package deployed. The condition checks to ensure that the package is not redeployed to those devices, avoiding any potential issues that can arise from repeated deployments.
In some internal solutions, continuously deploying patches to an endpoint can lead to system corruption, device hang-ups, or other problems. However, BigFix prevents such issues by evaluating the relevance of each patch and ensuring it is only deployed when necessary.
BigFix is an endpoint customer solution that offers various capabilities. It enables compliance management, pack management, software and OS deployment, and power management. You can also integrate One Ready scanning tools like Qualys or Tenable, allowing vulnerability feeds to be directly evaluated within BigFix.
If BigFix does not have a pre-existing solution, we can create our own scripts using its action script and relevant language. The platform supports multiple scripting languages, including PowerShell and Python, providing flexibility for deployments.
One aspect that could be improved is the speed of the console. Sometimes it can be slow, which is something that needs to be addressed. When compared to other solutions like Tenable or CrowdStrike, BigFix constantly communicates with the database in real time, which can cause some slowness.
I have been working dedicatedly with BigFix for the past five years. We are currently using version 10.0.4 of BigFix.
BigFix is stable overall. However, like any software, you may encounter occasional issues, but they are manageable.
It is a scalable solution. Scalability is relatively easy to achieve with BigFix. We already have a capacity planning guide in place that outlines predefined steps to check and scale the environment. It provides guidelines for designing the infrastructure to meet scalability requirements.
Currently, I'm working with a large enterprise that uses BigFix.
The technical support for BigFix is really amazing. There are dedicated technical support engineers available, and you can open tickets or seek help through the BigFix forum. Additionally, there are technical solution architects who can assist you. Just open a ticket with the Excel support team, and they will be there to help you.
The support is generally excellent, but there may be occasional delays due to their workload.
Positive
When it comes to the root server, you have the option to use either Windows or Linux. Deploying the root server is a straightforward process. Deploying the root server is the first step. After that, if you're considering deploying the complete infrastructure, you'll need to follow the capacity planning guidelines. It will help determine the appropriate infrastructure requirements. For instance, if you have 10,000 devices, it is recommended to use a server with at least 128 GB of RAM, 32-core processors, and a robust server configuration. You can choose to host it in a cloud-based environment or a dedicated environment, but it should meet the necessary specifications in terms of RAM and processor capacity.
Once you have the server set up, you will define your release strategy. This involves setting up top-level releases and renewal releases. The reason for having multiple releases is to distribute the load and avoid overburdening the root server. Top-level releases communicate with the root server and receive data from it, which they then distribute to the lower-level releases. These releases, in turn, distribute the data to the endpoints.
As for the installation process, it is quite straightforward. Once the root server is installed, you need to install the console. Once the console is installed, you can proceed to deploy clients or agents on the endpoints.
BigFix provides a built-in client deployment tool called the Data Tool. Using this tool, you can leverage your active directory credentials to scan and analyze your network, identifying devices that have or do not have BigFix installed. Once the scanning process begins, the tool will start deploying the agents to the appropriate endpoints. The installation of the agents does not require a reboot. However, when deploying the infrastructure itself, a reboot may be necessary. But for clients deployed on agents or endpoints, whether it's servers, Windows 10 machines, or Linux machines, the agent installation does not require a reboot.
Once the agents are installed, they automatically refresh themselves every 15 minutes. They communicate with the nearest relay to check if any new content needs to be deployed to that particular endpoint. The agent keeps checking with the relay and deploys content if there is any to be received.
For the complete infrastructure deployment, you need to follow capacity planning guidelines. This will help determine the required infrastructure.
Recently, we have set up new infrastructure, and capacity planning is a time-consuming process. Depending on the client and their requirements, it can take a couple of days to two weeks to finalize the agreement, especially if there are cost constraints. Companies often have limitations on project expenses. Once everything is finalized, it takes just one day to get the entire infrastructure up and running.
As for the endpoints, when we start deploying agents on laptops or desktops used by end users (not servers), it can take up to 30 days. This is because the agents are deployed as the endpoints come online intermittently. We keep the deployment policy open for five business days to accommodate this.
So, to summarize, infrastructure installation is typically completed within six to eight hours. After that, the network team checks the network utilization and load, and if necessary, they adjust the bandwidth. Deployment of agents onto clients usually takes about a week, but in server environments with a large number of servers (e.g., 5,000 servers), all the clients can be deployed within an hour or two. Once the entire infrastructure is up and running, we need to monitor the dashboards to ensure that BigFix is performing as expected. This monitoring period lasts for 30 days. Once everything is set up and functioning properly, we can start using BigFix.
For the basic setup of BigFix, you would typically require two architects: one familiar with Windows and another familiar with Linux. Additionally, networking expertise is needed to enable and disable certain ports. The involvement of various teams is necessary, especially the network team, which handles port opening and tunnel creation. For environments larger than 20,000 endpoints, two architects are needed. However, if the environment has around 5,000 to 10,000 endpoints, one architect is sufficient. Apart from the architects, you would also need two sole operators to manage all the modules within BigFix, such as inventory, compliance, cash management, and lifecycle management, which includes package deployment and patch deployment.
Currently, we have two people managing the maintenance of over a thousand devices. However, we recently increased the team to three members. They provide 24/5 support and handle various issues, including configuration and web application problems. If you require 24/5 support, it's recommended to have two architects and two operators who have a good understanding of BigFix. During peak times, the architects are available, and during off-peak hours, the operators can handle the tasks.
I would say that with great power comes great responsibility. As a BigFix admin, it is crucial to be careful and use the tool wisely. You have the ability to bring positive outcomes, but one incorrect deployment can have severe consequences and potentially disrupt the entire network.
Overall, I will give BigFix an alpha ten out of ten.