Manage Configuration Drift
Overview and use case
A lack of visibility into device compliance can quickly escalate into device performance issues and employee frustrations, putting the broader organization at risk.
The Manage Configuration Drift pack allows you to track, detect and remediate devices in your landscape that have deviated from a defined compliance baseline.
An overview dashboard provides a high-level view of your overall compliance state. In contrast, four additional dashboards monitor the software, services, files and registry entries on every device in your estate, allowing you to drill down into the source of deviated configurations. You can then remediate any identified non-compliant devices using the automated or manual solutions included in the pack.
This pack is vital for Compliance Managers and EUC leads who wish to monitor the overall compliance of their estate. IT Service Desk teams can also greatly benefit from it by effortlessly carrying out necessary fixes at scale.
Video: Configuration Drift Management | Library Pack Overview
Pre-requisites
The pack requires two core components:
An XML file listing the required items to check for compliance must be made available on a shared file accessible by all machines that will run the checks.
The execution of the Get Configuration Drift remote action, which will perform the Compliance test.
This page includes example XML files you can use and customize to fit your organizational needs.
Pack Structure
The pack comprises the remote actions described above, several metrics related to the four dashboards described below and a Nexthink Score.
Understanding the Manage Configuration Drift Score
The Nexthink scoring technology allows for taking any returned data point from a device and translating it into an easily understood value between 0 and 10.
In the case of compliance, the outcome is binary: you are either compliant or non-compliant.
To reflect this, the Nexthink Score in this pack employs the following logic:
When running the remote action against a device registry, the score records the registry as non-compliant if any registry entry is found in that state. Non-compliant equals 0, compliant equals 10, and no values are possible in between (if the remote action is not run, the score is null and will not be counted).
The same principle applies when running the remote action against a device's file system or services: if any check against a file or service fails, the file system compliance is considered failed for that device, and a score of 0 is applied, with 10 for compliant (i.e., no errors)
These three checks are implemented as leaf nodes (i.e., child nodes) in the Nexthink score. There is a parent (Composite) node above, which is the minimum value of the child nodes. In practical terms, the logic is as follows: If child compliance tests fail, then the parent Compliance node is also marked as failed. In other words, if you are non-compliant in anything, you are non-compliant overall.
If the Nexthink Score Creator is used to modify the score, the structure is as follows:
Parent score:
Child score:
You can modify these values as needed.
Changelog
V1.0.0.0 - Initial release
Library Pack Setup Detailed Steps
An XML file with the criteria entered for the Services, Registry and Files\Folders must be made available on a shared network with permission for the remote action to access.
The remote action will access this XML file, examine the items specified, and display the results within the finder.
The Manage Configuration Drift library pack is underpinned by four remote actions reported within four intuitive dashboards.
Only the Get Configuration Drift Remote Action must be executed regularly. In contrast, the Set Windows Registry Key Value, Set Service Information, and Restart Service Remote Actions are not mandatory but can assist in remediation by allowing you to execute the required fix remotely.
If you need to run multiple XML files, you must duplicate the Get Config Drift Remote Action toenter the path to the alternative XML file.
Please note that the dashboards will be devoid of data until the remote actions have run.
Configuration XML file
This is an example of the syntax required for the configuration file that the Get Configuration Drift remote action requires for this pack to function.
Remote actions
Get Configuration Drift
This remote action carries out the examination and reporting of the items as listed within the XML file. The file must be available on a network share with permission for remote action access.
The path to the XML file will need to be entered in UNC format within the parameter ConfigurationFilePath within the remote action.
Set Windows Registry Key Value
This remote action can rectify any registry keys, values, or types identified as non-compliant by the Get Configuration Drift remote action. It can also modify and create a String, Binary, DWORD, or QWORD value on the Windows Registry. Parameters for RegistryKey, ValueName, Value, and ValueType must be entered within the remote action.
More details of this remote action can be found here. The remote action should be executed manually.
