This KB article assumes that you have already followed the steps described in the CPM Automatic Update setup process here.

After running the CPM automatic update setup script [CPMAutoUpdateSetup.vbs], check the following to ensure that each step completed successfully:

On the BigFix Server

  1. Check in BESAdmin that the CPM custom operator was created. If the default username was used in the setup script, this will be 'cpm_admin'.
  2. Check that the propagation credentials and site authorization were created for the custom operator:

    • Propagation credentials folder for the custom cpm operator
    • Location: C:\Program Files\BigFix Enterprise\TrendMirrorScript\Credentials
    • publisher.crt
    • publisher.pvk
  3. Authorization file allows the custom cpm operator to write to the custom cpm site:
    • Location: C:\Program Files\BigFix Enterprise\TrendMirrorScript\
    • FileOnlyCustomSiteAuthorization_CPMAutoUpdate
  4. Check existence and correctness of automatic update related registry entries.

    Note: The PropagationUser and PropagationPassword values shown here are the default values.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server]
    • "PropagateManifest"=dword:00000001
    • "ManifestSiteName"="FileOnlyCustomSite_CPMAutoUpdate"
    • "PropagationUser"="cpm_admin"
    • "PropagationPassword"="trendmicro"
    • "PropagationDSN"="bes_bfenterprise"
    • "CredentialsPVK"="C:\\Program Files\\BigFix Enterprise\\TrendMirrorScript\\Credentials\\publisher.pvk"

After the above criteria are satisfied, a pattern-set will be published to the CPM custom site the next time a recurring policy action from the task 'Set ActiveUpdate Server Pattern Update Interval' runs. To verify that new pattern-sets are successfully published, check the following:

  1. CPM Automatic Update custom site folder Location: C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfsites\CustomSite_FileOnlyCustomSite_CPMAutoUpdate_10

    Files contained in the CPM custom site folder:
    • filelist_srv.txt: referenced in the 'Apply Automatic Updates' task to determine if the CPM client has any out-of-date patterns
    • server.ini: used by the CPM client updater component
    • manifest.ini: metadata containing information about this pattern-set
  2. Each time a new pattern-set is downloaded, a corresponding folder named 'CustomSite_FileOnlyCustomSite_CPMAutoUpdate' is created. There may be multiple versions of the same folder, each with an incremental number appended. The number corresponds to the number of times the CPM custom site has been published. The folder with the highest number contains the most recently published pattern-set information.
  3. We can use the information contained in the manifest.ini to verify what pattern-set version is currently served for automatic updates at the BigFix Server.

    1. If there is more than one CustomSite_FileOnlyCustomSite_CPMAutoUpdate_## folder, open the most recent one (signified by the highest incremental value appended to the folder name).
    2. View the manifest.ini in a text editor and examine the 'version' field: version="20090803_170903"

       This value corresponds to the pattern-set version that is currently available for automatic updates.
    3. Cross-check the automatic update pattern-set version with the most recently available pattern-set stored in the pattern-set cache on the BigFix Server. You can check this in two places.

       Note: This pattern-set cache is the same source that is used to deploy manual updates.

      1. Pattern Updates Wizard:

         CPM Dashboard > Updates > Update/Rollback Patterns > New Pattern Update/Rollback

         When the wizard loads, the most recent pattern-set will display at the top of the pattern-set list.
      2. BigFix Server file system:

         C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\cpm\patterns\20090803_170903
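
The server-side checks above, collected into one PowerShell script as an added example (it is not part of the original article or of any vendor tooling). It assumes the default install paths and registry values shown on this page, and that pattern-set cache folders are named like the 20090803_170903 example.

```powershell
# Added example: server-side checks. Paths and registry names are from this page.
$Root     = 'C:\Program Files\BigFix Enterprise'
$Mirror   = Join-Path $Root 'TrendMirrorScript'
$WebRoot  = Join-Path $Root 'BES Server\wwwrootbes'
$SiteName = 'FileOnlyCustomSite_CPMAutoUpdate'

function Get-ManifestVersion([string]$Folder) {
    # Extracts the value from a line such as: version="20090803_170903"
    $file = Join-Path $Folder 'manifest.ini'
    if (-not (Test-Path -LiteralPath $file)) { return $null }
    $hit = Select-String -LiteralPath $file -Pattern '^\s*version\s*=\s*"?([^"\s]+)' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value }
}

# Credential and authorization files written by the setup script
$missing = 'Credentials\publisher.crt', 'Credentials\publisher.pvk',
           'FileOnlyCustomSiteAuthorization_CPMAutoUpdate' |
    Where-Object { -not (Test-Path -LiteralPath (Join-Path $Mirror $_)) }

# Registry values; the password is only compared, never printed
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\BigFix\CPM\server' -ErrorAction SilentlyContinue
$regOk = $reg -and $reg.PropagateManifest -eq 1 -and
         $reg.ManifestSiteName -eq $SiteName -and
         $reg.CredentialsPVK -and (Test-Path -LiteralPath $reg.CredentialsPVK)

# Most recent published site folder: sort on the numeric suffix, so _10 ranks above _9
$site = Get-ChildItem -LiteralPath (Join-Path $WebRoot 'bfsites') -Directory `
            -Filter "CustomSite_${SiteName}_*" -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '_\d+$' } |
    Sort-Object { [int]($_.Name -replace '^.*_(\d+)$', '$1') } |
    Select-Object -Last 1

# Newest pattern-set in the cache (assumes folders named yyyyMMdd_HHmmss, which sort by name)
$cache = Get-ChildItem -LiteralPath (Join-Path $WebRoot 'cpm\patterns') -Directory `
            -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{8}_\d{6}$' } |
    Sort-Object Name | Select-Object -Last 1

$published = if ($site) { Get-ManifestVersion $site.FullName }
[pscustomobject]@{
    MissingFiles         = $missing -join ', '
    RegistryOk           = [bool]$regOk
    DefaultPasswordInUse = [bool]($reg -and $reg.PropagationPassword -eq 'trendmicro')
    PublishedSiteFolder  = $site.Name
    PublishedVersion     = $published
    NewestCachedVersion  = $cache.Name
    UpToDate             = [bool]($published -and $published -eq $cache.Name)
}
```

Run it in an elevated PowerShell session on the BigFix Server. UpToDate is False until the recurring policy action has published the newest cached pattern-set.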

On the BigFix Client

How can we tell if the client machine has automatic updates enabled?

After the automatic update process is validated on the BigFix Server, we can check whether the BigFix Client has the most recent pattern-set information available.

Deploying the task 'Core Protection Module - Enable Automatic Updates - Endpoint' subscribes the BigFix Client to the CPM automatic update custom site.

Similar to any other BigFix site, you can find it at the following location:

C:\Program Files\BigFix Enterprise\BES Client\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate

When automatic updates are set up properly, this folder will contain the same contents as the most recent version of the custom site on the BigFix Server.

On the BigFix Client, view the manifest.ini file and search for the version field. This value should be the same as, and represent, the latest pattern-set that is available on the server. You can cross-check this value with the one on the BigFix Server. Please refer to Step 3 in the previous section.

Now that automatic updates are enabled on the BigFix Client, how can we tell if it is set up properly?

The task 'Core Protection Module - Apply Automatic Updates' references information in the 'filelist_srv.txt' file in its applicability relevance to determine if the CPM client has outdated components or pattern files. Specifically, Relevance statement 6 of the 'Apply Automatic Updates' task ultimately determines the client's applicability. Client session inspectors used within that relevance prevent it from being evaluated in the Relevance Debugger.

A sample tool that allows manual testing of the relevance locally on the client machine is the BigFix Session Relevance Editor. You can view and download it from BigFix Labs. Copy and paste Relevance statement 6 into the Client API tester. If it evaluates to true, the CPM client has outdated components; false indicates that all components and patterns are up to date with respect to the pattern-set that is currently available.