Manage Configuration Drift
Overview and Use Case
A lack of visibility into device compliance can quickly escalate into device performance issues and employee frustration, and put the wider organization at risk.
The Manage Configuration Drift pack allows you to track, detect and remediate devices in your landscape that have “drifted” from a defined compliance baseline.
An overview dashboard provides an at-a-glance view of your overall compliance state, while 4 additional dashboards monitor the software, services, files and registry entries on every device in your estate, allowing you to drill down into the source of configuration drifts. You can then remediate any identified non-compliant devices using the automated or manual remediations included in the pack.
This pack is vital for Compliance Managers and EUC leads who wish to keep an eye on the overall compliance of their estate. IT Service Desk teams can also massively benefit from it by effortlessly carrying out necessary fixes at scale.
Video: Configuration Drift Management | Library Pack Overview
Pre-Requisites
The pack requires two core components:
An XML file listing the required items to check for compliance, which must be made available on a share that is accessible by all machines that will run the checks.
The execution of the “Get Configuration Drift” Remote Action, which will perform the Compliance test.
We have included example XML files below which may be used; however, you are free to customize them to fit your organizational needs.
XML File Construction
The below document explains how to construct the XML file and the configuration which should be observed:
Configuration Drift Schema.pdf
Some example XML baselines are also attached for download if required but are purely to be used as a template to create the desired compliance baselines:
Dashboard.xml
The XML file that the dashboards within this pack were based upon
Example Generic Schema Template
Purely intended to show the flow of the XML construct (vanilla)
Example – Ops Team – Endpoint Compliance Baseline
A number of compliance checks for key services, agents and files (e.g. VPN Client, Windows Firewall running, Defender ATP version), plus an example of an integrity check for (example) malicious files
Example – Endpoint Manager CM Baseline
Client presence, client version, essential services for MEMCM, assigned site code, previous site code, and so on.
Example Generic Schema Template.xml
Example - Ops Team - Endpoint Compliance Baseline.xml
Example - Endpoint Manager CM Example.xml
Please note that these files are not all encompassing but rather intended to give assistance on the construct of your own XML file.
Pack Structure
The pack is made up of the Remote Actions described above, a number of metrics which relate to the four dashboards (described later) and importantly, a Nexthink Score.
Understanding the Manage Configuration Drift Score
The Nexthink scoring technology allows us to take any returned datapoint from a device and transcribe that to an easily understood value between 0 and 10.
In the case of compliance, the situation is binary: you are either compliant or you are not compliant.
To reflect this, the Nexthink Score in this pack, Configuration Drift Score, uses the following logic:
When running the Remote Action against a device registry, if any registry entry is found to be non-compliant, then the score records the registry as non-compliant. Non-compliant is 0, Compliant is 10, there are no values possible in between (if the Remote Action is not run, the score is null and will not be counted).
When running the Remote Action against a device's File System, the same principle is taken: if any check against a file fails then the file system compliance is considered failed for that device and a score of 0 is applied, with 10 for compliant (i.e. no errors).
When running the Remote Action against a device's Services, the same principle is taken: if any check against a service fails then the Service compliance is considered failed for that device and a score of 0 is applied, with 10 for compliant (i.e. no errors).
These three checks are implemented as leaf nodes (i.e. child nodes) in the Nexthink score. There is a parent (Composite) node above them, whose value is the minimum value of the child nodes. In real-world terms, the logic is “If any of the child compliance tests fail, then the parent Compliance node is also marked as failed”. In other words, if you are non-compliant in anything, then you are non-compliant overall.
If the Nexthink Score Creator is used to modify the score, the structure is as follows:
Parent Score:
Child Score:
Feel free to modify this as you wish; for example, you may not wish to be so strict as to use the MIN logic as the roll-up summarizer for the child leaf scores.
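The roll-up described above, as an added PowerShell example (not the pack's own code): any failed check sets its leaf score to 0, and the composite is the MIN of the leaf scores. Get-DriftScore, the result objects and their names are hypothetical, and leaving null leaves out of the MIN is an assumption based on the statement that a null score is not counted.

```powershell
# Added example; Get-DriftScore and the sample objects are hypothetical.
function Get-DriftScore {
    param([object[]]$CheckResults)   # each object: Area, Name, Compliant

    $out = [ordered]@{}
    foreach ($area in 'Registry', 'FileSystem', 'Services') {
        $checks = @($CheckResults | Where-Object { $_.Area -eq $area })
        $failed = @($checks | Where-Object { -not $_.Compliant })

        # Leaf score: null if nothing ran, 0 if any check failed, otherwise 10.
        $out[$area] = if ($checks.Count -eq 0) { $null }
                      elseif ($failed.Count -gt 0) { 0 }
                      else { 10 }

        # Keep the failing items so a score of 0 can be traced to its cause.
        $out["${area}Failures"] = @($failed | ForEach-Object { $_.Name })
    }

    # Composite (parent) score: MIN of the leaf scores that have a value.
    # Assumption: null leaves are left out of the MIN rather than treated as 0.
    $scored = @($out['Registry'], $out['FileSystem'], $out['Services'] |
        Where-Object { $null -ne $_ })
    $out['Composite'] = if ($scored.Count -gt 0) {
        [int]($scored | Measure-Object -Minimum).Minimum
    } else { $null }

    [pscustomobject]$out
}

# Constructed sample results: one failing service, no file checks run.
$sample = @(
    [pscustomobject]@{ Area = 'Registry'; Name = 'ExampleRegistryValue'; Compliant = $true }
    [pscustomobject]@{ Area = 'Services'; Name = 'ExampleAgentService';  Compliant = $true }
    [pscustomobject]@{ Area = 'Services'; Name = 'ExampleVpnService';    Compliant = $false }
)
Get-DriftScore -CheckResults $sample
```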
Change log
V1.0.0.0 - Initial release
Library Pack Setup Detailed Steps
An XML file with the required criteria entered for the Services, Registry and Files\Folders must be made available on a network share with permission for the remote action to access.
The remote action will access this XML file and examine the items specified within it, and the results are displayed within the finder.
The Manage Configuration Drift library pack is underpinned by four Remote Actions which are reported on within four intuitive dashboards.
Only the Get Configuration Drift Remote Action is required to be executed on a regular basis. The Set Windows Registry Key Value, Set Service Information and Restart Service Remote Actions are not mandatory, but can be used to assist in the remediation process by allowing you to execute the required fix remotely.
Should you need to run multiple XML files, you will need to duplicate the Get Config Drift Remote Action so that the path to the alternative XML file can be entered.
Please note that the dashboards will be empty of data until the Remote Actions have run.
Remote Actions
Get Configuration Drift
The remote action that carries out the examination and reporting of the items listed within the XML file. The file will need to be made available on a network share with permission for the remote action to access. The path to the XML file will need to be entered in UNC format in the ConfigurationFilePath parameter of the remote action.
Set Windows Registry Key Value
The remote action can be used to rectify any registry keys, values or types that have been identified as being out of compliance by the Get Configuration Drift remote action. It can be used to modify or create a String, Binary, DWORD or QWORD value in the Windows Registry. Parameters for RegistryKey, ValueName, Value and ValueType must be entered within the Remote Action.
Set Service Information
The remote action enables the modification of the status and startup type of one or multiple services that have been identified as being out of compliance by the Get Configuration Drift remote action. Useful for enforcing the expected status of critical services (e.g. Antivirus, SCCM agent, core business applications, etc.) in accordance with corporate policies. Parameters for ServiceName, StatusChange and SetStartTypeTo must be entered within the Remote Action.
Restart Service
The remote action can be used to restart stopped services that have been identified as being out of compliance by the Get Configuration Drift remote action. Several services can be restarted within a single execution of the remote action. The fields Display Name and Default Value under the ServiceName parameter must be completed within the Remote Action. The Description field is optional. The name of the service (e.g. spooler) is entered into the Default Value field. The Display Name field is the label for the Default Value field. This is useful if several devices need the same service restarted.
Dashboards
Overview dashboard
The overview dashboard contains a summary status of your compliance. You should always be aiming for 10 as the score. If any non-compliance is showing, investigate in the details dashboard for that area (explained below) and correct the issue either by using the relevant Set remote action or by tasking the service desk to follow up on the non-compliant items. A chart shows whether compliance is ‘drifting’ over time from the standard specified, which may assist in pinpointing any issues.
Troubleshooting
'ConfigurationFilePath' is not a correct UNC format error
Solution
The UNC path to the XML file entered into the ConfigurationFilePath parameter within the Get Configuration Drift remote action contains invalid characters. Quotation marks (") cannot be used.
Find the Get Configuration Drift remote action, which is normally located within the On-demand folder within the finder. Double click to open.
Find the ConfigurationFilePath parameter and click the + sign to expand.
Enter a valid UNC path in the field.
The script cannot connect to [path] error
After running the Get Configuration Drift remote action, you receive the message “Line ‘xxx': [Input error] The script cannot connect to [path]. Check if it exists and has proper permissions. PowerShell exited with code 1” within the 'Execution status details (Get Configuration Drift)’ field
Solution
The UNC path to the XML file entered into the ConfigurationFilePath parameter within the Get Configuration Drift remote action cannot be accessed. Either the network share where the XML file is located does not have the correct permissions for the remote action to access it, or the UNC path to the XML file is incorrect.
Find the Get Configuration Drift remote action, which is normally located within the On-demand folder within the finder. Double click to open.
Find the ConfigurationFilePath parameter and click the + sign to expand.
Enter a valid UNC path in the field.
Check permissions on the network share. Read access will be required.
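Both errors above can be checked before the remote action is scheduled. The following is an added PowerShell example, not part of the pack: Test-DriftBaselinePath is a hypothetical helper that validates the ConfigurationFilePath value, confirms read access, and lists NTFS entries that let broad groups modify the baseline file. It assumes it is run under the same account the remote action uses; the path in the usage comment is a constructed placeholder.

```powershell
# Added example; Test-DriftBaselinePath is a hypothetical helper, not part of the pack.
function Test-DriftBaselinePath {
    param([Parameter(Mandatory)][string]$ConfigurationFilePath)

    $r = [ordered]@{
        Path = $ConfigurationFilePath; NoQuotes = $false; IsUnc = $false
        Readable = $false; ValidXml = $false; BroadWriteAccess = @()
    }

    # Quotation marks (straight or curly) cannot be used in the parameter value.
    $r.NoQuotes = $ConfigurationFilePath -notmatch '["\u201C\u201D]'

    # The value must parse as an absolute UNC path (\\server\share\file.xml).
    $uri = $null
    $r.IsUnc = [System.Uri]::TryCreate($ConfigurationFilePath,
        [System.UriKind]::Absolute, [ref]$uri) -and $uri.IsUnc
    if (-not ($r.NoQuotes -and $r.IsUnc)) { return [pscustomobject]$r }

    # Read access from the current security context.
    try {
        $raw = Get-Content -LiteralPath $ConfigurationFilePath -Raw -ErrorAction Stop
        $r.Readable = $true
    } catch { return [pscustomobject]$r }

    # The baseline must be well-formed XML (an empty file does not count).
    if ($raw) { try { $null = [xml]$raw; $r.ValidXml = $true } catch { } }

    # NTFS entries that allow broad groups to rewrite the baseline. Matching is
    # by SID: Everyone, Authenticated Users, BUILTIN\Users, Domain Users (-513),
    # Domain Computers (-515). Share-level permissions are not inspected here.
    $broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-545)$|^S-1-5-21-.+-(513|515)$'
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $rules = (Get-Acl -LiteralPath $ConfigurationFilePath -ErrorAction Stop).
            GetAccessRules($true, $true, $sidType)
        $r.BroadWriteAccess = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $write) -and
                $_.IdentityReference.Value -match $broad
            } | ForEach-Object { $_.IdentityReference.Value })
    } catch { }

    [pscustomobject]$r
}

# Usage (constructed placeholder path):
# Test-DriftBaselinePath -ConfigurationFilePath '\\fileserver01\baselines\Dashboard.xml'
```

The remote action only needs read access, so any SID listed in BroadWriteAccess can alter what every device treats as compliant and is worth removing from the file's ACL.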