HCLSoftware U Certified Professional-BigFix Platform 1 Questions and Answers
While testing a new Task with the following Action Script you discover that line 5 of the Action Script always fails.
Which of the following reasons is the cause of this error?
Options:
append file is not a valid keyword.
append file can only be moved once per action.
append file cannot be copied to c:\runme.bat because c:\runme.bat already exists.
wait hidden can only be used once per action.
Answer:
C
Explanation:
Here is a step by step comprehensive explanation of why this is the case:
- The Action Script you are testing is trying to stop, start, and execute a service using batch commands.
- The first line of the script uses the “appendfile” command to create a new file with the content “net stop myService”.
- The second line of the script uses the “move” command to rename the file created by “appendfile” to “c:\runme.bat”.
- The third line of the script uses the “waithidden” command to execute the file “c:\runme.bat” and wait for it to finish.
- The fourth line of the script uses the “appendfile” command again to create a new file with the content “net start myService”.
- The fifth line of the script uses the “move” command again to rename the file created by “appendfile” to “c:\runme.bat”.
- The sixth line of the script uses the “waithidden” command again to execute the file “c:\runme.bat” and wait for it to finish.
- The error occurs at the fifth line of the script because the file created by “appendfile” cannot be moved to “c:\runme.bat”: that file already exists from the second line, and in BigFix Action Script the “move” command fails when the destination file already exists.
- To fix this error, you can either delete the file “c:\runme.bat” before using “appendfile” again, or use a different file name for the second “appendfile” command.
Some references that support this explanation are:
- BigFix Action Script guide: 1
- BigFix Action Script reference: 2
- BigFix Action Script examples: 3
- BigFix Action Script best practices: 4
Which BigFix platform component continuously assesses the state of the computer against all subscribed content?
Options:
BigFix Client
BigFix Root Server
BigFix Relay
BigFix Console
Answer:
A
Explanation:
- A BigFix Client is a software agent that is installed on every computer that must be managed by the BigFix platform [1].
- The BigFix Client continuously assesses the state of the computer against all subscribed content, which includes policies, checklists, and remediation tasks [1][2].
- The BigFix Client communicates with its parent, which can be either the BigFix Server or a BigFix Relay, to report its status and receive new content [1][3].
- The BigFix Client performs most of the analysis, processing, and enforcement work locally, reducing the workload and bandwidth usage of the BigFix Server [1][4].
- The BigFix Client operates with less than 10 megabytes of RAM and can run on various operating systems, such as Windows, Linux, UNIX, and Mac OS [1].
References:
- 1: BigFix Platform
- 2: Learning about SCAP
- 3: Relays and Servers
- 4: BigFix Architecture
- : Client requirements
During a BigFix platform upgrade, which of the following version rules must be respected for the various components?
Options:
server version = relay version = client version
server version < relay version >= client version
server version >= relay version <= client version
server version >= relay version >= client version
Answer:
D
Explanation:
- To upgrade the BigFix platform components, you need to follow the recommended order and the version rules as documented in the Upgrade Paths and the BigFix Upgrade Best Practices.
- The recommended order of upgrading the components is as follows: [1]
- The version rules for the components are as follows: [1][2]
References:
- 1: Upgrade paths for BigFix 10 - HCL Product Documentation
- 2: Upgrading on Windows systems - HCL Product Documentation
- 3: BigFix Wiki - BigFix Upgrade Best Practices
An administrator is planning a BigFix deployment where 4,000 endpoints will be managed. The BigFix platform components will be installed using the default ports on the servers as follows:
• Server1 - BigFix Root Server, BigFix Client, database, Web Reports, and the WebUI
• Server2 - BigFix Client and Relay
• Server3 - BigFix Client and Relay
Which of the following ports must be opened by the network team? (Choose two.)
Options:
3443
3033
53211
52311
9031
Answer:
D, E
Explanation:
- The default port used by BigFix for communication between servers, relays, and clients is 52311 [1][2]. This port must be unblocked for TCP/IP and UDP traffic on all internal routers and firewalls [1]. Therefore, option D is correct.
- The default port used by BigFix WebUI for communication on HTTPS is 9031 [3]. This port must be opened to allow access to the WebUI from a web browser. Therefore, option E is correct.
- The other ports listed are not used by BigFix by default, and can be ignored or changed during installation. Therefore, options A, B, and C are incorrect.
References:
- Network configuration requirements
- Modifying port numbers
- Network Port Conflicts
A BigFix Administrator will be performing an upgrade in a Distributed Server Architecture (DSA) environment.
