BESAdmin Windows Command Line
The installation automatically downloads the BigFix Administration Tool program BESAdmin.exe into the %PROGRAM FILES%\BigFix Enterprise\BES Server directory. You can run BESAdmin.exe from the command line to perform additional operations. To run it from the command prompt, use the following command:
.\BESAdmin.exe /service { arguments}
where service can be one of the following:
- audittrailcleaner
- checkcontrolflowguard
- checkdbindexfrag
- checkdbinfo
- checksqlserverparallelism
- converttoldapoperators
- createexplorercredentials
- createwebuicredentials
- findinvalidactions
- findinvalidsignatures
- getcertificatebundle
- minimumSupportedClient
- minimumSupportedRelay
- propagateAllOperatorSites
- propertyidmapper
- removecomputers
- reportencryption
- resetDatabaseEpoch
- resignsecuritydata
- revokeexplorercredentials
- revokewebuicredentials
- rotateexplorercredentials
- rotateserversigningkey
- securitysettings
- setcontrolflowguard
- setproxy
- setsqlserverparallelism
- syncmastheadandlicense
- updatepassword
<path+license.pvk>, used in the command syntax that is displayed across this topic, stands for path_to_license_file/license.pvk.
A password passed with /sitePvkPassword is visible to other local users in the process command line and is kept in the shell history; where the syntax marks the password as optional, omit it and type it when prompted instead.
The services and their arguments are the following:
- audittrailcleaner
You can run this service to remove historical data from the bfenterprise database that is stored to serve as an audit trail. This audit trail slowly increases in size over the lifetime of a BigFix deployment. The audit trail contains deleted and earlier versions of Fixlets, tasks, baselines, properties, mailbox files, actions, and analyses. The audit trail is not used by BigFix in any way and can be deleted to reduce the database size. BigFix recommends that you create a historic archive of the current database and save it to a secure location before you run this tool, so that the audit trail is preserved in the archive even though it is removed from the product database.
The service can count and delete the following sets of data:
- Older Versions of Custom Authored Content (/oldcontent): Every edit to Fixlets, Tasks, Baselines, and Analyses creates a new version; the earlier versions can be deleted.
- Older Versions of Actions (/oldactions): Any time that you stop or start an Action, a new version is created; the earlier versions can be deleted.
- Older Versions of relay.dat (/oldrelaydatfile): Any time that you install or uninstall a relay, a new version is created; the earlier versions can be deleted.
- Older uploaded files (/deleteolduploadedfiles): Removes the old files uploaded by the Archive Manager on the BigFix server. This option deletes the files after an expiration period (default 180 days) from when they were uploaded.
- Deleted Custom Authored Content (all versions) (/deletedcontent): When you delete a Fixlet, Task, Baseline, or Analysis using the console, the data is marked as deleted in the database and preserved. The deleted content, including all of the earlier versions and the corresponding client reports, can be deleted.
- Deleted Actions (all versions) (/deletedactions): When you delete an action using the console, the data is marked as deleted in the database and preserved. The deleted actions, including all of the earlier versions and the corresponding client reports, can be deleted.
- Useless Action Results (/uselessactionresults): Earlier versions of BigFix might cause clients to report ActionResults that are not used in any way but take up space in the database. These useless ActionResults can be deleted.
- Orphaned sub-actions (/orphanedsubactions): Sub-actions left over from multiple action groups that were deleted.
- Hidden Manual Computer Group Actions (/hiddenactions): Manual Computer Groups create hidden actions that add and remove computers to and from groups, and these actions can build up over time. This option deletes such actions after an expiration period (default 180 days) from when they were created.
- Older Versions of Mailbox Files (/deletedmailbox): Deleted Mailbox Files are stored in a table in the database and can be removed.
- Synchronizing BES Consoles (/syncconsoles): The BigFix Console maintains a local cache of the database that becomes unsynchronized when data is removed with this tool. To avoid such inconsistencies, the tool sets a flag in the database to force all BigFix Consoles to reload the cache when the Console is started.
- Removing data older than (/olderthan): Removes data older than the specified number of days.
- Batched deletion (/batchsize): Deleting large sets of data causes the SQL transaction log to grow quickly; the log temporarily becomes larger than the data being removed until the database is shrunk. Batched deletion removes results in sets.
The general syntax of this service is the following:
.\BESAdmin.exe /audittrailcleaner { /displaysettings | /run [delete_data_options] | /schedule [delete_data_options] [scheduling options] | /preview [delete_data_options] [preview options] }
The syntax changes depending on the action you specify:
.\BESAdmin.exe /audittrailcleaner /displaysettings
.\BESAdmin.exe /audittrailcleaner /run [ /oldcontent ] [ /oldactions ] [ /oldrelaydatfile ] [ /deleteolduploadedfiles ] [ /deletedcontent ] [ /deletedactions ] [ /hideUI ] [ /uselessactionresults ] [ /orphanedsubactions ] [ /hiddenactions=<days> ] [ /deletedmailbox ] [ /syncconsoles ] [ /olderthan=<days> ] [ /batchsize=<size> ]
.\BESAdmin.exe /audittrailcleaner /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<password> ] /schedule [ [ /oldcontent ] [ /oldactions ] [ /oldrelaydatfile ] [ /deleteolduploadedfiles ] [ /deletedcontent ] [ /deletedactions ] [ /uselessactionresults ] [ /orphanedsubactions ] [ /hiddenactions=<days> ] [ /deletedmailbox ] [ /syncconsoles ] [ /olderthan=<days> ] [ /batchsize=<size> ] [ /cleanstarttime=<yyyymmdd:hhmm> [ /cleanperiodicinterval=<hours> ] ] | /disable ]
.\BESAdmin.exe /audittrailcleaner /preview [ [ /oldcontent ] [ /oldactions ] [ /oldrelaydatfile ] [ /deleteolduploadedfiles ] [ /deletedcontent ] [ /deletedactions ] [ /uselessactionresults ] [ /orphanedsubactions ] [ /hiddenactions=<days> ] [ /deletedmailbox ] [ /olderthan=<days> ] | [ /scheduled ] ]
where:
- displaysettings shows the settings that were previously set with the schedule action.
- run runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using the preview action. Use the /hideUI option to avoid pop-up windows notifying action results.
- schedule schedules the tool to run at the specified time and at each specified interval. To disable the scheduled run, use the disable option.
- preview shows the number of database rows affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the scheduled option to preview the scheduled settings.
For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
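The following PowerShell script is an added example and not part of the BigFix documentation. It follows the recommendation above: archive BFEnterprise first, preview the cleanup, and only then run it in batches with /hideUI. It assumes BESAdmin.exe is in the default BES Server folder; the SQL Server instance name, the backup path and the day/batch values are placeholders, and the check on BESAdmin's exit code is a convenience (this page does not document its exit codes).

```powershell
# Added example, not part of the BigFix documentation: archive BFEnterprise, preview
# the audit-trail cleanup, then run it in batches. Assumed: default BESAdmin.exe path,
# placeholder SQL Server instance and backup path, and a non-zero BESAdmin exit code on
# failure (not documented on this page, so treat it as a hint, not a guarantee).
param(
    [string]$BesAdmin   = "$env:ProgramFiles\BigFix Enterprise\BES Server\BESAdmin.exe",
    [string]$SqlServer  = 'BIGFIXDB\BFE',                                 # assumed instance
    [string]$BackupPath = 'D:\Backups\BFEnterprise_before_audit_cleanup.bak',
    [int]$OlderThanDays = 365,
    [int]$BatchSize     = 5000
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $BesAdmin)) { throw "BESAdmin.exe not found at $BesAdmin" }

function Invoke-BesAdmin([string[]]$Arguments) {
    # BESAdmin.exe shows windows unless /hideUI is given, i.e. it is a GUI program, so
    # '&' would return before it finishes. Start-Process -Wait blocks until it exits.
    (Start-Process -FilePath $BesAdmin -ArgumentList $Arguments -Wait -PassThru -NoNewWindow).ExitCode
}

# 1. Keep the audit trail somewhere other than the product database before deleting it.
#    COPY_ONLY leaves the regular backup chain untouched; CHECKSUM catches a bad write.
$sql = "BACKUP DATABASE [BFEnterprise] TO DISK = N'$BackupPath' WITH COPY_ONLY, INIT, CHECKSUM"
& sqlcmd -S $SqlServer -E -b -Q $sql
if ($LASTEXITCODE -ne 0) { throw "Backup failed (sqlcmd exit $LASTEXITCODE); nothing was deleted." }

# 2. Preview with exactly the option set that /run will use; a preview taken with a
#    different option set says nothing about what /run is about to delete.
$dataOptions = @(
    '/oldcontent', '/oldactions', '/oldrelaydatfile',
    '/deletedcontent', '/deletedactions', '/uselessactionresults',
    '/orphanedsubactions', '/deletedmailbox',
    "/olderthan=$OlderThanDays"
)
Invoke-BesAdmin (@('/audittrailcleaner', '/preview') + $dataOptions) | Out-Null
if ((Read-Host 'Row counts reviewed. Delete now? (yes/no)') -ne 'yes') { Write-Host 'Aborted.'; return }

# 3. Delete in batches so the transaction log does not outgrow the data being removed,
#    force the consoles to reload their cache, and suppress pop-ups for unattended use.
$rc = Invoke-BesAdmin (@('/audittrailcleaner', '/run') + $dataOptions +
                       @("/batchsize=$BatchSize", '/syncconsoles', '/hideUI'))
if ($rc -ne 0) { throw "audittrailcleaner /run returned $rc; check BESAdminDebugOut.txt" }
Write-Host "Audit trail older than $OlderThanDays days removed; archive kept at $BackupPath"
```

The preview step is deliberately left interactive (no /hideUI) so the operator sees the row counts before confirming; the run step passes the same option array so the two cannot drift apart.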
- checkcontrolflowguard
- You can use this service to retrieve the Microsoft Control Flow Guard (CFG) enablement status of the program specified by the /binaryName parameter. The syntax to run this service is:
.\BESAdmin.exe /checkcontrolflowguard /binaryName=<programName.exe> [/hideUI]
Use the /hideUI option to avoid pop-up windows notifying action results. For more details about the Microsoft Control Flow Guard (CFG), see Enabling Microsoft Control Flow Guard on BigFix Server.
- checkdbindexfrag
- You can use this service to list and filter the index fragmentation of the BigFix database on your SQL Server. In the BigFix Administration Tool panel the top five indexes matching the filter are displayed; the full list can be found in the BESAdminDebugOut.txt log file. The syntax to run this service is:
.\BESAdmin.exe /checkdbindexfrag [/fragPercent=<integer>] [/pageCount=<integer>]
You can specify the following optional parameters to filter the result:
- /fragPercent=<integer> specifies the minimum fragmentation percentage to search for. Default is 10.
- /pageCount=<integer> specifies the minimum page count to search for. Default is 1000.
- checkdbinfo
- You can use this service to list the main configuration settings of the BigFix database on your SQL Server, such as DB version, server memory, compatibility level, and so on. The syntax to run this service is:
.\BESAdmin.exe /checkdbinfo
- checksqlserverparallelism
- You can use this service to check for common SQL Server configuration issues in your database instance with regard to the effective use of multiple CPU cores. Some of these issues can be fixed by simply changing configuration parameters; others may require more advanced configuration changes to be fully solved. When executed without additional options, this service only checks whether the MaxDoP (maximum degree of parallelism) and CTFP (cost threshold for parallelism) settings are set to the recommended values for the given environment. The syntax to run this service is:
.\BESAdmin.exe /checksqlserverparallelism [/extraChecks] [/extraInfo] [/ctfpTolerance=<0.0 .. 1.0>]
You can specify the following optional parameters:
- /extraChecks performs additional checks to detect further issues, such as "under-utilization of licensed cores" and "uneven distribution of used cores".
- /extraInfo is an optional flag to show more information, such as the number of used cores per NUMA node and the number of hardware NUMA nodes.
- /ctfpTolerance=<0.0 .. 1.0> specifies a tolerance margin for the CTFP setting; if not specified, it defaults to 0.1, i.e. a CTFP within 10% of the generally recommended value is considered acceptable.
To run this command, you must have these permissions on the database:
- The VIEW SERVER STATE permission is required.
- In addition, when using the /extraInfo option, the login must have 'master' mapped among the databases it can access (User Mapping) and the EXECUTE permission on the sys.xp_readerrorlog procedure.
- converttoldapoperators
- You can convert local operators to LDAP operators, so that they can log in with their LDAP credentials. Optionally you can use the mappingFile argument to specify a file, the mapping file, where each line has the name of the user to convert, followed by a tab, followed by the name of the user in LDAP/AD. Specify the name using the same format that the user will use to log in to the console: domain\user, user@domain, or user. If you do not specify a mapping file, all users are converted assuming that their name in LDAP/AD is the same as their local user name. The syntax to run this service is:
.\BESAdmin.exe /convertToLDAPOperators [/mappingFile:<file>]
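The PowerShell script below is an added example, not part of the BigFix documentation or the product: it builds the tab-separated mapping file from a CSV, rejects rows that would shift the columns, and runs the conversion. The default BESAdmin.exe path, the CSV columns (LocalOperator, LdapName; the sample rows are constructed here) and the assumption that BESAdmin reads a BOM-less UTF-8 text file are ours; the page specifies only "name, tab, LDAP name" per line.

```powershell
# Added example, not part of the BigFix documentation: build the tab-separated
# /mappingFile for converttoldapoperators from a CSV and run the conversion. Assumed:
# default BESAdmin.exe path, a CSV with LocalOperator and LdapName columns (constructed
# below), and that BESAdmin accepts BOM-less UTF-8 (the page does not say).
$BesAdmin = "$env:ProgramFiles\BigFix Enterprise\BES Server\BESAdmin.exe"
$mapPath  = Join-Path $env:TEMP 'operator-mapping.txt'

# Constructed sample input; in practice: Import-Csv .\operators.csv
$rows = @'
LocalOperator,LdapName
jdoe,CORP\jdoe
ops-admin,ops.admin@corp.example
svc_patch,svc_patch
'@ | ConvertFrom-Csv

# Each line must be exactly <local name><TAB><LDAP name>. A tab inside a name or a blank
# field would silently shift the columns and convert the wrong account.
$ldapForm = '^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+|[^\\@\s]+)$'   # domain\user | user@domain | user
$lines = foreach ($r in $rows) {
    $local = "$($r.LocalOperator)".Trim()
    $ldap  = "$($r.LdapName)".Trim()
    if (-not $local -or -not $ldap -or "$local$ldap" -match "`t") {
        throw "Invalid mapping row: '$($r.LocalOperator)' -> '$($r.LdapName)'"
    }
    if ($ldap -notmatch $ldapForm) { throw "LDAP name '$ldap' is not domain\user, user@domain or user" }
    "$local`t$ldap"
}

# Converting the same local operator twice is almost certainly a copy-paste error.
$dupes = $lines | ForEach-Object { ($_ -split "`t")[0] } | Group-Object | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate local operators: $($dupes.Name -join ', ')" }

[System.IO.File]::WriteAllLines($mapPath, [string[]]$lines, [System.Text.UTF8Encoding]::new($false))
Get-Content $mapPath | ForEach-Object { Write-Host ($_ -replace "`t", ' -> ') }   # review before converting

# BESAdmin.exe is a GUI program: wait for it with Start-Process rather than '&'.
$p = Start-Process -FilePath $BesAdmin -ArgumentList @('/convertToLDAPOperators', "/mappingFile:`"$mapPath`"") -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) { throw "convertToLDAPOperators returned $($p.ExitCode)" }
```

Run it once against a copy of the operator list and compare the printed mapping with the console's operator view before letting it call BESAdmin; the script throws on the first malformed row rather than writing a partial file.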
- createexplorercredentials
- Use this service to create a BigFix Explorer certificate for the input hostname, in a similar way as the one for the WebUI certificate. The following files will be created in the output folder:
- The certificate file of the ExplorerCertificate "authentication": auth_cert.crt
- The key file of the ExplorerCertificate "authentication": auth_key.key
- The certificate file of the ExplorerCACertificate "authentication": ca.crt
- The certificate file of the WebUICACertificate "authentication": apica.crt
This service generates a folder named cert_explorerHostname in the path specified by the explorerCertDir option. auth_key.key is the private key of the Explorer credential: restrict access to the output folder and move it to the Explorer host over a protected channel. The syntax to run this service is:
.\BESAdmin.exe /createexplorercredentials /sitePvkLocation:<path+license.pvk> /sitePvkPassword:<password> /explorerCertDir:<path> /explorerHostname:<BigFixExplorerHostnameOrIP> [ /f ]
- explorerCertDir
- Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
- explorerHostname
- Specifies the hostname or IP address of the computer that will host your BigFix Explorer.
- createwebuicredentials
- Use this service to generate the certificates used as WebUI credentials. This service generates a folder named cert_WebUIHostnameOrIP in the path specified by the webUICertDir option. Use the following syntax to run the command:
.\BESAdmin.exe /createwebuicredentials /sitePvkLocation:<path+license.pvk> /sitePvkPassword:<pwd> /webUICertDir:<path> /webUIHostname:<WebUIHostnameOrIP>
- webUICertDir
- Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
- webUIHostname
- Specifies the hostname or IP address of the computer that will host your WebUI.
Note: If you need to generate WebUI credentials certificates, but you have no WebUI in your deployment, then set:
- webUICertDir
- To the BigFix server folder. For example, BigFix Enterprise\BES Server.
- webUIHostname
- To the BigFix server IP address or hostname.
- findinvalidactions
- You can check for invalid actions in the database. You can specify the following parameter:
- /deleteInvalidActions (optional): Deletes the invalid actions that are found.
The syntax to run this service is:
.\BESAdmin.exe /findinvalidactions [ /deleteInvalidActions ] /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<pwd> ]
- findinvalidsignatures
- You can check the signatures of the objects in the database. You can specify the following parameters:
- /resignInvalidSignatures (optional): Attempts to resign any invalid signatures that BESAdmin finds.
- /deleteInvalidlySignedContent (optional): Deletes content with invalid signatures.
The two options are mutually exclusive. The syntax to run this service is:
.\BESAdmin.exe /findinvalidsignatures [ /resignInvalidSignatures | /deleteInvalidlySignedContent ]
- getcertificatebundle
- You can export the certificate bundle (PEM) used by the current version of BES Admin. The bundle contains all the certificates of all the authorized chains in the masthead. So, for example, with SHA384 forced, the bundle contains only the SHA384 chain. The generated file, named bundle.pem, is located in the folder specified by the bundleCertDir=<path> option. The syntax to run this service is:
.\BESAdmin.exe /getcertificatebundle /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<pwd> ] /bundleCertDir=<path>
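This PowerShell script is an added example, not code from the BigFix documentation: it reads the exported bundle.pem, lists each certificate with its signature algorithm, and warns if a chain weaker than SHA-384 is still authorized or a certificate is close to expiry. The folder name is a placeholder for whatever you passed as /bundleCertDir, and the file is assumed to be standard PEM (concatenated BEGIN/END CERTIFICATE blocks); the page does not describe the exact layout.

```powershell
# Added example, not part of the BigFix documentation: inspect the bundle.pem written
# by /getcertificatebundle and report which signature chains it holds. Assumed:
# $BundleDir is the folder passed as /bundleCertDir, and the file is standard PEM.
param([string]$BundleDir = 'C:\BigFixCerts')

$pem    = Get-Content -Raw -Path (Join-Path $BundleDir 'bundle.pem')
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) { throw 'No certificates found in bundle.pem' }

# Decode each PEM body to DER and load it as an X509Certificate2.
$certs = foreach ($m in $blocks) {
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

$certs |
    Select-Object Subject, Issuer, NotAfter,
        @{ n = 'SigAlg';     e = { $_.SignatureAlgorithm.FriendlyName } },
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize

# With SHA384 forced the page says only the SHA-384 chain is in the bundle, so any
# weaker signature algorithm here means an older chain is still authorized.
$weak = @($certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -notmatch 'sha384' })
if ($weak.Count) { Write-Warning "Non-SHA-384 certificates still present: $($weak.Subject -join '; ')" }

# Expiry check on the authorized chains.
$soon = @($certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) })
if ($soon.Count) { Write-Warning "Expiring within 90 days: $($soon.Subject -join '; ')" }
```

Run it after changing the securitysettings digest options (see below) to confirm the exported bundle reflects the chains you expect the masthead to authorize.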
- minimumSupportedClient
- This service defines the minimum version of the BigFix Agents that are used in your BigFix environment.
Note: Based on this setting, the BigFix components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations that are imposed by this setting.
The currently allowed values are:
- 0.0, which means that no activity issued by BigFix Agents with versions earlier than V9.0, such as archive file and report uploads, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
- 9.0, which means that:
- Unsigned reports, such as the reports sent by BigFix Clients earlier than V9.0, are discarded by FillDB.
- The upload of an unsigned archive file that is generated on a BigFix Client earlier than V9.0, by an archive now command for example, fails.
If you ran a fresh installation of BigFix V9.5.6 or later using a BES Authorization file, by default all the BigFix Clients earlier than V9.0 are prevented from joining your environment because the minimumSupportedClient service is automatically set to 9.0. The value assigned to this service, if set, remains unchanged:
- If you upgraded to V9.5.6 or later.
- If you installed BigFix V9.5.6 or later using an existing masthead.
The current value <VALUE> assigned in your environment to the minimumSupportedClient service is displayed in the line x-bes-minimum-supported-client-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server, using the Fixlet Debugger or the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-client-level:" ) of masthead of site "actionsite"
The syntax to run this service is:
.\BESAdmin.exe [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>] /minimumSupportedClient=<version>.<release>
If you omit [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>], you are requested to enter the site key and password in a pop-up window. For example, if you want to state that Agents earlier than V9.0 are not supported in your BigFix environment, you can run the following command:
.\BESAdmin.exe /minimumSupportedClient=9.0
- minimumSupportedRelay
- You can use this service, added with BigFix V9.5.6, to enforce specific criteria that affect the BigFix Agent registration requests. If this service is enabled, V9.5.6 Agents can continue to register to the V9.5.6 BigFix environment only if their registration requests are signed and sent across the Relay hierarchy using the HTTPS protocol.
Note: Based on this service, the BigFix components can decide when it is safe to enable newer functions across all the components in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations that are imposed by this setting.
The currently allowed values are:
- 0.0.0, which means that the BigFix Server accepts and manages:
- Signed and unsigned registration requests coming from BigFix Agents.
- Registration requests delivered from BigFix Agents that use the HTTP or the HTTPS protocols.
This behavior also applies if the minimumSupportedRelay service was not added automatically to your configuration during the upgrade. Consider that this value is not displayed when you run the query to see the current value that is assigned in your environment to the minimumSupportedRelay service.
- 9.5.6 or later, which means that:
- The BigFix Server enforces that registration requests coming from BigFix Agents V9.5.6 or later must be properly signed.
- The BigFix Server and the Relays V9.5.6 or later enforce the use of the HTTPS protocol when exchanging BigFix Agent registration data.
- BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
- Because BigFix Relays with versions earlier than V9.5.6 cannot correctly handle signed registration requests, any BigFix Client that uses those Relays might be prevented from continuing to register, or might fall back to a different parent Relay or directly to the Server.
If you ran a fresh installation of BigFix V9.5.6 or later using a License Authorization file, be aware that the side effects listed above apply to your BigFix deployment because, in this particular installation scenario, the minimumSupportedRelay service is automatically set to 9.5.6 by default.
The current value <VALUE> assigned in your environment to the minimumSupportedRelay service is displayed in the line x-bes-minimum-supported-relay-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server, using the Fixlet Debugger or the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-relay-level:" ) of masthead of site "actionsite"
This query displays a value only when <VALUE> is set to 9.5.6; if it is set to 0.0.0, it does not display a value.
The syntax to run this service is:
.\BESAdmin.exe [/sitePvkFile=<path+license.pvk>] [/sitePvkPassword=<password>] /minimumSupportedRelay=<version>.<release>.<modification>
If you omit [/sitePvkFile=<path+license.pvk>] [/sitePvkPassword=<password>], you must enter the site key and password in a pop-up window. For example, if you want only the registration requests that are signed and carried through HTTPS to be managed by your BigFix Server, you can run the following command:
.\BESAdmin.exe /minimumSupportedRelay=9.5.6
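As an added example (not part of the BigFix documentation), the PowerShell below reads both minimum-supported levels straight from the masthead header lines the two sections above cite, as a file-based alternative to the relevance queries, and derives what each level enforces. It assumes the masthead is actionsite.afxm in the BES Server folder and that its header section consists of plain "name: value" text lines; both are deployment details this page does not fix.

```powershell
# Added example, not part of the BigFix documentation: read the two minimum-supported
# levels from the masthead header lines cited above. Assumed: the masthead is
# actionsite.afxm in the BES Server folder and its header is plain "name: value" text.
param([string]$Masthead = "$env:ProgramFiles\BigFix Enterprise\BES Server\actionsite.afxm")

function Get-MastheadLevel {
    param([string]$Path, [string]$Header)
    # Same extraction as the relevance query: the text after the last ": " on the
    # matching line. Select-String is case-insensitive by default.
    $hit = Select-String -Path $Path -Pattern ("^" + [regex]::Escape($Header) + ":") | Select-Object -First 1
    if (-not $hit) { return $null }     # the relay line is absent when the level is 0.0.0
    return ($hit.Line -split ': ')[-1].Trim()
}

$client = Get-MastheadLevel -Path $Masthead -Header 'x-bes-minimum-supported-client-level'
$relay  = Get-MastheadLevel -Path $Masthead -Header 'x-bes-minimum-supported-relay-level'

$clientText = if ($client) { $client } else { 'not set (0.0)' }
$relayText  = if ($relay)  { $relay }  else { 'not set (0.0.0)' }

# What the page says each level implies: 9.0 discards unsigned reports and uploads;
# 9.5.6 requires signed registration requests carried over HTTPS.
[pscustomobject]@{
    MinimumSupportedClient        = $clientText
    MinimumSupportedRelay         = $relayText
    UnsignedReportsDiscarded      = [bool]$client -and ([version]$client -ge [version]'9.0')
    SignedHttpsRegistrationForced = [bool]$relay  -and ([version]$relay  -ge [version]'9.5.6')
}
```

Because the relay header line is omitted entirely at 0.0.0, a missing line and a present line must be treated differently; the function returns $null for the former so the caller can tell "not set" apart from a parse failure.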
- propagateAllOperatorSites
- This service forces the server to propagate a new version of every operator site. This command is useful after a server migration because it ensures that the data are available for clients to gather and prevents gather failures. This is the command syntax:
.\BESAdmin.exe /propagateAllOperatorSites
- propertyidmapper
- This service creates, updates, and deletes a table (PropertyIDMap) in the BFEnterprise database that maps retrieved property names to the SiteID, AnalysisID, and PropertyID used to reference properties in the QUESTIONRESULTS and LONGQUESTIONRESULTS tables. It creates the PropertyIDMap table if it does not exist (requires table creation permissions). This service must be run after creating or deleting a property to update the PropertyIDMap table with the changes.
The general syntax of this service is the following:
.\BESAdmin.exe /propertyidmapper { /displaysettings | /run [property_idmapper_options] | /schedule [property_idmapper_options] [scheduling options] }
The syntax of this service changes depending on the action you specify:
.\BESAdmin.exe /propertyidmapper /displaysettings
.\BESAdmin.exe /propertyidmapper /run [ /createtable ] [ /removetable ] [ /lookupproperty=<propertyname> ] [ /hideUI ]
.\BESAdmin.exe /propertyidmapper /schedule [ /createtable /starttime=<yyyymmdd:hhmm> [ /interval=<hours> ] | /disable ]
where:
- displaysettings shows the settings that were previously set with the schedule action.
- run runs the tool with the specified settings. Use the /hideUI option to avoid pop-up windows notifying action results.
- schedule schedules the tool to run at the specified time and at each specified interval. To disable the scheduled run, use the disable option.
For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
- removecomputers
- The service runs database operations for the following sets of data:
- Expired Computers (/deleteExpiredComputers): Marks computers as deleted if they have not reported in recently.
- Deleted Computers (/purgeDeletedComputers): Physically deletes the computer-related data from the database for computers that are already marked as deleted and have not reported in for a long time. It deletes the data related to an agent (such as the action results, the properties, and so on), not the agent itself, which remains logically deleted (IsDeleted = 1) in the database. Therefore, if the same agent becomes active again, it is recognized and reuses its previous computer ID.
- Duplicate Computers (/deleteDuplicatedComputers): Marks older computers as deleted if a computer exists with the same computer name.
- Removal of deleted Computers (/removeDeletedComputers): Physically deletes the computer information from the database for computers that have been marked as deleted (IsDeleted = 1) for at least the indicated number of days (minimum 7) or the indicated number of hours (minimum 24). It deletes the information of the agent itself (such as the computer ID, and so on). Therefore, if the same agent becomes active again, a totally new computer ID is assigned to the agent.
- Removal of uploaded Files (/removeDeletedUploads): Physically removes from the database the definition of uploaded files that are marked as deleted. It does not apply to non-native agents.
- Removal of uploaded files of removed computers (/eraseUploadFilesForRemovedComputers): Physically removes from the BigFix server file system all files uploaded by clients whose definition has been removed from the database. It does not apply to non-native agents.
- Removal of Computers by name (/removeComputersFile): Accepts a text file with a list of computer names, separated by new lines, and removes them from the deployment.
Depending on the action you specify, the syntax changes as follows:
.\BESAdmin.exe /removecomputers { /displaySettings [display_settings_options] | /run [remove_computers_options] | /schedule [remove_computers_options] [scheduling options] | /preview [remove_computers_options] [preview options] }
.\BESAdmin.exe /removecomputers /displaySettings [ /name=<TaskName> ]
.\BESAdmin.exe /removecomputers /run [ /deleteExpiredComputers=<days> ] [ /removeDeletedComputers=<days> ] [ /removeDeletedUploads ] [ /eraseUploadFilesForRemovedComputers ] [ /purgeDeletedComputers=<days> ] [ /deleteDuplicatedComputers [ /duplicatedPropertyName=<PropertyName> ] ] [ /removeComputersFile=<path> ] [ /batchSize=<batch size> ] [ /hideUI ]
.\BESAdmin.exe /removecomputers /schedule [ [ /name=<TaskName> ] [ /agentType=<AgentType> ] [ /deleteExpiredComputers=<days> ] [ /purgeDeletedComputers=<days> ] [ /removeDeletedComputers=<days> ] [ /removeDeletedUploads ] [ /eraseUploadFilesForRemovedComputers ] [ /deleteDuplicatedComputers [ /duplicatedPropertyName=<PropertyName> ] ] [ /batchSize=<batch size> ] [ /removeStartTime=<YYYYMMDD:HHMM> [ /removePeriodicInterval=<Hours> ] ] | [ /disable -name=<TaskName> ] | [ /delete -name=<TaskName> ] | [ /list ] | [ /update [ /name=<TaskName> ] [ /deleteExpiredComputers=<days> ] [ /purgeDeletedComputers=<days> ] [ /removeDeletedComputers=<days> ] [ /removeDeletedUploads ] [ /eraseUploadFilesForRemovedComputers ] [ /deleteDuplicatedComputers [ /duplicatedPropertyName=<PropertyName> ] ] [ /batchSize=<batch size> ] [ /removeStartTime=<YYYYMMDD:HHMM> [ /removePeriodicInterval=<Hours> ] ] ] ]
.\BESAdmin.exe /removecomputers /preview [ [ /deleteExpiredComputers=<days> ] [ /removeDeletedComputers=<days> ] [ /removeDeletedUploads ] [ /eraseUploadFilesForRemovedComputers ] [ /purgeDeletedComputers=<days> ][ /deleteDuplicatedComputers [ /duplicatedPropertyName=<PropertyName> ] ] | [ /scheduled ] [ /name=<TaskName> ] ]
where:
- displaySettings shows the settings that were previously set with the schedule action.
- run runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using the preview action. Use the /hideUI option to avoid pop-up windows that notify the action results.
- schedule schedules the tool to run at the specified time and at each specified interval. To disable the scheduled run, use the disable option.
- preview shows the number of database rows that are affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the scheduled option to preview the scheduled settings.
Note: When using the /removeDeletedComputers option, the number of days must be not less than 7 or the number of hours must be not less than 24.
For information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
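The PowerShell below is an added example, not part of the BigFix documentation: it removes decommissioned computers by name from a CMDB export via /removeComputersFile, then creates a named schedule whose /removeDeletedComputers value is validated against the 7-day minimum stated above before BESAdmin is called. The default BESAdmin.exe path, the CSV layout (a ComputerName column; the sample rows are constructed), the task name and the day values are our own choices.

```powershell
# Added example, not part of the BigFix documentation: remove decommissioned computers
# by name, then schedule a recurring cleanup that honours the 7-day minimum for
# /removeDeletedComputers. Assumed: default BESAdmin.exe path, a CSV with a
# ComputerName column (constructed below), and a task name of our own choosing.
$BesAdmin = "$env:ProgramFiles\BigFix Enterprise\BES Server\BESAdmin.exe"
$listPath = Join-Path $env:TEMP 'decommissioned-computers.txt'

function Invoke-BesAdmin([string[]]$Arguments) {
    # GUI program: wait for it instead of letting '&' return immediately.
    (Start-Process -FilePath $BesAdmin -ArgumentList $Arguments -Wait -PassThru -NoNewWindow).ExitCode
}

# Constructed sample input; in practice: Import-Csv .\decommissioned.csv
$decom = @'
ComputerName,DecommissionedOn
WS-0042,2024-03-01
SRV-DB-07,2024-03-02
 ws-0042 ,2024-03-03
,2024-03-04
'@ | ConvertFrom-Csv

# One trimmed name per line, no blanks, de-duplicated case-insensitively: a bulk
# delete should only ever see the exact list the operator reviewed.
$names = @($decom.ComputerName | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
if ($names.Count -eq 0) { throw 'No computer names to remove' }
[System.IO.File]::WriteAllLines($listPath, [string[]]$names)
Write-Host "Removing $($names.Count) computer(s): $($names -join ', ')"

$rc = Invoke-BesAdmin @('/removecomputers', '/run', "/removeComputersFile=`"$listPath`"", '/hideUI')
if ($rc -ne 0) { throw "removecomputers /run returned $rc" }

# Recurring housekeeping: mark machines silent for 90 days as deleted, then purge the
# agent records of machines deleted for at least 30 days. Validate arguments here
# rather than discovering a rejected value when the scheduled run fires.
function New-RemoveComputersSchedule {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [int]$ExpireAfterDays = 90,
        [int]$RemoveDeletedAfterDays = 30,
        [Parameter(Mandatory)][string]$StartTime,   # YYYYMMDD:HHMM, per the syntax above
        [int]$IntervalHours = 24
    )
    if ($RemoveDeletedAfterDays -lt 7) { throw "/removeDeletedComputers must be >= 7 days, got $RemoveDeletedAfterDays" }
    if ($StartTime -notmatch '^\d{8}:\d{4}$') { throw 'StartTime must be YYYYMMDD:HHMM' }
    Invoke-BesAdmin @(
        '/removecomputers', '/schedule', "/name=$TaskName",
        "/deleteExpiredComputers=$ExpireAfterDays",
        "/removeDeletedComputers=$RemoveDeletedAfterDays",
        '/removeDeletedUploads', '/eraseUploadFilesForRemovedComputers',
        '/batchSize=2000', "/removeStartTime=$StartTime", "/removePeriodicInterval=$IntervalHours"
    )
}

$rc = New-RemoveComputersSchedule -TaskName 'NightlyStaleHosts' -StartTime '20240401:0200'
if ($rc -ne 0) { throw "removecomputers /schedule returned $rc" }
```

Note that /removeComputersFile is not among the /preview options in the syntax above, so the printed list is the only review step for the by-name removal; keep the generated file with the change record.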
- reportencryption
- You can generate, rotate, enable, and disable encryption for report messaging by running:
.\BESAdmin.exe /reportencryption { /status | /generatekey [/privateKeySize=<min|max>] [/deploynow=yes | /deploynow=no /outkeypath=<path>] /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<password>] | /rotatekey [/privateKeySize=<min|max> ] [/deploynow=yes | /deploynow=no /outkeypath=<path> ] /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<password>] | /enablekey /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<password>] | /disable /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<password>] }
where:
- status
- Shows the status of the encryption and which arguments you can use for that status.
- generatekey
- Allows you to generate a new encryption key.
- rotatekey
- Allows you to change the encryption key.
- enablekey
- Allows you to enable the encryption key.
- disable
- Allows you to put the encryption key in PENDING state. If you run the reportencryption command with the disable argument again, the encryption changes from PENDING state to DISABLED.
- deploynow=yes
- Deploys the report encryption key to the server for decryption.
- deploynow=no /outkeypath=<path>
- The encryption key is not deployed to the server but is saved in the outkeypath path. This file is the key the server uses to decrypt client reports; protect it as you would the site key.
- resetDatabaseEpoch
- Clears all console cache information in BigFix Enterprise Service. The syntax to run this service is:
.\BESAdmin.exe /resetDatabaseEpoch
After you run this command, subsequent console logins reload their cache files.
- resignsecuritydata
- You must resign all of the users' content in the database by entering the following command if you get one of the following errors when trying to log in to the BigFix console:
class SignedDataVerificationFailure
HTTP Error 18: An unknown error occurred while transferring data from the server
.\BESAdmin.exe /resignSecurityData
This command resigns security data by using the existing key file. You can also specify the following parameter:
/mastheadLocation=<path+/actionsite.afxm>
The complete syntax to run this service is:
.\BESAdmin.exe /resignsecuritydata /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<password> ] /mastheadLocation=<path+/actionsite.afxm>
- revokeexplorercredentials
- Use this service to revoke the BigFix Explorer certificate associated to the given hostname. Use the following syntax to run the command:
.\BESAdmin.exe /revokeexplorercredentials /sitePvkLocation:<path+license.pvk> /sitePvkPassword:<password> /explorerHostname:<BigFixExplorerHostnameOrIP>
If an authentication certificate is issued for the specified explorerHostname, this certificate is revoked and the BigFix Explorer instance running on that host can no longer connect to the root server. You can then either remove the BES Explorer installation, or generate new credentials for that host and replace the old certificate files on that host.
- revokewebuicredentials
- You can revoke the authentication certificate of a specified WebUI instance. The syntax to run this service is:
.\BESAdmin.exe /revokewebuicredentials /hostname=<host> /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<pvk_password>
If an authentication certificate is issued for the specified hostname, this certificate is revoked and the WebUI instance running on that host can no longer connect to the root server. You can then either remove the WebUI installation, or generate new credentials for that host and replace the old certificate files on that host.
- rotateexplorercredentials
- Use this service to rotate one BigFix Explorer certificate associated to the given hostname, or the whole BigFix Explorer CA. Use the following syntax to run the command:
.\BESAdmin.exe /rotateexplorercredentials /sitePvkLocation:<path+license.pvk> /sitePvkPassword:<password> /explorerCertDir:<path> /explorerHostname:<BigFixExplorerHostnameOrIP> | /rotateCA
You can rotate one BigFix Explorer certificate, by hostname, if the certificate associated to that hostname was compromised. The files of the new certificate are copied into the <explorerCertDir> path.
Or you can rotate the BigFix Explorer Certificate Authority and all BigFix Explorer certificates. The files of the new certificates are copied into a new dedicated folder, in the <explorerCertDir> path, for each BigFix Explorer instance that had a not yet revoked certificate before the command was run:
.\BESAdmin.exe /rotateexplorercredentials /sitePvkLocation:<path+license.pvk> /sitePvkPassword:<password> /explorerCertDir:<path> /rotateCA
The command will:
- Stop the Root Server.
- Revoke each BigFix Explorer certificate created until that moment.
- Delete the ExplorerCACertificate and ExplorerCAKey files on the Root Server and in the Admin Fields database table.
- Start the Root Server, which recreates the files and entries of the previous point.
- Recreate all the certificates for the previous BigFix Explorer instances.
Because the Root Server is stopped and restarted, plan a CA rotation in a maintenance window, and distribute the regenerated certificate files to every Explorer host afterwards; until then those instances cannot connect.
- rotateserversigningkey
- You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key. The syntax to run this service is:
.\BESAdmin.exe /rotateserversigningkey /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<password> ]
- securitysettings { /status }
- You can view the status of the security settings set in your BigFix environment. The syntax to run this service is:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> { /status }
- securitysettings { /requireSHA384Signatures [ /requireSHA256Downloads ] }
- You can enable the security option that adopts the SHA-384 cryptographic digest algorithm for all digital signatures. With the optional /requireSHA256Downloads you can also ensure that data has not changed after you download it, using the SHA-256 algorithm. The syntax to run this service is:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> { /requireSHA384Signatures [/requireSHA256Downloads] }
- securitysettings { /allowSHA256Signatures | /requireSHA256Downloads | /allowSHA1Downloads }
- Depending on the option, you can ensure that the file download integrity check is run using the SHA-256 algorithm, that data has not changed after you download it using the SHA-256 algorithm, or that the file download integrity check is run using the SHA-1 algorithm. The syntax to run this service is:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> { /allowSHA256Signatures | /requireSHA256Downloads | /allowSHA1Downloads }
- securitysettings { /hideFromFieldFromMasthead | /showFromFieldFromMasthead }
- You can specify whether to show or hide the value displayed by the From field in the masthead, which contains the email address of the license assignee. During a fresh installation the value is hidden and the option "hideFromFieldFromMasthead" is set to 1. During an upgrade the value remains unchanged. The syntax to run this service is:
.\BESAdmin.exe /securitysettings { /hideFromFieldFromMasthead | /showFromFieldFromMasthead } [/sitePvkLocation=<path+license.pvk>] [/sitePvkPassword=<pvk_password>]
Note: You can modify the "hideFromFieldFromMasthead" option from the BESAdmin command line only. Doing it from the BESAdmin interface is not supported because the masthead is not regenerated when the setting is modified from the advanced settings panel of the interface.
- securitysettings { /testTLSCipherList | /setTLSCipherList | /listTLSCiphers | /removeTLSCipherList }
- To test if a TLS cipher list is compatible with the BigFix components, run the following command:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> /testTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>
After identifying a suitable TLS cipher list, you can set it by running the following command:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> /setTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>
To list all the TLS ciphers that are currently enabled, run the following command:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> /listTLSCiphers
To remove a TLS cipher list from the deployment masthead and return to the default cipher list, run the following command:
.\BESAdmin.exe /securitysettings /sitePvkLocation=<path+license.pvk> /sitePvkPassword=<password> /removeTLSCipherList
- securitysettings { /enableLocalOperators | /disableLocalOperators }
- You can specify whether to enable or disable the login to the BigFix environment (BigFix Console, Web Reports, REST API and WebUI) for local operators. The enabled/disabled choice is stored in the BFEnterprise database. After you disable the login of the local operators, access is granted only to LDAP users. The syntax to run this service is:
.\BESAdmin.exe /securitysettings { /enableLocalOperators | /disableLocalOperators } [/sitePvkLocation=<path+license.pvk>] [/sitePvkPassword=<pvk_password>]
Note: The local operators are enabled by default.
Note: When trying to disable the local operators, if the "REST API credentials for BES Server Plugin Service" are set and the configured user is a local operator, an error message is displayed and the option is not set.
Note: When trying to disable the local operators, if the "SOAP API credentials for BES Server Plugin Service" are set, a non-blocking warning message is displayed and the option is set.
- setcontrolflowguard
- You can use this service to overwrite the Microsoft Control Flow Guard (CFG) system enablement for the program specified by the /binaryName parameter, where <programName.exe> is one of the following BigFix Server executables:
- BESAdmin.exe
- BESRootServer.exe
- FillDB.exe
- GatherDB.exe
These are the only BigFix binaries built with the required Microsoft Control Flow Guard (CFG) build options; a request to enable CFG for a binary that was not built with the correct flag is ignored by the Windows OS.
The syntax to run this service is:
.\BESAdmin.exe /setcontrolflowguard { /enable | /disable | /remove } { /all | /binaryName=<programName.exe> } [/hideUI]
- The /enable and /disable parameters overwrite the Windows OS system settings; the /remove parameter removes an overwrite previously set.
- When passing the /all parameter, the command changes the Microsoft Control Flow Guard (CFG) enablement of all the BigFix Server executables described above.
- Use the /hideUI option to avoid pop-up windows notifying action results.
For more details about the Microsoft Control Flow Guard (CFG), see Enabling Microsoft Control Flow Guard on BigFix Server.
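As an added verification step (example script, not part of BESAdmin or the BigFix documentation), the following PowerShell reads back the per-image CFG mitigation policy for the four binaries listed above, so an administrator can confirm the effect of /setcontrolflowguard before and after running it. It assumes Windows 10 / Windows Server 2016 or later, where the built-in ProcessMitigations module provides Get-ProcessMitigation, and assumes that the override written by /setcontrolflowguard is visible through that per-image policy.

```powershell
# Added verification helper; not BESAdmin code and not from the BigFix docs.
# Assumes Windows 10 / Server 2016 or later (ProcessMitigations module ships
# with Windows) and an elevated PowerShell prompt.
# These are the four image names this topic lists for /setcontrolflowguard;
# Get-ProcessMitigation -Name is keyed by image name, like /binaryName.
$BigFixCfgBinaries = @('BESAdmin.exe', 'BESRootServer.exe', 'FillDB.exe', 'GatherDB.exe')

function Get-BigFixCfgStatus {
    param([string[]]$ImageName = $BigFixCfgBinaries)

    foreach ($name in $ImageName) {
        # Per-image mitigation policy for this executable name. Assumption: the
        # CFG override set by /setcontrolflowguard /enable|/disable shows up
        # here as ON/OFF, and /remove returns it to NOTSET (system default).
        $policy = Get-ProcessMitigation -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Binary    = $name
            CfgEnable = if ($policy) { [string]$policy.CFG.Enable } else { 'query failed' }
        }
    }
}

# Run once before and once after the BESAdmin command and compare the two tables.
Get-BigFixCfgStatus | Format-Table -AutoSize
```

A value of NOTSET means no per-image override exists and the Windows system-wide CFG setting applies; ON or OFF indicates an explicit per-binary override.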
- setproxy
- If your enterprise uses a proxy to access the Internet, you must set a proxy
connection to enable the BigFix server to
gather content from sites and to do component-to-component communication or
to download files.
For information about how to run the command and about the values to use for each argument, see Setting a proxy connection on the server.
- setsqlserverparallelism
- You can use this service to change a few SQL Server configuration parameters
on your database instance for a more effective use of multiple CPU cores.
You can pass "auto" as the parameter value to let BESAdmin calculate and set an appropriate value for the parameter. The syntax to run this service is:
.\BESAdmin.exe /setsqlserverparallelism { [ /maxdop={<integer>|"auto"} ] [ /ctfp={<integer>|"auto"} ] }
You need to specify one or more of the following parameters:
/maxdop={<integer>|"auto"} specifies the MaxDop value.
/ctfp={<integer>|"auto"} specifies the CTFP value.
The value set for MaxDop and CTFP must be a natural number (an integer >= 0).
To run this command, you must have either the sysadmin or the serveradmin server role permissions on the database.
- syncmastheadandlicense
- When you upgrade this product, you must use this option to synchronize the
updated license with the masthead and resign all content in the database
with SHA-384. Use the /hideUI option to avoid pop-up windows notifying
action results.
The syntax to run this service is:
.\BESAdmin.exe /syncmastheadandlicense /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<pvk_password>] [/hideUI]
- updatepassword
You can modify the password that is used for authentication by product components in specific configurations.
The syntax to run this service is:
.\BESAdmin.exe /updatepassword /type=<server_db|dsa_db> [/password=<password>] /sitePvkLocation=<path+license.pvk> [/sitePvkPassword=<pvk_password>]
where:
- type=server_db
- Specify this value to update the password that is used by the
server to authenticate with the database.
If you modify this value, the command restarts all the BigFix server services.
- type=dsa_db
- Specify this value to update the password that is used in a DSA configuration by a server to authenticate with the database.
/password and /sitePvkPassword are optional. If they are not specified in the command syntax, their values are requested interactively at run time. The password set by this command is obfuscated.