Contents

Ex 8 - Tachyon v5.2 Advanced - Real World Examples for Guaranteed State

On this page:

Real World Examples for Guaranteed State

Application Health Check

There are times when we have an application that we need to make sure is running and up to date like Windows Defender or other anti-malware solutions. This exercise will build a policy to check the state of our Application Virtualization Client (App-V), but this scenario could be used for any application. We will check for the installation, the service state (running) and the current version installed. We will add two triggers, one to fire the rule if the service stops and one to fire on a schedule.

Create the Missing Rule

This rule will check to see if the device has the application installed. Since this is a critical application, we will call the device non-compliant if the App-V Client is not installed. If we do not care to report on devices that do not have the application installed, we could use a Pre-Condition check and only report on devices that actually have the application in question installed.


1ETRNW72
  1. Log on as Manager1
  2. In Guaranteed State, navigate to Administration->Rules
  3. Click on New Rule in the far right
  4. In the Name field type in Check that the App-V Client is installed
  5. In the Description field type in Check that App-V Client is installed
  6. Scroll to the Triggers section.
  7. Start typing Periodic in the field and Choose Periodic (hours)
    8. Normally, you do not want to use the interval triggers as one of the huge benefits of Guaranteed State is the ability to only run the rule if specific things change on the device. Here we are checking for the installation so we will run this rule weekly to make sure that devices have the application installed.
  8. In the Interval Hours field type in 168
  9. Scroll to the Check section
  10. In the Select check to be performed field start typing check for WIM and select Check for WMI namespace <WMI namespace to check for>
  11. In the Namespace field type in root\Microsoft\appvirt
  12. Click Save

Create the Service Rule

1ETRNW72
  1. In Guaranteed State, navigate to Administration->Rules
  2. Click on New Rule in the far right
  3. In the Name field type in Check that the App-V Client Service is running
  4. In the Description field type in Ensures the App-V Client Service is running
  5. Scroll to Triggers and start typing when the state and select When the state of the named Windows service changes
  6. In the Service Name field type in sftlist
  7. Scroll to the Check section
  8. In the Check field start typing Check that service and then choose Check that service "ServiceName" is State
  9. In the ServiceName field type in sftlist
  10. In the State field select Running
  11. Scroll to the Fix section
  12. In the Fix field start typing Request Service and Choose Request service "ServiceName" to action
  13. In the ServiceName field type in sftlist. In the Action name field choose Start
  14. Click Save

Create the Version Rule

We will check to make sure the latest version of the App-V Client is installed. We will run this check each time the App-V Client process starts. 

1ETRNW72
  1. In Guaranteed State, navigate to Administration – Rules
  2. Click on New Rule on the right
  3. In the Name field type in Check that the App-V Client is the Latest Version
  4. In the Description field type in Check that the App-V Client is the Latest Version
  5. Scroll to the Triggers section and start typing When a Process and select When a process starts (Windows Only)
  6. In the Executable field type in C:\Program Files\Microsoft Application Virtualization Client\SftList.exe
  7. Scroll to the Check section
  8. In the Check field start typing Check that registry and choose Check that registry key Hive\Subkey\Name has ValueType value of "Value"
  9. In the Hive field select HKLM
  10. In the Subkey field type in SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DB9F70CD-29BC-480B-8BA2-C9C2232C4553}
  11. In the Name field type in DisplayVersion
  12. In the Value field type in 4.6.1.20870
  13. In the Value Type field select REG_SZ
  14. Click Save

Create the Policy

Now, we will create the policy that will contain all of our rules.

1ETRNW72
  1. In Guaranteed State, navigate to Administration->Policies
  2. Click on New Policy in the column on the right
  3. In the Name and Description fields type in App-V Client Health Check
  4. In the All Rules section filter for contains App-V Client and select the 3 rules that we just created Check the App-V Client Version, Check that the App-V Client Service is running, and Check that the App-V Client is installed
  5. Click the double arrows to the right to add them to the Assigned Rules section
  6. Click Save

Deploy the Policy

1ETRNW72
  1. Select App-V Client Health Check and click Assign Mgmt Grp
  2. Select the All Win10 Lab Workstations Devices Management Group and click Save
  3. Click Deploy. Select Ok
  4. Navigate to Overview and select the App-V Client Health Check policy in the drop-down
  5. You may have to refresh in order to see the results

Set the Stage for Broken Application

Now we will "break" our application to see how Guaranteed State shows the results.

