Verifying Secure Hash Algorithm (SHA-256) readiness

BigFix version 9.1 uses the SHA-256 hashing algorithm to increase file exchange security. OS Deployment manages file exchange within the application flows using SHA-256.

From BigFix Version 9.1, all application-specific files are managed with SHA-256. All new files uploaded by the user (images, drivers, MDT Bundles etc.) and generated by the system after the installation of BigFix version 9.1 are created with the SHA-256 hashing information included, and are managed accordingly. The files that were uploaded and created on earlier BigFix versions, do not have the SHA-256 information. You can continue to use these files, but file exchange will not benefit from the improved security provided by SHA-256.

If the BigFix Server is configured to allow exchange of files in SHA-256 mode only, then it will no longer be possible to use files created with earlier versions of BigFix.

To verify SHA-256 readiness, the health check named "OS deployment Environment is SHA-256 compliant" scans for files that do not have SHA-256 information. The outcome of this check can result in a warning message indicating that some files are not SHA-256 compliant. You can start an action to calculate the missing SHA-256 information and to automatically update the affected files from the Resolution section of the health check. If the action does not update one or more files, you can display the file names for further problem determination. When the action completes successfully, the status changes to "Pass". In this case, a synchronization action is automatically started to update the hashing information on Bare Metal servers in the network.

If the BigFix server is configured to allow the exchange of files in SHA-256 mode only, a warning banner is also displayed in the OS Deployment dashboards, with an indication for the user if the SHA256 compliance health check status is not "Pass". Clicking on the banner opens the Health Checks dashboard from where you can start a remediation action.