Set Service Information
This remote action enables modifying the status and startup type of one or more services identified as out of compliance by the Get Configuration Drift remote action. It is useful for enforcing the expected status of critical services (e.g., Antivirus, SCCM agent, core business applications, etc.) following corporate policies. Parameters for ServiceName, StatusChange, and SetStartTypeTo must be entered within the Remote Action.
More details of this remote action can be found here. The remote action should be executed manually.
Restart Service
This remote action can restart stopped services identified as out of compliance by the Get Configuration Drift remote action. Several services can be restarted within a single execution of the remote action.
The fields Display Name and Default Value under the ServiceName parameter must be completed within the Remote Action. The Description field is optional. The name of the service (i.e., spooler) is entered into the Default Value. Display Name field is the label for the Default Value field. This is useful if several devices need the same service restarted.
More details of this remote action can be found here. The remote action should be executed manually. When the Remote Action is executed, a prompt is displayed with the completed fields.
Dashboards
Overview dashboard
The overview dashboard contains a summary of your compliance status. Nexthink recommends aiming for a compliance score of 10. If you have any noncompliance present, consider investigating the details dashboard for that area (explained below) and correcting the issue either by using the relevant Set remote action or by tasking one of the service desks to follow up on the non-compliant items.
A chart shows over time if compliance is ‘drifting’ from the standard specified, which may assist in pinpointing any issues.
Services dashboard
This dashboard offers a more detailed view of the compliance of the service items as defined within the XML file.
Metrics defined for each use case are monitored and a compliance score and ratio are calculated.
Charts show over time if compliance deviates from the standard specified, which may assist in pinpointing any issues.
KPIs show how many services have an incorrect status (running or stopped), incorrect start type (automatic\manual, etc), or if any service is actually missing from the targeted devices.
Counters are also provided to show how many times the Set Service Information and Services Restart remote actions are triggered within a specified time frame. If the counts are consistently high, then further investigations should be carried out as to why.
Registry dashboard
This dashboard offers a detailed view of the compliance of the Registry items as defined within the XML file.
Metrics defined for each use case are monitored and a compliance score and ratio are calculated.
Charts show over time if compliance is ‘drifting’ from the standard specified, which may assist in pinpointing any issues.
KPIs show how many registry values or property types are noncompliant or if the registry key is missing from the targeted devices.
Files\folders dashboard
This dashboard offers a detailed view of the compliance of the Files and folders defined within the XML file.
Metrics defined for each use case are monitored and a compliance score and ratio are calculated.
Charts show over time if compliance deviates from the standard specified, which may assist in pinpointing any issues.
Individual KPIs and metrics are used to monitor critical files (for example, antivirus dat files or critical business files) and report if missing. Cannot be used to check the existence of Windows protected, hidden system files.
Troubleshooting
'ConfigurationFilePath' is not a correct UNC format error
Solution
The UNC path to access the XML file entered into the ConfigurationFilePath parameter within the Get Configuration Drift remote action contains invalid characters. Quotation marks (“) cannot be used.
Find the Get Configuration Drift remote action, which is normally located within the On-demand folder within the finder. Double-click to open.
Find the ConfigurationFilePath parameter and click the + sign to expand.
Enter within the field a valid unc path.
Click Save
The script cannot connect to [path] error
After running the Get Configuration Drift remote action, you receive the message “Line ‘xxx': [Input error] The script cannot connect to [path]. Check if it exists and has proper permissions. PowerShell exited with code 1” within the 'Execution status details (Get Configuration Drift)’ field
Solution
The UNC path to access the XML file entered into the ConfigurationFilePath parameter within the Get Configuration Drift remote action cannot be accessed. Either the permissions on the network share where the XML file is located does not have the correct permissions for the remote action to access or the unc path to the XML is incorrect.
Find the Get Configuration Drift remote action which is normally be located within the On-demand folder within the finder. Double click to open.
Find the ConfigurationFilePath parameter and click the + sign to expand.
Enter within the field a valid unc path
Click Save
Check permissions on the network share. Read access will be required.
Last updated
Was this helpful?