1ETRNW101
  1. Log into 1ETRNW101 as 1ETRN\Tachyon_AdminG
  2. Stop the Microsoft Application Virtualizaion Client Service
1ETRNW72
  1. In Guaranteed State - Overview with the App-V Client Health Check Policy selected
  2. Notice the device move into the non-compliant state (the rule will also restart the service, so you may miss it moving to non compliant, but if you click on view history on the device you will see the service stop and be restarted)
    3. You can see from this sample exercise how powerful this tool can be. Play around with other rules and policies to see how Tachyon handles the different triggers that you can utilize. Remember that the rules are all evaluated when the policy is initially deployed, after that it will only be re-evaluated according to the trigger that is assigned.

Service Desk Ticket Symptom

There are times when we have an incident reported to the Service Desk that has the potential for wide-spread impact in our environment. It may be related to a global application or a business-critical functionality. Typically, what we see happening is the first user to experience the issue calls the service desk and a fix is determined and applied. The Service Desk must depend on the spread of that solution to the other help desk agents using a KB article or other such knowledge transfer. When the next user has the issue, they call the Service Desk, and if they are lucky the agent will know the resolution and be able to apply it. Alternatively, the Agent may have to come up with the solution again, duplicating efforts and wasting time for both the agent and the end user. With Guaranteed State we can create a policy for this issue and have the device remediated immediately without a need for a service desk call and maybe even before the end user knows they have the issue. In this exercise we will use a harmless event to show you the functionality. We will call it Help Desk Issue #2.

Create the Rule

In this exercise we will use a specific event in the Event Viewer as our trigger. This way we can perform the fix each time that event fires. In our example, the fix is simply going to be restarting the service but we could just as easily do anything else to the device that we needed to.

1ETRNW72
  1. In Guaranteed State, navigate to Administration->Rules
  2. Click on New Rule on the right
  3. In the Name field type in Check For Help Desk Issue #2
  4. In the Description field type in A great description that tells you what Help Desk Issue #2 is
  5. Scroll to Triggers. Start typing When an event Choose When an event log entry is created (Windows only)
  6. In the Channel field type in Application
  7. In the Query field type in *[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']]
  8. In the Debounce time (seconds) field type in 60
  9. Scroll to the Check section
  10. In the Select check to be performed start typing Check that service and choose Check that service "Servicename" is State
  11. In the ServiceName field type in Windows Update
  12. In the State field select Running
  13. Scroll to the Fix section
  14. In the Fix box start typing Request service and select Request service "serviceName" to action
  15. In the Service name box type in Wuauserv
  16. In the Action box select start
  17. Click Save

Create the Policy

1ETRNW72
  1. In Guaranteed State, navigate to Administration - Policies
  2. Click New Policy on the right
  3. In the Name and Description boxes type in Help Desk Issue #2
  4. In the All Rules section choose our Check for Help Desk Issue #2 rule
  5. Click the double Arrows to move the rule to the assigned rules box
  6. Click Save

Assign and Deploy the Policy

1ETRNW72
  1. Select our Help Desk Issue #2 policy and click Assign Mgmt Grp
  2. Select the All Devices management group and click OK
  3. Click Deploy and OK on the message popup

Viewing the Initial Results

1ETRNW71
  1. Open the Services applet and stop the Windows Update Service.
  2. Navigate to C:\ProgramData\1E\Client and open 1E.Client.log in CMTrace
  3. Look in the log for "Policy Rule "Check for HelpDesk Issue #2""
  4. You will see entries for downloading the policy, processing the instruction, and running the fix (starting the service)

Set the Stage

Since our rule has a trigger to look for a specific event from the event logs we will force that event to occur on a device. This will force our rule to run again.

1ETRNW71
  1. Open the Services applet and stop the Windows Update service again
  2. Launch an Administrative command prompt
  3. In the command prompt type in the following: 
    4. eventcreate /ID 1000 /L Application /SO onenote.exe /T Error /D "onenote.exe"


View the Results

1ETRNW71
  1. Open the 1E.Client.log again and notice the entries for the reprocessing of the rule
  2. Open the Services applet and notice the Windows Update service has been started. If you did not close the applet you may have to refresh

Removing Unauthorized Software


In this exercise we will create a policy that will remove a piece of software that is not allowed to be used in our environment. We have several devices in our environment with unapproved software installed and this is leading to non-productive workers. We will create a policy that looks for Orca and perform the removal. We will use the process of Orca starting as a trigger for the rule so that we can also remove subsequent installations of the application after we remove it the initial time.