Which of the following steps should be taken during this upgrade process?
Options:
Run the BigFix Server upgrade on the secondary servers first, then upgrade primary server.
Run the BigFix Server upgrade on the primary and secondary servers at the same time.
Run the BigFix Server upgrade on the primary server first, then upgrade the secondary servers.
Run the BigFix Server upgrade on the secondary servers first, then take action on the DSA Upgrade Fixlet.
Answer:
C
Explanation:
To upgrade a DSA environment, the following steps are required:
- Run the BigFix Server upgrade on the primary server first, following the manual upgrade instructions [1].
- Verify that the primary server is upgraded successfully and that all the services are running.
- Run the BigFix Server upgrade on the secondary servers, one at a time, following the same manual upgrade instructions [1].
- Verify that the secondary servers are upgraded successfully and that all the services are running.
- Verify that the DSA replication is working properly and that the data is consistent across all the servers.
References:
- Manual upgrade - HCL Product Documentation
- BigFix Wiki - BigFix Upgrade Best Practices
- Deploy newer version of BigFix Server on DSA, viable?
A single BigFix Enterprise Server can support up to how many endpoints?
Options:
5,000
200,000
500
300,000
Answer:
D
Explanation:
- A BigFix Enterprise Server (BES) is the central component of the BigFix architecture that manages and communicates with the BigFix agents and relays [1].
- The BES consists of several subcomponents, such as the root server, the console, the web reports, the web UI, and the server API [1].
- The BES can support up to 300,000 endpoints in a single deployment, depending on the hardware configuration, network bandwidth, and workload [2].
- The BES capacity planning document provides guidelines and recommendations for sizing and scaling the BES components based on various factors, such as cores, memory, network, storage, cloud, and concurrent users [2].
- The BES capacity planning document also provides examples of typical deployments and best practices for optimizing the BES performance and stability [2].
References:
- BigFix Platform Overview
- BigFix Capacity Planning
How is the Site Administrator key generated?
Options:
It is generated during installation.
It is generated through the BigFix License Portal.
It is generated by BigFix Support and attached to your license.
It is generated at the command line using openssl.
Answer:
A
Explanation:
- The Site Administrator key is a private key that is used to perform site-level tasks such as setting global system options, editing mastheads, and administering Distributed Server Architecture (DSA) [1].
- The Site Administrator key is generated during the installation of the BigFix Server, when the site administrator is prompted to enter a password to encrypt the key [2].
- The Site Administrator key is stored in a file named license.pvk in the BigFix Enterprise\BES Server folder on the BigFix Server [3].
- The Site Administrator key is required to run the BESAdmin.exe tool, which is used to manage the BigFix Server configuration and settings.
- The Site Administrator key is also required to create the masthead file, which is a file that contains the digital signature and configuration information of the BigFix deployment.
- The Site Administrator key is different from the Master Operator key, which is used to access the BigFix Console and create other operators.
References:
- 1: The Site Administrator
- 2: Admin site key for installation
- 3: Site administrator responsibilities
- : Using the BESAdmin Tool
- : Creating the Masthead
- : BigFix Site Administrator and Console Operators
Which of the following protocols is used to notify BigFix Clients of new content?
Options:
TCP
UDP
ICMP
ISMTP
Answer:
B
Explanation:
- BigFix Clients are the endpoints that run the BigFix Agent software and communicate with the BigFix Server or Relays.
- BigFix Clients periodically check for new content from the BigFix Server or Relays, such as Fixlets, Tasks, Actions, or Analyses.
- The default interval for checking new content is 15 minutes, but this can be configured by the BigFix Administrator.
- To reduce the network traffic and latency, BigFix also uses a notification mechanism to inform the BigFix Clients of new content as soon as possible.
- The notification mechanism uses the UDP protocol, which is a connectionless and lightweight protocol that does not require a handshake or acknowledgment.
- The BigFix Server or Relays send UDP packets to the BigFix Clients on port 52311, which is the default port for BigFix communication.
- The UDP packets do not contain any content, but only serve to notify the BigFix Clients that there is something new for them to gather.
- Upon receiving a UDP notification, the BigFix Client initiates a TCP connection to the BigFix Server or Relay to gather the new content over a secure and reliable channel.
- The UDP notification mechanism can be enabled or disabled by the BigFix Administrator, and it can also be configured to use different ports or multicast addresses.
References:
- BigFix Architecture
- BigFix Client Settings
- BigFix Notification Guide
How can the Relay Diagnostics page be secured?
