C3 Inventory provide's expansive inventory capabilities for organizations looking to inventory and assess their endpoint and server environments. C3 Inventory is a C3 site -- for more information on C3 please see the C3 Homepage.

Inventory Capabilities

Documentation on this page is organized into categories of content (Active Directory, Applications, etc). Within each category there are sub categories defined (Group Policy, Users and Groups, etc). Each Sub Category will outline what Analyses, Fixlets, and Tasks make up that piece of functionality.

For certain content there are instructions to help get started with that content. Under each Analysis is a list of example properties you can gather using that analysis. If there is a sentence of information under a property the intention is for that to further describe the propery itself.

Every Fixlet and Analysis is a hyperlink to the content on BigFix.Me but we highly recommend setting up the BigFix.Me Sync Tool.

Active Directory

Active Directory

Basic information covering the Active Directory domain that endpoints are bound to.

• Active Directory - Win\Mac
• Errors
• Group Membership

This property provides recursive group membership which is especially useful for identifying devices with membership in high-privilege groups

• Last Query Time

• NetBIOS Domain Name

• Organizational Unit

• Invoke - Active Directory Domain Join - Windows

Provides a secure mechanism to perform remote domain joins in your environment.

Group Policy

Advanced information covering the current Windows Group Policy applied to the Endpoint. This information is especially useful when troubleshooting Group Policy issues and essentially provides the pieces of a, "Resultant Set of Policy".

• Group Policy - Windows
• Applied Group Policies

Lists each applied Group Policy, what OU it's applied to and it's GUID

• Assigned Software Installations
• Average Network wait
• Current AD Site
• Current AD Domain Controller
• Enforced Group Policies
• Extensions with Debug/Tracing
• Locally Group Policy Settings

Lists each applied setting registry path and its current value

• Slow Link Status

• Startup Scripts

• Shutdown Scripts

• Invoke - Group Policy Refresh - Windows

• Invoke - Reset Local Group Policy - Windows

Deletes and resets the Local Group Policy store

Users and Groups

Users and Groups content focuses on providing information related to the current and historical users of the endpoint.

• Users - Win\Mac

• User's Group Membership

• Explicit Administrator

• User Profiles on System

• Users - Windows

• Drive Mappings

• Implicit Administrator

• Last Logged on User

• Last Logon Time for All Users

• Groups - Win\Mac

• Groups defined on the system

• Membership information for common groups

• Invoke - Add Current User to Administrators - Windows

• Invoke - Add Current User to Remote Desktop Users - Windows

• Invoke - Remove Current User from Administrators - Windows

• Invoke - Remove Current User from Remote Desktop Users - Windows

Applications

General

• Applications - Universal

• Currently Running Apps

• Recently Run Apps

• Registered Apps

• Applications - Windows

• Installed Apps

• Silent Uninstall Strings for Installed Apps

• Startup Apps

• Uninstall Strings for Installed Apps

CommVault

• CommVault - Windows
• Agent Version
• Backup Target
• Client Port
• Installed Packages
• Last Job Id
• Last Job Time
• Service State

Correlog

• Correlog - Windows
• Destination Address and Port
• Encryption Configuration
• Last Configuration Modification Time
• Monitored Event Logs
• Remote Configuration Mode
• Service State

Dell Command | Configure

The Dell Command | Configure features of C3-Inventory allow the inventorying and control of bios settings on Dell systems.

• Dell Command | Configure - Windows

• Auto On

• BIOS Version

• Manufacture Date

• Power Management

• Secure Boot State

• TPM State

• Config - Dell Command | Configure Wake on Lan - Enable - Windows

• Config - Dell Command | Configure Wake on Lan - Disable - Windows

• Config - Dell Command | Configure Firmware - UEFI with SecureBoot - Windows

• Config - Dell Command | Configure Firmware - UEFI - Windows

Using Dell Command | Configure requires the following steps to be completed:

1. Install Dell Command | Configure

The package for Dell Command | Configure is available in the C3-Patch site as Deployment, Updating, and Removal content.

1. Action Invoke - Dell Command | Configure Probe - Windows as a policy action

The probe Invoke - Dell Command | Configure Probe - Windows should be should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Dell Command | Update

The Dell Command | Update features of C3-Inventory enable updating system drivers as well as the BIOS of a Dell system.

