Eliminating duplicated computers in BigFix running the agent on Citrix PVS / VDI
In complex virtual environments like Citrix PVS/VDI, managing BigFix deployments can pose unique challenges. One such challenge is the recurring issue of duplicated computers in the BigFix Console, causing headaches for administrators and impacting system performance.
The Challenge: When the BigFix agent is installed on virtual images and replicated across multiple VMs, each VM is assigned a new computer ID upon restoration from the original image. This results in duplicate entries in the BigFix Console, despite having the same hostname.
The Solution: Inspired by discussions on the BigFix community forums and leveraging insights from HCL's documentation, I've developed a script that automates the cleanup process and ensures a seamless experience for administrators.
Key Steps
Preparation: Configure BESAdmin.exe settings and ensure VMs have a Persistent Drive.
1 - Add the ClientIdentityMatch parameter to the Advanced Options in BESAdmin.exe: go to Start > BigFix Administrative Tool > Advanced Options and set the value of the ClientIdentityMatch parameter to 100.
2 - The VMs should have a Persistent Drive where the registry values, files and folders can be backed up. The drive must allow read/write access, and it must not be restored to the original image along with the VM.
3 - Stop the BES Client service and set it to start manually.
4 - Create a task in Task Scheduler, configured to run at startup.
Choose the System account or any other account with admin privileges in the Security Options.
In the Triggers tab, choose "At startup".
In the Actions tab, select the action “Start a program” and provide the path of the BAT script shown in the following step. Click OK and save it.
Script Execution: Utilize a BAT script to clean up registries, files, and folders, while also backing up essential data.
@echo off
REM -----------------------------------------------------------------------------
REM Backup Computer ID Script v1.2
REM Description: This script performs configuration tasks for the BigFix Client.
REM - Backup and restoration of ComputerID and endpoint certificates
REM - BESClient Startup Control
REM - Log creation for tracking
REM -----------------------------------------------------------------------------
REM Defining the log variable
set "LocalLogFilePath=E:\Backup_BigFix\log.txt"
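REM Setting the destination backup path (no trailing backslash; the paths below add their own)
REM The KeyStorage backup carries the endpoint certificates, so restrict this folder to SYSTEM and administrators
set "BackupRegPath=E:\Backup_BigFix"
set "DestinationFolder=E:\Backup_BigFix\KeyStorage"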
REM Defining other variables
set "RegistryPath=HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\GlobalOptions"
set "DriveLetter=E:"
set "SourceFolder=C:\Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage"
REM Extracting the log directory path
for %%I in ("%LocalLogFilePath%") do set "LogDirectory=%%~dpI"
REM Creating the log directory, if it doesn't exist
if not exist "%LogDirectory%" mkdir "%LogDirectory%"
echo [%date% %time%] Log start >> "%LocalLogFilePath%"
REM Cleaning up client certificates
echo [%date% %time%] Cleaning up client certificates... >> "%LocalLogFilePath%"
if exist "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData" (
    rmdir /s /q "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData" >> "%LocalLogFilePath%" 2>&1
)
if exist "C:\Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage" (
    rmdir /s /q "C:\Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage" >> "%LocalLogFilePath%" 2>&1
)
REM Cleaning up the client registries
echo [%date% %time%] Cleaning up registries with the computer ID... >> "%LocalLogFilePath%"
reg delete "%RegistryPath%" /v RegCount /f >> "%LocalLogFilePath%" 2>&1
reg delete "%RegistryPath%" /v ComputerID /f >> "%LocalLogFilePath%" 2>&1
reg delete "%RegistryPath%" /v ReportSequenceNumber /f >> "%LocalLogFilePath%" 2>&1
REM Checking if the backup directory exists and creating if necessary
if not exist "%BackupRegPath%" mkdir "%BackupRegPath%"
REM Delayed expansion (!date! !time!) makes each log line inside the block carry
REM its own timestamp; %time% would be fixed once for the whole block, wait included
setlocal EnableDelayedExpansion
REM Checking if the backup registry file exists in the backup folder
if exist "%BackupRegPath%\BESClient.reg" (
    echo [!date! !time!] Restoring the KeyStorage and ComputerID backup... >> "%LocalLogFilePath%"
    reg import "%BackupRegPath%\BESClient.reg" >> "%LocalLogFilePath%" 2>&1
    xcopy "%DestinationFolder%" "%SourceFolder%" /E /C /H /R /K /Y /Q /I >> "%LocalLogFilePath%" 2>&1
    echo [!date! !time!] Starting BESClient... >> "%LocalLogFilePath%"
    net start BESClient >> "%LocalLogFilePath%" 2>&1
    echo [!date! !time!] Import of BigFix records and folders successful >> "%LocalLogFilePath%"
) else (
    echo [!date! !time!] Configuring the machine for the first time... >> "%LocalLogFilePath%"
    echo [!date! !time!] Starting BESClient... >> "%LocalLogFilePath%"
    net start BESClient >> "%LocalLogFilePath%" 2>&1
    echo [!date! !time!] Waiting for 300 seconds for the BESClient to start up successfully and generate __BESData and KeyStorage folders... >> "%LocalLogFilePath%"
    timeout /t 300 /nobreak
    reg export "%RegistryPath%" "%BackupRegPath%\BESClient.reg" /y >> "%LocalLogFilePath%" 2>&1
    xcopy "%SourceFolder%" "%DestinationFolder%" /E /C /H /R /K /Y /Q /I >> "%LocalLogFilePath%" 2>&1
    echo [!date! !time!] Backup of BigFix records and folders completed successfully >> "%LocalLogFilePath%"
)
echo [%date% %time%] BESClient startup script executed successfully >> "%LocalLogFilePath%"
echo [%date% %time%] Log end >> "%LocalLogFilePath%"
exit
Verification: Confirm the script behavior and observe the results in the BigFix Console and the logs of the BigFix agent.
What should be the behavior of the script?
1 - On the first run, it should erase all the current content related to the computer ID and the client certificates, then start the BESClient service and back up the registry and required files to the Persistent Drive. In this example it saves to the E: drive.
After execution finishes, the log will be in the folder defined in the log variable; check it to confirm that the whole process ran without any errors.
The E: drive should contain the folder defined in the log variable, the KeyStorage folder, the log and a registry file named BESClient.reg.
In the BESClient log you should find this entry, where BigFix sets the Computer ID for the first time:
Path: C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Logs
Scheduling client reset; Computer id changed to 3006950
2 - On subsequent executions, it will verify that the Persistent Drive contains the backed-up content, import the good registries/files and start the BESClient.
In the BESClient log you will see the following entry; look at the Body parameter, which will contain the same ID created by the first execution.
RegisterOnce: Attempting secure registration with 'https://BESSERVER:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.8.37&Body=3006950&SequenceNumber......
What should you see in the BigFix Console?
The computer will appear duplicated for the final time, and you can verify that the latest computer reporting contains the ComputerID observed in the BESClient log.
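The log comparison described above can be scripted. The following Python code is an added example, not part of the original script: it scans BESClient log lines for the two entries quoted above and reports whether the ComputerID stayed the same after the reboot. The sample lines are constructed, and the second ID (3007012) is a placeholder.

```python
import re

# Patterns for the two BESClient log entries quoted in the article.
ID_ASSIGNED = re.compile(r"Computer id changed to (\d+)")
REGISTER_BODY = re.compile(r"RegisterOnce: .*?[?&]Body=(\d+)")

def identity_events(lines):
    """Return ordered (kind, computer_id) pairs found in BESClient log lines."""
    events = []
    for line in lines:
        if m := ID_ASSIGNED.search(line):
            events.append(("assigned", int(m.group(1))))
        elif m := REGISTER_BODY.search(line):
            events.append(("registered", int(m.group(1))))
    return events

def check_identity(lines):
    """Return (verdict, ids). 'stable': a single ID is assigned and every later
    registration presents it. 'duplicated': more than one ID appears.
    'no-data': neither log entry was found."""
    events = identity_events(lines)
    kinds = [kind for kind, _ in events]
    # Assumption: registrations logged before the first assignment belong to
    # the first run, when the client had no ID yet, so they are not compared.
    start = kinds.index("assigned") if "assigned" in kinds else 0
    relevant = events[start:]
    if not relevant:
        return "no-data", []
    ids = sorted({cid for _, cid in relevant})
    return ("stable" if len(ids) == 1 else "duplicated"), ids

# Constructed sample lines modelled on the entries quoted above (URL shortened
# after the Body parameter). 3007012 is a made-up ID for the failure case.
URL = ("https://BESSERVER:52311/cgi-bin/bfenterprise/clientregister.exe"
       "?RequestType=RegisterMe60&ClientVersion=10.0.8.37")
FIRST_BOOT = ["Scheduling client reset; Computer id changed to 3006950"]
REBOOT_OK = [f"RegisterOnce: Attempting secure registration with '{URL}&Body=3006950'"]
REBOOT_BAD = REBOOT_OK + ["Scheduling client reset; Computer id changed to 3007012"]

if __name__ == "__main__":
    print(check_identity(FIRST_BOOT + REBOOT_OK))
    print(check_identity(FIRST_BOOT + REBOOT_BAD))
```

To run it against a real VM, pass the lines of the log files under the Logs path in chronological order; a "duplicated" verdict means the restore from the Persistent Drive did not take effect and the server issued a new ID.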
Fine Tuning
Every environment may have unique configurations, including default paths and drives. As such, don't hesitate to adjust the variables to suit your environment's requirements. However, ensure thorough testing is conducted before deploying the script in a production setting.
Moreover, a particular line in the script determines the duration, in seconds, before initiating the backup process following the BESClient startup. This duration may fluctuate based on the environment. While it may execute seamlessly in some instances, it might require up to 5 minutes in other environments for the __BESData and KeyStorage folders to generate.
timeout /t 300 /nobreak
Benefits:
Next Steps: If you're facing similar challenges in your environment or have insights to share, let's connect! I'm also exploring variations of this script for environments without a Persistent Drive, so stay tuned for updates.