Replacing Prefetch URL in a MS Fixlet

jacob.fierberg 2022-05-10 16:37:11 UTC #1

Can the URL in a prefetch statement be replaced with the local SHA1 URL instead of the http://download.windowsupdate.com…url? Our BigFix servers are not internet facing and i want to remove references to outside sites to speed up patch downloads.

brolly33 2022-05-10 16:46:49 UTC #2

File sha256 and sha1 should match for the prefetch, regardless of if file is on internet or in a local folder.

Example.
April prefetch command. If you precache the file internally, the sha1 and sha256 should still be the same, and the BigFix server can use that local file if you copy it into the cache area on the BigFix server, without needing to modify the prefetch command in the action.

windows10.0-kb5012119-x64-ndp48_1bb9197b286cb2f7eba4667942abf6bd12fcf3f5.msu sha1:1bb9197b286cb2f7eba4667942abf6bd12fcf3f5 size:83996604 http://download.windowsupdate.com/c/msdownload/update/software/secu/2022/03/windows10.0-kb5012119-x64-ndp48_1bb9197b286cb2f7eba4667942abf6bd12fcf3f5.msu sha256:3e6da10a65945855e0f56346005c530114fd1c5785d2742e7e780552cad28a3d

More information about caching files on the Bigfix server manually:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0023289

jacob.fierberg 2022-05-10 16:48:13 UTC #3

Gotcha. So if I paste the SHA256 file into the SHA1 folder, the fixlet will find it without trying the external URL. Is that accurate? This is what we have been doing, I am just confirming the process.

brolly33 2022-05-10 16:51:41 UTC #4

Yes - if BES Server or BES Relay has a copy of the file in it’s cache
C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1 folder
(default location) then it will not try to download the file from the URL. sha1/sha256 still have to match to insure the file was not tampered with, of course.

You can also use the tooling for AirGap to automate this use case. More info on that here:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_airgap_tool_overview_new.html

jacob.fierberg 2022-05-10 16:52:24 UTC #5

thanks for the good confirmation. We use the AirGap tool each month.

jacob.fierberg 2022-05-11 16:40:15 UTC #6

One more question: When installing Windows Updates, does the wusa.exe installer app reach out to windowsupdate on the internet?

brolly33 2022-05-11 17:28:46 UTC #7

@jacob.fierberg default configuration is that BESClient reaches out to BESRelay and requests the file.BESRelay provides the file to the client if it is in relay cache or asks BESRootServer for the file.
BESRootServer, which gets it from the internet (or it’s local cache)

There is a setting you can set on the client to allow wusa.exe to get the file directly from the internet in a direct download if you don’t want to use the relay chain to get the file.
_BESClient_Download_Direct

more info here:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_managing_downloads.html