• Dell Command | Update - Windows

• Application Updates

• Driver Updates

• Important Updates

• Optional Updates

• Recommended Updates

• Urgent Updates

• Invoke - Dell Command | Update Driver Probe - Windows

• Invoke - Dell Command | Update Driver Update - Windows

Using Dell Command | Update requires the following steps to be completed:

1. Install Dell Command | Update

The package for Dell Command | Update is available in the C3-Patch site as Deployment, Updating, and Removal content.

1. Action Invoke - Dell Command | Update Driver Probe - Windows as a policy action

The probe Invoke - Dell Command | Update Driver Probe - Windows should be should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Optionally, you can perform updates using Dell Command | Update:

1. Action Invoke - Dell Command | Update Driver Update - Windows

This will cause the Dell Command | Update agent to reach out to the internet (bypassing the relay infrastructure) to download available drivers.

Internet Explorer

• Internet Explorer - Windows
• Trusted Sites (from Group Policy)

Java

• Java - Windows
• x86 Version
• x64 Version
• Site Exception Configuration

NXLog

NXLog is the log forwarder of choice for C3 Inventory. NXLog can be configured and deployed entirely using C3.

• NXLog - Windows

• Installation Directory

• Monitored Items

• Service State

• Version

• Config - NXLog CE - Enable Modular Management - Windows

• Config - NXLog CE Definition - Environment Variables - Windows

• Config - NXLog CE Extension - w3c - Windows

• Config - NXLog CE Extension - xm_gelf - Windows

• Config - NXLog CE Extension - xm_json - Windows

• Config - NXLog CE Extension - xm_syslog - Windows

• Config - NXLog CE Input - Application Event Log - Windows

• Config - NXLog CE Input - Application Event Log Warnings - Windows

• Config - NXLog CE Input - Applocker AppX Event Log - Windows

• Config - NXLog CE Input - Applocker AppX Event Log Warnings - Windows

• Config - NXLog CE Input - Applocker EXE and DLL Event Log - Windows

• Config - NXLog CE Input - Applocker EXE and DLL Event Log Warnings - Windows

• Config - NXLog CE Input - Applocker MSI and Script Event Log - Windows

• Config - NXLog CE Input - Applocker MSI and Script Event Log Warnings - Windows

• Config - NXLog CE Input - BigFix Client - Windows

• Config - NXLog CE Input - BigFix Relay - Windows

• Config - NXLog CE Input - Directory Service - Windows

• Config - NXLog CE Input - IIS - Windows

• Config - NXLog CE Input - Microsoft Office Alerts Event Log - Windows

• Config - NXLog CE Input - NXLog - Windows

• Config - NXLog CE Input - Powershell Event Log - Windows

• Config - NXLog CE Input - Security Event Log - Windows

• Config - NXLog CE Input - Security Event Log Reduced - Windows

• Config - NXLog CE Input - System Event Log - Windows

• Config - NXLog CE Input - System Event Log Warnings - Windows

• Config - NXLog CE Output - to_gelf - Windows

• Config - NXLog CE Output - to_syslog_bsd - Windows

• Invoke - Reload NXLog CE Configuration - Windows

• Invoke - Reload Stale NXLog CE Configuration - Windows

• Invoke - Remove NXLog CE Modular Configuration - Windows

Using NXLog requires the following steps to be completed:

1. Install NXLog

The package for NXLog is available in the C3-Patch site as Deployment, Updating, and Removal content.

1. Build a configuration baseline with the following Component Groups:

• Refresh on Change
  1. Invoke - Reload Stale NXLog CE Configuration - Windows
• Enable NXLog Modular Management
  1. Config - NXLog CE - Enable Modular Management - Windows
• Define NXLog Environment Variables
  1. Config - NXLog CE Definition - Environment Variables - Windows
• Enable NXLog Extensions
  1. Config - NXLog CE Extension - w3c - Windows
  2. Config - NXLog CE Extension - xm_gelf - Windows
  3. Config - NXLog CE Extension - xm_json - Windows
  4. Config - NXLog CE Extension - xm_syslog - Windows
• Add NXLog Inputs
  1. Config - NXLog CE Input - Application Event Log Warnings - Windows
  2. Config - NXLog CE Input - Applocker AppX Event Log Warnings - Windows
  3. Config - NXLog CE Input - Applocker EXE and DLL Event Log Warnings - Windows
  4. Config - NXLog CE Input - Applocker MSI and Script Event Log Warnings - Windows
  5. Config - NXLog CE Input - BigFix Client - Windows
  6. Config - NXLog CE Input - BigFix Relay - Windows
  7. Config - NXLog CE Input - Directory Service - Windows
  8. Config - NXLog CE Input - IIS - Windows
  9. Config - NXLog CE Input - Microsoft Office Alerts Event Log - Windows
  10. Config - NXLog CE Input - NXLog - Windows
  11. Config - NXLog CE Input - Powershell Event Log - Windows
  12. Config - NXLog CE Input - Security Event Log Reduced - Windows
  13. Config - NXLog CE Input - System Event Log Warnings - Windows
• Add NXLog Outputs
  1. Config - NXLog CE Output - to_gelf - Windows