Options:
Set the client setting _BESRelay_Diagnostics_Disable to a value of 1.
Configure the relay proxy to only allow internal connections.
Create an .htaccess file to redirect the diagnostics url.
Assign a value to the _BESRelay_Diagnostics_Password client setting.
Answer:
D
Explanation:
- Starting from V9.5.6, the relay diagnostics page is disabled by default and can be protected by a password when enabled.
- To enable the relay diagnostics page, you need to set the client setting _BESRelay_Diagnostics_Enable to a value of 1 on the relay computer. You can do this using the BigFix Console, the registry editor, or a custom fixlet or task.
- To protect the relay diagnostics page with a password, you need to assign a value to the _BESRelay_Diagnostics_Password client setting on the relay computer. You can do this using the same methods as above.
- After setting the _BESRelay_Diagnostics_Password, the URL to the relay diagnostics page must use the https protocol instead of http, otherwise the browser will show the “403 forbidden” error and the relay diagnostics page will not display.
- To access the relay diagnostics page, open a browser and type in the address field: https:// :52311/rd or https:// :52311/RelayDiagnostics, where is the address of the workstation where the relay that you want to check is installed. You will be prompted to enter the password that you set for the _BESRelay_Diagnostics_Password client setting.
- On the relay diagnostics page, you can gather information about your environment settings, relay status, console user authorization, site gathering, and client registration.
References:
- Relay and Server diagnostics
- How can I enable “_BESRelay_Diagnostics_Enable” = “1”
- Relay diagnostics
A request has been made by management to create a property so that managed endpoints can be associated with specific patching groups based on the host name. How is a new retrieved property created in BigFix?
Options:
This property is created by a Master Operator in an Analysis and stored in the BES Support site.
From the BigFix Console, select Computers, choose the target computer(s) from the list, then right-click and select Edit Computer Settings from the context menu.
From the WebUI, select Devices, select the Manage Computer Properties button, then click Add New and enter the property name and valid Relevance expression.
From the BigFix Console, select Manage Properties from the Tools menu, click Add New, then enter a name for the property and valid Relevance expression.
Answer:
D
Explanation:
To create a new retrieved property in BigFix, the following steps are required:
- From the BigFix Console, select Manage Properties from the Tools menu. The Manage Properties dialog is displayed.
- You can filter the properties by using the left filter panel to select a subset of the properties to view on the right. If you cannot find what you want in this list, create a new property: click Add New, then enter a name for the property and a valid Relevance expression. This can access hardware characteristics, registry entries, and even data in specific files on the client computers.
- After you define the new property, the Clients automatically compute the value of the corresponding relevance expression and return it to the Database. Click the OK button.
- The new property will be available in the column headers of computer listings, allowing you to sort and filter on its values. It can also be used to target Fixlet actions and generate Web Reports.
References:
- Creating Retrieved Properties
- Adding new properties under “By retrieved properties”
Which of the following statements regarding Baselines are true? (Choose two.)
Options:
Baseline components are pointers to their corresponding source Fixlets.
Baseline components can get out of synchronization with their source Fixlets.
Baselines can only be created by Master Operators.
Baselines cannot include more than 100 components.
Baselines can include other Baselines as components.
Answer:
A, B
Explanation:
- Baselines are collections of Fixlet messages and Tasks that can be deployed to a group of endpoints with a single command.
- Baseline components are pointers to their corresponding source Fixlets or Tasks, which means that they do not contain the actual content, but only reference the original source.
- Baseline components can get out of synchronization with their source Fixlets or Tasks, which means that the source content may change or become obsolete, while the Baseline component remains unchanged. This can cause issues such as incorrect relevance, missing downloads, or failed actions.
- To avoid these issues, Baseline components should be synchronized with their source Fixlets or Tasks regularly, either manually or automatically. Synchronization updates the Baseline components with the latest content from the source Fixlets or Tasks, and also removes any components that are no longer available or relevant.
- Baselines can be created by any user who has the permission to create content in a custom site. This includes Master Operators, who have full permissions to manage all aspects of the BigFix environment, as well as Non-Master Operators, who have limited permissions to manage specific sites or domains.
- Baselines can include more than 100 components, but this is not recommended for performance and usability reasons. The optimal number of components for a Baseline depends on various factors, such as the size of the deployment, the complexity of the content, the frequency of the updates, and the network bandwidth. Generally, it is advisable to keep the Baseline components as few and simple as possible, and to group them logically by function or category.
