Enabling Microsoft Control Flow Guard on BigFix Server
Starting from BigFix version 11.0.3, the BigFix Server implements the Microsoft Control Flow Guard (CFG) security feature on Windows systems; the BigFix Server executables:
- BESAdmin.exe
- BESRootServer.exe
- FillDB.exe
- GatherDB.exe
For more details about the Microsoft Control Flow Guard feature, see Control Flow Guard for platform security.
When you install or upgrade to BigFix version 11.0.3, the Microsoft Control Flow Guard feature on the above executables is disabled by default.
You can enable the feature either using the Windows Exploit Protection as described in Configure system-level mitigations with the Windows Security
app or using the new BigFix Administration Tool command line options named
checkcontrolflowguard
and setcontrolflowguard
as described
in BESAdmin Windows Command Line.
The Use strict CFG option is not supported; when enabled, Windows OS is expecting that all the libraries loaded by the executable are built with CFG parameter, producing unpredictable behaviors.