Error with Office 365 Version 16.0.14430.20234 fixlet

Slots of SHA1 issues with the various cabs and .dats in that fixlet
Fixlet ID 36509987 Microsoft Important. 9/28

The hash values & sizes would probably have been correct when the fixlet was created, but MS do keep updating the files (whilst keeping the version number unchanged!).

Once you have the files cached, all is good, but I find that a custom copy of the fixlet, updated to have the hash values and file sizes corrected to reflect the current MS reality is often needed.

The alternative is for HCL to keep issuing new fixlets, thereby throwing any existing baselines out of sync.

Agreed, but even with a corrected copy, in our environment with multiple departmental admins responsible for their own groups of machines taking their own actions using one centrally generated baseline, they still have to kill an existing action using that baseline and re-issue it regardless of whose original fixlet is in that baseline do they not?

We don’t experience that - once we have started deployment of a baseline all the downloads are cached and they then remain in the cache while the baseline is still active.

If I have to create a fixlet to roll Office 365 back to a prior version I will probably have to recalculate the file sanity details, but otherwise the fixlets survive a full patch cycle without any mid-term fettling.

The alternatives (such as they are) in a case like this is to send out Action 3 instead - “download with nohash”.

This option disables hash-checking on the downloaded files, so it does raise your risk slightly (since we don’t validate the downloaded files, there is a potential for MITM attack). That risk should be reduced in this case, since we don’t execute the download files, we execute the already-installed ClickToRun updater and point it at these files as data, and ClickToRun should reject an update if it isn’t digitally signed, but in general, ‘add nohash prefetch’ is to be used with care, or not used at all.

There’s also the consideration that we only perform the download to the Server once for the action - if you send the action today, the files are downloaded now; if Microsoft changes the download binaries tonight, and you have a machine come online tomorrow and execute the action, it will still be using the “old” version of the files. And if you copy the action later, the new copy would get the new download files

1 Like

I have had to use the nohash option for this exact reason. Be warned though, the amount of files downloaded to the endpoint is going to be in the region of 5GB as the fixlet uses prefetch so both x86 and x64 files will be prefetched before the actions runs.

I have submittted an ideas suggestion to change that behaviour if you would like to upvote it :wink:

Votes to modifiy how Office 365 content is downloaded by fixlets