If you haven’t noticed, there is a new patch site available for Lifecycle and Compliance customers called “Updates for Windows Applications Extended” and it currently has over 100 titles covered. I wanted to explain a bit about the site in general and cover some frequently asked questions.
How do I get the site?
If you are a Lifecycle or Compliance customer, as a Master Operator, look to enable the site
Updates for Windows Applications Extended in the License Overview dashboard in the Windows Console. This only needs to be done once. You will then have to set which computers are subscribed to the site once the first gather has completed.
This YouTube video shows the process, but be aware, the site will now show up as the full name, not like it does in the video at the time: https://www.youtube.com/watch?v=LtS_pWlBeao
What is the target platform?
Windows 10 64bit or later is the platform specifically targeted, but that also includes Windows Server of similar version. That said, most of the content COULD work on Windows XP 64bit or later in many cases, and SHOULD work on Windows 7 64bit or later in basically all cases.
If you have trouble with an update NOT working on something older than Windows 10, let us know, but the fix is very likely to be that we add relevance to exclude older operating systems unless there is a simple fix that could be made to the actionscript.
What about Windows 32bit?
We do not intend to create 32bit software updates when there is a 64bit version available from the vendor. That said, if there is only a 32bit version available, then that update is written to work on both 32bit and 64bit versions of Windows, but it is only tested on Windows 64bit.
If you have a lot of 32bit Windows out there and can make a compelling case for it, then I’m interested to hear about it, but this is not a current priority.
Will you make a 32bit update fixlet for software where a 64bit version is available?
In most cases, no.
There are exceptions, particularly things like JRE/JDKs where you need both a 32bit and 64bit version depending on what kind of software is using it.
For most other software, the 64bit update should be relevant on systems that have the 32bit version installed and it should upgrade from the 32bit installed version to the 64bit installed version. That said, this has not been tested in all cases and may fail or may result in both versions being installed. We may need to publish content in the future to help handle this case and transition from the 32bit version to the 64bit version.
If you have very specific use cases where you absolutely need the 32bit version of a certain software update, I’d be curious to hear about it, but it will be a case by case basis.
What software will you consider including in the future?
Any software that has a publicly available download (no login required) and can be silently installed per machine for all users. Software that can only be installed per user might be done as a rare exception, but not the typical case. Software that requires a login to download might be possible to address in the future, but it will require a download plugin to be configured for each vendor on the root server or top level relays, which is not ideal.
Ideally the software has a version specific download URL available so that when a new version is released, the older version is still available for download. There are those that do not appear to have a version specific download but they in fact do, so it isn’t always obvious. That said, we will make exceptions to this depending on the software, but just be aware, if the vendor updates their software before you have actioned one of them and before we have updated it, then the prefetch will have a hash mismatch and will not work until we update. We are looking at options to help with this situation in the future, but our current solution is just updating more often. If you were to deploy a WebUI Patch Policy that auto refreshes content from this site to test machines, then you should be less likely to run into this problem as long as your root server has a large enough cache configured. I would generally recommend at least a 100GB root server cache, especially as the size of this site grows over time. See more info on the setting
How often will you update content in the site?
We intend to update at least once a week, but we will generally update more often than that and are working on making it more frequent over time. Generally not more often than once a day.
How many versions of each title are available to update?
We only keep around the newest version of each software. That could include multiple long term servicing branches of some software in the cases where each branch is getting actively maintained in parallel, in which case there will be fixlets for each. Software that is end of life or has not received and update in over 2 years is not generally going to be considered, though there could be exceptions.
You can make custom copies of the fixlets if you want to maintain specific versions.
What if a vendor stops providing the download?
Then the fixlet for the vendor will stop being updated, marked as deprecated, and then removed after a time.
How do I request new software be added?
NOTE: Federal customers should contact Devaughn Rackham instead of using the Ideas Portal.
Please submit an Idea to the section currently labeled “Content” in the HCL BigFix Ideas Portal with the name of the software, the webpage you download the software from, and an example link to the actual downloaded file. MSI installers preferred when available.
This section may be renamed from “Content” in the future.
Also, please vote on existing ones that you would like to see.
What about CVE Metadata in the update fixlets?
We don’t currently provide CVE Metadata. We are looking into options for providing it in the future, but may come in the form of metadata outside of the update fixlets themselves.
The content DOES include CPE metadata tags. In some cases those tags might not match the corresponding CPE tag in NVD, but we are working to correct that over time. These tags can be used to correlate with data in NVD.
What is the value to the site? What is the overall goal?
The goal of the site is to provide update fixlets for as many software titles as possible. The ideal main value of the site is the quantity of software titles covered. The content will not have as thorough descriptions with version specific information. It will not have metadata that cannot be figured out automatically. We will put info in the descriptions where needed in general where a particular content is different than other examples in the site, but it is not the main focus.
Look for the amount of titles covered to grow in the near future.