BigFix 11.0 Patch 3 is now available!

The BigFix Team is pleased to announce the release of version 11 Patch 3 (11.0.3.82) of BigFix Platform.
The main features in this release are as follows:

Added filtering capability to BigFix Explorer component!
In Patch 2 the new “BigFix Explorer” component was added to allow easier REST API access to BigFix data (see Explorer). When evaluating the Session Relevance using the BigFix Explorer, it is now possible to filter the Session Relevance results. For details, see Session Relevance.

It is now possible to start/stop/restart VMs on AWS, Google and Azure via BigFix!
The BigFix cloud plugins now have the ability to manage the cloud instances using power commands. For details, see Cloud plugins Commands.

AWS cloud plugin connection now available in FIPS mode!
The Amazon Web Services (AWS) cloud plugin can be configured to leverage the FIPS mode connection, to comply with encryption algorithms prescribed by the FIPS standard. For details, see Configuring cloud plugins.

You can now configure a persistent connection for a Relay to Relay communication!
BigFix Platform allows you to establish a persistent connection for a Relay with its parent Relay; this will facilitate the BigFix operations in complex network environments. For details, see Relay-Relay persistent connection.

Enabled Microsoft Control Flow Guard on BigFix Server!
The BigFix Server can now leverage the Microsoft Control Flow Guard (CFG) security feature on Windows systems. For details, see Enabling Microsoft Control Flow Guard on BigFix Server.

Added Subject Alternative Name field to the Client Certificate!
The Subject Alternative Name X509v3 standard extension is added to the client certificate of the BigFix Agents. Its value corresponds to the hostname of the computer where the BigFix Agent runs. This allows the BigFix client certificates to adhere to industry standards as it relates to Subject Alternative Name. For details, see Subject Alternative Name.

Added BESAdmin command to return the BigFix certificate bundle!
With the getcertificatebundle BESAdmin command, you can export the complete BigFix certificate bundle. In the bundle, there are all the certificates for all authorized chains in the masthead. This allows the user to provide the full certificate chain to tools or entities that request it for validation. For details, see BESAdmin Windows Command Line and BESAdmin Linux Command Line.

CVEs details in the Server, Relay, Client and Console Upgrade Fixlets!
Starting from BigFix Version 11.0.3, the Fixlets in the BES Support site which upgrade the BigFix Console and BigFix Platform components (Server, Relay and Client) will show a list of CVE IDs. These refer to the vulnerabilities affecting the previous level of the component, and resolved by the current one. This information will be found on the Details Tab, in the CVE ID field.

Microsoft Entra ID configuration using certificates!
BigFix Platform also allows you to configure Microsoft Entra ID as Identity Provider using a certificate instead of a client secret.
For details, see Integrating with Microsoft Entra ID.

Enhanced Agent log file records with date/time stamps!
BigFix Platform allows you to specify the desired Agent log file format, by using a new setting named _BESClient_Log_TimestampsDetail. This will include timestamps in every line of the agent log.
For details, see List of settings and detailed descriptions.

Limit number of targets when submitting action via REST API!
When issuing an action via REST API, the maximum number of targets set in “targetBySpecificListLimit” parameter (default 10000) is considered; if exceeded, an “HTTP 413 Content Too Large” error response is returned. For details, see Action.

On new clients, avoid the creation of client settings referring to deleted NMOs!
New clients will no longer create settings that refer to Non-Master Operators that have already been deleted, so reducing the workload on these clients and avoiding useless references in their log.

Audit Trail Cleaner update!
The Audit Trail Cleaner tool was updated to allow you to remove the old files uploaded by the Archive Manager on the BigFix Server.
For details, see Audit Trail Cleaner.

Improved user experience in Web Reports as it relates to reauthentication!
The number of reauthentication operations needed in Web Reports is now reduced.
The behavior can be controlled via a new configuration setting named ReAuthenticationEnabled. For details, see Performing the reauthentication.

Removal of obsolete Fixlets and Tasks from BES Support!
Obsolete Fixlets and Tasks were removed from the BES Support content.
For details, see Removal of obsolete Fixlets and Tasks from BES Support content.