  If you are forwarding to Graylog choose only this one

  1. Config - NXLog CE Output - to_syslog_bsd - Windows

  If you are forwarding to Syslog choose only this one

1. Action your baseline as a policy action

Your baseline should be should be actioned to run an unlimited number of times with a delay of however long you find the age of the configuration to be acceptable (typically once a day is fine).

Microsoft IIS

• Microsoft IIS - Windows

Mirosoft MDT

• Microsoft Deployment Toolkit - Windows

Microsoft SQL

• Microsoft SQL - Windows

Microsoft SCCM

• SCCM - Windows

BIOS

UEFI

Secure Boot

Trusted Platform Module

Hardware

Mobile Device Management

Apple Configuration Profiles

Monitoring

Service Monitoring

The Service Monitor features of C3-Inventory enable operators to monitor and remediate critical service failures on their servers and endpoints.

• Service Monitor - Windows

• Monitored Services

• Recovered Services

• Services Failing to Recovered

• Monitor Blacklist

• Config - Service Monitor - 1E NightWatchman - Windows

• Config - Service Monitor - Active Directory Certificate Authority - Windows

• Config - Service Monitor - Active Directory Federation Services - Windows

• Config - Service Monitor - Add to Blacklist

• Config - Service Monitor - Blackboard Learn - Windows

• Config - Service Monitor - IBM BigFix Components - Windows

• Config - Service Monitor - McAfee ePO Agent - Windows

• Config - Service Monitor - Microsoft Applocker - Windows

• Config - Service Monitor - Microsoft EMET - Windows

• Config - Service Monitor - Microsoft Hyper-V Guest Services - Windows

• Config - Service Monitor - Microsoft Hyper-V Host Services - Windows

• Config - Service Monitor - Microsoft IIS - Windows

• Config - Service Monitor - Microsoft SCCM Agent - Windows

• Config - Service Monitor - Microsoft SQL Server - Windows

• Config - Service Monitor - Microsoft Skype for Business Services - Windows

• Config - Service Monitor - Microsoft Windows Basic Services - Windows

• Config - Service Monitor - Microsoft Windows DFS - Windows

• Config - Service Monitor - Microsoft Windows DHCP Server - Windows

• Config - Service Monitor - Microsoft Windows DNS Server - Windows

• Config - Service Monitor - Microsoft Windows SNMP - Windows

• Config - Service Monitor - Reset Blacklist

• Config - Service Monitor - Set Audit Delay to 10 Minutes - Windows

• Config - Service Monitor - Set Audit Delay to 15 Minutes - Windows

• Config - Service Monitor - Set Audit Delay to 5 Minutes - Windows

• Config - Service Monitor - Set Remediation Delay to 10 Minutes - Windows

• Config - Service Monitor - Set Remediation Delay to 15 Minutes - Windows

• Config - Service Monitor - Set Remediation Delay to 5 Minutes - Windows

• Config - Service Monitor - VMWare Tools - Windows

• Invoke - Service Monitor Remediation - Windows

Using C3 Service Monitor requires the following steps to be completed:

Start Monitoring Services

In the C3 Inventory Site are a number of fixlets for monitoring standard services. These Fixlets have relevance to only be applicable on devices that have these services. Simply build a baseline with all relevant "Config - Service Monitor - *" Fixlets and apply to your endpoints.

Report on failing Services

To report on failing services you can simply make a web report which checks for results for the property, "Service Monitor - Services Failing to Start - Windows" in the, Service Monitor - Windows analysis. Set this report to email whenever there is a change to the report.