Create the Fragment

This fragment will be used to remove any software that was installed using MSI. We will ask for the Product Name and Publisher as our parameters.

1ETRNW72
  1. Launch TIMS if it is already open then click File New to clear any previous code.
  2. In the code block type in the following: 
    3. @Software = Software.GetInstallations(Publisher:"%Publisher%",Product:"%Software%");
IF (@Software)
	SELECT 0 as Passed, "%Software% installed" as Data;
ELSE
	SELECT 1 as Passed, "%Software% not installed" as Data;
ENDIF;
  3. Click Run
  4. Notice the results
    5. We are using the Software.GetInstallations method to check to see if our Product is installed. In this case, Orca. If it is installed the device is non-compliant. We will add the parameter now. This will enable us to use the same fragment for any software products.
  5. In TIMS click on Add Parameter
  6. In the Name field type in Software
  7. In the Hint Text type in Unauthorized Software Product
  8. Click Add Parameter again and type Publisher in the Name field and Unauthorized Publisher Name in the Hint text field
  9. Click OK
  10. In the Instruction Definition section Comments field type in Checks to see if unauthorized software is installed
  11. In the description field type in Does this machine have unauthorized software?
  12. In the Instruction Type select Check
  13. In the Name field type in 1E-GuaranteedState-Check-UnauthorizedSoftware
  14. In the Readable payload type in Check for %Software% by %Publisher%
  15. Click on Schema choose yes to create the schema. Change the length of the data field to 1024. Click OK
  16. Save the file as 1E-GuaranteedState-Check-UnauthorizedSoftware.xml in C:\tools\AdditionalProductPacks\Product_Pack_Templates
  17. Create a folder in C:\Tools\AdditionalProductPacks\Product_Pack_Templates called UnauthorizedSoftware
  18. Move your fragment to C:\Tools\AdditionalProductPacks\Product_Pack_Templates\UnauthorizedSoftware\Fragments\Check (you will need to create the additional two folders)
  19. Copy the manifest.xml from one of the other product pack folders to C:\Tools\AdditionalProductPacks\Product_Pack_Templates\UnauthorizedSoftware
  20. Find a .ico file on your machine to use for your Product Pack. Copy the file to C:\Tools\AdditionalProductPacks\Product_Pack_Templates\UnauthorizedSoftware
  21. Edit your manifest.xml for your Unauthorized Software Product Pack
  22. Change the Name, description, and icon file references. Save the file as manifest.xml
  23. Now we will edit this fragment and create a Fix for the removal of Orca. At the end of line 2 in your code block hit the enter key to create a new line 3 (below the IF)
    24. If we just wanted to check for the existence of the unauthorized software we could use this check rule. Since we want to also remove the software we will create a rule to not only check for the software but remove it also.
  24. Type in the following on your new empty line 3 
    25. Software.Uninstall(Publisher:"%Publisher%",Product:"%Software%");
  25. In the Instruction Definition Section Comments field type in Checks to see if unauthorized software is installed
  26. In the Description field type in Ensures that unauthorized software is not installed
  27. In the Instruction Type select Fix
  28. In the Name field type in 1E-GuaranteedState-Fix-UnauthorizedSoftwareRemoval
  29. In the Readable Payload field type in Check for %Software% by %Publisher% and remove
  30. Save file as C:\Tools\AdditionalProductPacks\Product_Pack_Templates\UnauthorizedSoftware\Fragments\Fix\1E-GuaranteedState-Fix-UnauthorizedSoftwareRemoval.xml

Upload into Guaranteed State

1ETRNW72
  1. In File Explorer navigate to C:\Tools\AdditionalProductPacks\Product_Pack_Templates\UnauthorizedSoftware
  2. Multi select all of the files in that folder and right click and choose Send to Compressed (zipped) folder
  3. Rename the .zip file to UnauthorizedSoftware.zip
  4. Copy the file to C:\Tools\ProductPacks\Integrated
  5. Launch Tachyon.ProductPackDeploymentTool.exe
  6. In the Server name field change .acme.local to .1etrn.local and click on Test Connection
  7. Uncheck Select all and only select our Unauthorized Software Product Pack
  8. Click Upload Selected

Create the Rule

We will be creating a rule to remove Orca. With this parameterized fragment you could make multiple rules to add to your policy if you wanted to remove a number of software titles. The Software.Uninstall module and method only works for software installed via the Windows Installer (.MSI format). We could just as easily use the NativeServices.RunCommand instead, we would just need to supply the command line for the unattended uninstall.