- Baselines can include other Baselines as components, which allows for creating nested or hierarchical Baselines. This can be useful for organizing and managing complex or large-scale deployments, such as patching multiple operating systems or applications. However, nesting Baselines also adds more layers of complexity and potential synchronization issues, so it should be done with caution and proper planning.
References:
- Introducing Baselines
- Creating or Customizing Baselines
- Baselines
Where is all the data stored that is retrieved by the BigFix Client?
Options:
On the BigFix server
In the BigFix database
On the local endpoint
On the relay server that manages the endpoint
Answer:
B
Explanation:
- To reconfigure a proxy server on a Windows BigFix Root server, the administrator needs to run the command BESAdmin.exe /setproxy from the BES Server folder with the appropriate parameters [1].
- The command BESAdmin.exe /setproxy allows the administrator to edit the proxy configuration settings after installation by specifying the proxy host, port, user, password, exception list, secure tunneling, authentication methods, and downstream notification [1].
- The command BESAdmin.exe /setproxy can also be used to delete the existing proxy settings by using the /delete parameter [1].
- The command BESAdmin.exe /setproxy is only available on Windows systems. On Linux systems, the equivalent command is BESAdmin.sh -setproxy [2].
References:
- Setting a proxy connection on the server - HCL Product Documentation
- Configuring the proxy - HCL Product Documentation
What is the default port used for BigFix Web Reports to connect?
Options:
Port 443
Port 52311
Port 8083
Port 80
Answer:
C
Explanation:
According to the BigFix Platform documentation, the default port used for BigFix Web Reports to connect is 8083, as of version 9.5.2. This is because the HTTPS configuration is automatically enabled on port 8083 when Web Reports is installed. If you want to use a different port or switch to HTTP configuration, you need to customize the Web Reports settings manually or using the BigFix Console [1][2].
The other options (A, B, and D) are not correct because:
- Port 443 is the default port for WebUI to use HTTPS, not Web Reports [3].
- Port 52311 is the default port for BigFix clients and relays to communicate with the BigFix server, not Web Reports [4].
- Port 80 was the default port for Web Reports in version 9.2.4 and earlier, but it was changed to avoid conflict with WebUI.
References:
- Installing Web Reports Standalone
- Customizing HTTPS on Web Reports
- Change Communication Ports
- Network Port Conflicts
- [BigFix Network Ports]
The BigFix Console must be accessed by a Master Operator to perform which of the following activities? (Choose two.)
Options:
To create and deploy Baselines.
To create and manage other Console operators.
To create custom Fixlets and Tasks in an external site.
To activate local analyses so that they only affect the computers that they manage.
To create a custom site.
Answer:
B, E
Explanation:
- The BigFix Console is a graphical user interface that allows you to interact with the BigFix Platform and perform various tasks, such as deploying actions, creating content, managing sites, and viewing reports [1].
- The BigFix Console operators are the users who can access the BigFix Console and perform different activities based on their permissions and roles [2].
- There are two types of Console operators: Master Operators (MO) and Non-Master Operators (NMO) [2].
- Master Operators are the administrative users of the BigFix Console. They have access to all the computers defined in the BigFix environment and the authority to create and manage other Console operators [2].
- Non-Master Operators are the users who manage the day-to-day BigFix operations, including Fixlet management and action deployment, against a subset of computers they are allowed to manage by the Master Operator [2].
- Some of the activities that can only be performed by a Master Operator are [2][3]:
- Some of the activities that can be performed by both Master Operators and Non-Master Operators are [2][3]:
References:
- The BigFix Console
- The Console Operators
- Accessing the console
The license.pvk file is used to authenticate which BigFix user?
Options:
The BigFix Site Administrator
All BigFix local operators
All BigFix Master Operators
All BigFix LDAP operators
Answer:
C
Explanation:
- The license.pvk file is the private key file that is part of the BigFix license. It is protected by a password that is set during the installation of the BigFix server.
- The license.pvk file is used to authenticate the BigFix Master Operators, who are the highest level of authority in the BigFix hierarchy. They can perform any action on any computer or site in the BigFix deployment.
- The license.pvk file is also used to sign the masthead file, which contains the configuration settings and the public key for the BigFix deployment. The masthead file is distributed to all BigFix components, such as clients, relays, and consoles, to verify the identity and authority of the BigFix server.
- The license.pvk file is not used to authenticate the BigFix Site Administrator, who is a special Master Operator that can manage the license and the masthead files. The Site Administrator uses the site admin password to access the license.pvk file and perform license-related tasks.
