With Windows 7 and Windows 2008 coming to the end of support, BigFix network self-quarantine helps you block these devices off your network. If you have an Extended Security Update from Microsoft, you can still patch devices through BigFix. For details, see BigFix offers Fixlets after End of Support for Windows 7 and Windows Server 2008.
If you own the BigFix Compliance module, you can set criteria such as patch level, anti-virus definitions, required services running, and so on. If a device does not meet the defined criteria, BigFix self-quarantines it and blocks all network traffic except BigFix traffic. This article explains how to set up network self-quarantine and keep Windows 7 devices off your network. You also learn how to upgrade such devices, either by an in-place upgrade or by reimaging.
- In the BigFix Console, go to the BigFix Management domain.
- Select the License Overview Dashboard.
- Enable the BigFix Client Compliance (IPSec Framework) and BigFix Client Compliance Configuration sites.
Note: Allow the sites to gather. A message at the bottom right of the Console screen shows the gather status.
- Once the gather is complete, click each site and subscribe all computers to it:
  - Click BigFix Client Compliance (IPSec Framework).
  - Subscribe All Computers and click Save.
  - Click BigFix Client Compliance Configuration.
  - Subscribe All Computers and click Save.
- Click the Endpoint Protection domain.
- Expand the Network Self-Quarantine site and select Client Compliance Policy Wizard.
- Select the Create a new BigFix Client Compliance Document to Deploy option.
- Select Windows 7.
- Enter 1 in Maximum number of relevant critical patches.
Note: Once Windows 7 reaches end of support, BigFix releases a critical Fixlet indicating that the OS is no longer supported for patching. That Fixlet forces the machine out of compliance.
- Click Next. Anti-virus is not in the scope of this exercise.
- Click Finish to create your Compliance.xml Task.
- Click OK to save the Task.
- Deploy the Task to the computers: select Take Action and target your Windows 7 machines.
- Create your quarantine policies:
  - Create a policy action for Quarantine – Determine Compliance: select the Task Quarantine – Determine Compliance and Take Action.
  - Run the Task as a policy by taking action on the Task Quarantine - Quarantine Needed - Windows Vista / Server 2008 / 7 / Server 2008 R2 / 8 / 8.1 / Server 2012 / Server 2012 R2 / 10. Target your Windows 7 devices.
If you remote into one of your Windows 7 devices, you will notice that the Windows Firewall blocks all network traffic except the BigFix port.
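To confirm that the quarantine took effect on a device, here is an added read-only check (not part of the BigFix documentation or its sites) that you can run in PowerShell on the quarantined Windows 7 machine. It parses the English output of netsh, reports whether each firewall profile is on and blocks inbound traffic by default, and lists the enabled inbound Allow rules; it assumes the BigFix client uses its default port 52311, so adjust $BigFixPort if your deployment differs.

```powershell
# Added verification script; not part of BigFix. Assumes the BigFix client port is 52311.
$BigFixPort = '52311'

function Get-FirewallProfileState {
    # One object per profile from "netsh advfirewall show allprofiles" (English output).
    $profiles = @()
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $profiles += New-Object PSObject -Property @{ Profile = $Matches[1]; State = ''; Policy = '' }
        } elseif ($profiles.Count -gt 0 -and $line -match '^State\s+(\S+)') {
            $profiles[-1].State = $Matches[1]
        } elseif ($profiles.Count -gt 0 -and $line -match '^Firewall Policy\s+(\S+)') {
            $profiles[-1].Policy = $Matches[1]          # e.g. BlockInbound,AllowOutbound
        }
    }
    return $profiles
}

function Get-EnabledInboundAllowRules {
    # Parses "netsh advfirewall firewall show rule name=all dir=in" into rule objects.
    $rules = @(); $rule = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            $rule = New-Object PSObject -Property @{ Name = $Matches[1].Trim(); Enabled = ''; Protocol = ''; LocalPort = ''; Action = '' }
            $rules += $rule
        } elseif ($rule -and $line -match '^(Enabled|Protocol|LocalPort|Action):\s+(\S+)') {
            $rule.($Matches[1]) = $Matches[2]
        }
    }
    return $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

# Expected on a quarantined device: every profile ON with a BlockInbound default.
$profiles = Get-FirewallProfileState
$profiles | Format-Table Profile, State, Policy -AutoSize
$weak = $profiles | Where-Object { $_.State -ne 'ON' -or $_.Policy -notlike 'BlockInbound*' }
if ($weak) { Write-Warning 'One or more profiles are off or do not block inbound traffic by default.' }

# Expected: the only enabled inbound Allow rule(s) are limited to the BigFix port.
$allow = Get-EnabledInboundAllowRules
$allow | Format-Table Name, Protocol, LocalPort -AutoSize
$extra = $allow | Where-Object { $_.LocalPort -ne $BigFixPort }
if ($extra) { Write-Warning ("{0} enabled inbound Allow rule(s) are not limited to port {1}; review them." -f @($extra).Count, $BigFixPort) }
else        { "Only the BigFix port ($BigFixPort) is allowed inbound." }
```

The netsh text parsing depends on the English Windows UI; on a localized system compare the field names against the local output first.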
You are protected, and the unpatched Windows 7 devices are almost unusable on your network. You can still manage the devices through BigFix, which means you can use the BigFix in-place upgrade to move them from Windows 7 to Windows 10. For details on how to set that up, see Setting up in-place upgrade. If an in-place upgrade is not an option, you can bare-metal image or reimage the machines. For details, see Setting up bare-metal imaging and reimaging. You can still patch Windows 7 or Windows 2008 devices if you have an ESU agreement with Microsoft. For details, see this link. You can also block those devices and use BigFix to upgrade them with in-place upgrades and reimaging. Feel free to reach out for assistance.