1ETRNW72
  1. Launch Guaranteed State as our Admin 1ETRN\Manager1
  2. Navigate to Administration->Rules
  3. Click New Rule to create a new rule Name it Remove Orca
  4. Put in a meaningful description
  5. Scroll to the Triggers section
  6. Start typing When a process into the Triggers field and choose the trigger When a process starts (Windows only)
  7. In the Executable field type in C:\Program Files\Orca\orca.exe
    8. In the precondition we could add only run on Windows since our trigger is only a windows trigger but we are only going to not include a precondition check and have it run on all of our devices since we only have Windows.
  8. Scroll to the Check section
  9. In the Check field start typing Check for Software select Check for Software by Publisher
  10. In the Software field type in the Product Name in this case Orca
  11. In the Publisher field type in the Publisher Name in this case Microsoft Corporation
    12. Make sure you type in the exact syntax and case for the Product and Publisher (for example Apple is Apple Inc. with the period) this method and module is very specific. Use Software.GetInsallations(); to pull a table that contains all of the software and publisher information. This will help you to get the proper syntax for your fragment.
  12. Scroll to the Fix section
  13. Start typing Check for and Select the Check for Software by Publisher and remove
  14. Type the product name in the Software field - Orca
  15. Type the Publisher name in the Publisher field - Microsoft Corporation
  16. Click Save

Create the Policy

1ETRNW72
  1. Navigate to Administration->Policies
  2. Click New Policy to create a new policy name it Remove Unauthorized Software
  3. Put in a meaningful description
  4. Select our Remove Orca Rule
  5. Click the double right arrow to move it over to the assigned section
  6. Click Save

Assign and Deploy the Policy

1ETRNW72
  1. Select our Remove Unauthorized Software policy
  2. Click Assign Mgmt Grp. Choose our All Win7 Lab Workstations Management Group
  3. Navigate to Start - All Programs and notice that Orca is installed on this device
  4. Click Deploy. Click OK

View the Results

1ETRNW72
  1. Navigate to Overview. Click the dropdown to select our Remove Unauthorized Software Policy
  2. You will see the devices become non-compliant the rule will then remove the software.
    3. The log may show some errors on the rule evaluation when the fix is run since the software is being removed. It may also show an error in the uninstall log created by Tachyon located in c:\Program Data\1E\Client\Tachyon.Agent.Software.Uninstall.<DateStamp.Publisher.Product>.log especially if the MSI throws an error code because the software is open when Guaranteed State is trying to remove. Since the launch of the software is our trigger to re-run the rule - the software will always be open during the uninstall.
1ETRNW72
The 1E Client runs the rule(s) the first time the policy is deployed and after that only when the trigger fires the rule. We set our trigger to be when Orca is launched - that will catch any subsequent installs of Orca once they launch the product.
  1. Navigate to C:\ProgramData\1E\Client and Open the 1E.Client.log using CMTrace
  2. Check the Client entries for the processing of the policy. Leave the log file open
  3. Notice that Orca has been removed
  4. Reinstall Orca from the ConfigMgr Content location using the desktop shortcut
  5. Open Software\Orca and double click Orca.msi. Select the Complete installation
  6. Once the install completes launch Orca close Orca to allow the uninstall to complete
  7. Navigate back to the 1E.Client.log and notice that Orca has been removed again. Look at Start - All Programs to ensure it has been removed.
    8. Scenario for extra practice on your own - XML Notepad is also a piece of unauthorized software.

Lab Summary

In this lab we learned how to use Guaranteed State in some real-world scenarios. As you can see Guaranteed State is very flexible and can be used for many, many different jobs to keep our environment healthy and configured correctly. 

Next Page

Ex 9 - Tachyon v5.2 Advanced - Tachyon Activity Record