- The license.pvk file is not used to authenticate the BigFix local operators, who are the lower level of authority in the BigFix hierarchy. They can only perform actions on the computers and sites that are assigned to them by the Master Operators. The local operators use their username and password to log in to the BigFix console.
- The license.pvk file is not used to authenticate the BigFix LDAP operators, who are the local operators that are authenticated by an external LDAP server. They use their LDAP credentials to log in to the BigFix console.
References:
- Managing licenses
- Missing or Lost license.pvk file
- Check private key password - license.pvk
Which type of operators are allowed to create an analysis?
Options:
All Console Operators
Only Master Operators
Only Non-Master Operators
Only Console Operators with the Can Manage Analyses permission
Answer:
D
Explanation:
- An analysis is a custom content that allows operators to monitor and audit specific properties of the managed BigFix clients [1][2].
- To create an analysis, an operator needs to have the Can Manage Analyses permission, which grants the ability to create, edit, activate, and deactivate analyses [3].
- This permission can be assigned to any console operator, regardless of whether they are master or non-master operators [3].
- Therefore, the correct answer is D. Only console operators with the Can Manage Analyses permission are allowed to create an analysis.
References:
- Create Analysis - HCL Product Documentation
- Creating Analyses - HCL Product Documentation
- Operators and analysis - HCL Product Documentation
- [Operator Permissions - HCL Product Documentation]
What are the recommended scalability limits to consider when designing a WebUI server on BigFix v10.x?
Options:
WebUI supports up to 36 concurrent users on a maximum of 300,000 endpoints.
WebUI supports up to 20 concurrent users on a maximum of 300,000 endpoints.
WebUI supports up to 100 concurrent users on a maximum of 250,000 endpoints.
WebUI has no scalability limits and can support all concurrent users and endpoints as long as additional hardware is added.
Answer:
A
Explanation:
- The WebUI is a web-based interface that provides access to the flexibility and power of BigFix.
- The WebUI has some upper use limits that depend on many factors, such as the number of endpoints, the workload, the time of day, the server location, and the number of concurrent users.
- Concurrent users are defined as highly active users who perform multiple actions per minute on the WebUI.
- According to the BigFix Capacity Planning Guide, both the Windows and Linux WebUI instances support 36 concurrent users on a 250k deployment base. This is the recommended scalability limit for the WebUI server on BigFix v10.x.
- The WebUI also requires additional hardware resources, such as CPU, memory, and storage, to power the WebUI. These resources are in addition to the BigFix root server requirements and depend on the number of concurrent users.
- The WebUI also implements a database cache for several counters to improve the WebUI response times. The cache has a default refresh interval of 10 minutes.
References:
- Hardware Requirements
- WebUI Administrators Guide
- BigFix WebUI
Which of the following is the correct upgrade process when performing a BigFix Windows Root server upgrade that uses a remote database?
Options:
Upgrade the server installers using the Support Fixlets and run the server installer on the BigFix Server as a local administrator.
Upgrade using upgrade Fixlets from the console.
Upgrade the server installers and use the upgrade Fixlets from the BigFix Console.
Upgrade the server installers using the Support Fixlets and run the server installer on the BigFix Server as a user that has Sysadm permissions to the database server.
Answer:
D
Explanation:
According to the BigFix Platform documentation, the upgrade Fixlet in the Support site does not upgrade a remote server correctly. You must run the full BigFix server installer to perform the upgrade. Remote database setups might encounter problems during upgrade and require resetting database connection settings after manually running the BigFix Server installer [1].
The upgrade procedure is as follows:
- Upgrade the Server Installers using the Support Fixlets.
- Run the Server installer as a user that has DB Owner or SA permissions to the database server. The installer recognizes that the Server is at an earlier version and asks if you want to upgrade to the latest version.
- Run the BigFix Administrator Tool (BESAdmin.exe) to update the remote database tables; you will be prompted for the site admin password. Note: The BESAdmin.exe should be run automatically, if your account has the DB Owner or SA privileges to the remote database.
- The BigFix server is now correctly upgraded.
The other options (A, B, and C) are not correct because:
- Running the server installer as a local administrator does not guarantee that the user has the appropriate database permissions.
- Using the upgrade Fixlets from the console does not work for a remote server setup.
- Upgrading the server installers and using the upgrade Fixlets from the BigFix Console is redundant and unnecessary.
References:
- Upgrading a BigFix server with a remote database
- [BigFix Server Upgrade Guide]