Inspector Updates
• New client inspectors named “case insensitive posix regex”, “case insensitive posix regular expression”, “posix regex” and “posix regular expression” were added to fully support POSIX compliant Regular Expressions. They will use the Boost library version 1.78.0, both for Windows and UNIX operating systems, since Boost is declared to be POSIX-Extended compliant. For details, see regular expression.
• New client inspector property “rtt of” was added to return the round-trip time (RTT) of the TCP socket connections in the “ESTABLISHED” state. For details, see socket.

Added Support for BigFix Agent
Added support for BigFix Agent running on:

  • macOS 15 ARM/x86 64-bit
  • Ubuntu 24.04 LTS
  • Raspberry Pi OS 12 32-bit

Library and driver upgrades

  • The libcURL library was upgraded to Version 8.9.1.
  • The Microsoft ODBC Driver was upgraded to Version 17.10.6.
  • The OpenSSL library was upgraded to Version 3.2.2.

Additional information about this release

References

Pre-Upgrade Considerations

Important considerations to take into account before upgrading to BigFix Platform Version 11 are:

  • BigFix Version 10.0.7 is the minimum version supporting the upgrade of the BigFix server components to Version 11
  • You must enable the “Enhanced Security” before upgrading BigFix Platform to Version 11
  • The minimum TLS supported protocol in BigFix V11 is TLS 1.2
  • The SHA1 hashing algorithm for content and action signature will no longer be supported. SHA1 is still supported for file download in actionscript. For details, see the BigFix Platform V11 Overview Page
  • The unixODBC RPM package is a prerequisite for the Server components on Linux systems. This applies to installations with a DB2 database.
  • The msodbcsql17 RPM package is a prerequisite for the Server components on Linux systems. This applies to installations with a MSSQL database. For details, see Upgrade paths (Windows) and Upgrade paths (Linux)
  • For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 11, see Detailed system requirements.
  • Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as Web Reports, WebUI, BigFix Inventory, or BigFix Compliance).

Useful links

A blog that discusses the benefits of BigFix 11 is available here

Upgrade Fixlets are available in BES Support version 1495 (or later).

– HCL BigFix – Platform Team

Just upgraded our Dev instance, which was running 11.0.2 on Win2019 + onbox SQL 2016, and it went smoothly. About 15 minutes start to finish.

Cloud plugin update went fine from WebUI, but afterwards the WebUI is saying I have no plugins installed but I had at least 1 before I hit upgrade. Now awhile back, I did have one of my multiple plugins disappear as well but was still trying to auth and update in the background, just wasn’t showing in UI and when trying to install again would fail. I ever opened a ticket for that and it could be related or it could be something new, since all plugins are gone.

That said, later on (probably after a complete sync) the plugin did come back. :)

That happened to me before but it’s just a matter of waiting for the analysis that reports the Plugin’s configuration to refresh the info. Perhaps that happened to you, in the back end the agent where the plugin(s) are installed took a while to re-evaluate and report back.

Is there an updated ServerKeyTool.exe for 11.0.3 and if not, can we get one made?

We found it here but it is 11.0.2, Welcome to Wikis

This looks like a good update with plenty of new features! Thanks for continuing to improve on things. Hopefully this update will take care of my old deleted non-master operator accounts that keep showing under the gather status area when checking the health checks area.

@cody_gregg I had something similar - I’ve opened a support ticket with the Support, and they provided a way to identify the deleted operators and how to create an action which will remove them from the client that still thinks they exist.

Interesting. Are you able to provide the general steps they gave you? I have also had a ticket open for this before and they never could get it cleared. We tried a number of things to clear those opsite errors from deleted operators.

Hello, there is no update to the tool for 11.0.3. The one in the wiki page is valid for this version as well. Thank you

Can we simply then copy the 11.0.2 as 11.0.3 so no one else has a question on this?

As well as future releases. Add a checklist item for any release going forward to always check the wiki article and update it.

There is a statement in the wiki that reads:
“valid for all BigFix versions”, and there is no mention of the specific tool build number in the wiki. I think that should be sufficient.
Thank you