Remediate failing Services

You also have the option of automatically remediating failed services. You can do this using Invoke - Service Monitor Remediation - Windows. This Fixlet has the same relevance as the failing services property and will only be relevant on computers with failing services.

When this Fixlet runs it will attempt to start the service.

You should apply this as a policy action set to re-apply at whatever frequency you would like Service monitor to attempt to start the services (Typically 5-15 minutes).

Custom Service Monitoring

To designate custom services to monitor you can simply create a client setting: "besservicemonitor--".

This name should be unique for every set of services you want to monitor. The value of this new client setting should be a semi-colon separated list of services to monitor.

For instance, for monitoring Microsoft EMET we would could use ActionScript create a client setting like this:

setting "besservicemonitor-microsoft-emet"="EMET_Service" on "{now}" for client

We can then use the following relevance to cause computers without this setting to become applicable:

not exists values whose (it = "EMET_Service") of settings "besservicemonitor-microsoft-emet" of client

And finally we can use the following relevance to make the fixlet only relevant on computers that have the service installed:

exists services (substrings separated by ";" of "ccmexec;ConfigMgr Wake-up Proxy")

To help simplify and automate this process we have provided a helper script, written in powershell, which prompts you for a friendly service group name and for the list of services and generates/imports a fixlet.

Customizing Service Monitor

There are three ways to customize service monitor:

1. Adjust the time threshold for Failure (besservicemonitor-setting-audit-delay)
2. Adjust the time threshold for Remediation (besservicemonitor-setting-remediation-delay)
3. Blacklist a service to prevent reporting and remediation (besservicemonitor-setting-blacklist)

The first two two settings adjust how long after startup the Service Monitor should wait before reporting a service failure and before attempting remediation. If these settings are not set, the Service Monitor defaults to waiting for 5 minutes after system startup before reporting on service failure and before attempting remediation.

There are pre-made Fixlets in the C3 Inventory site for setting these values to 5, 10, and 15 minutes.

The final setting is a semi-colon separated list of services to ignore. This causes the service monitor to ignore the blacklisted services and not report them as failing or attempt to remediate them. This is particularly useful if you're pushing service monitor configs as global policy actions but need to exclude a specific service on just a single machine.

Process Monitoring

In addition to monitoring Services, the Process Monitor features of C3-Inventory enable operators to monitor critical processe failures on their servers and endpoints.

• Process Monitor - Windows
• Monitored Processes
• Processes Failing to Recovered

You can also monitor processes that do not correspond to a service by activating the Analysis: "Process Monitor - Windows" and configuring processes to monitor using the prefix, "besprocessmonitor-" instead of "besservicemonitor" to make sure that individual processes are running on the system. Process Monitor does not have any capability for performing automatic remediation (just reporting) if a process has failed.

To help simplify and automate this process we have provided a helper script, written in powershell, which prompts you for a friendly process group name and for the list of process and generates/imports a fixlet.

Network

Operating System

Certificate Store

The Certificate Store capabilities of C3 Inventory make auditing Certificates easier.

• Certificates - Windows

• My Certificates

• My Certificates Expiring in 30 Days

• My Certificates Expiring in 7 Days

• My Certificates Expiring in 1 Day

• My Expired Certificates

• Remote Desktop Certificates

• Trusted Code Signing Certificates

• Trusted Intermediate Authorities

• Trusted Publishers

• Trusted Root Authorities

• Trusted Root Authorities with Private Keys

• Invoke - Certificate Store Probe - Windows

Using the C3 Certificate Store capabilities of C3 Inventory requires the following steps to be completed:

1. Action Invoke - Certificate Store Probe - Windows as a policy action

The probe Invoke - Certificate Store Probe - Windows should be should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Launch Daemons/Agents

Network Shares

Pagefile

Pending Restart

Printers

Updates

Scheduled Tasks

Services

Pagefile

Volumes

Temporary Administrators

The temporary administrator features of C3-Inventory allow the provisioning and automatic removal of administrative rights for end-users using actions or offers. The feature requires the following to be successful:

• Temporary Administrators - Windows

• Current Temporary Administrators

• Current Authorized Requestors

• Expired Temporary Administrators

• Expired Authorized Requestors

• Invoke - Add Current Authorized Requestor to Remote Desktop Users - Windows

• Invoke - Add Current Authorized Requestor to Temporary Administrators - Windows

• Invoke - Add Current User to Authorized Requestors - Windows

• Invoke - Add Current User to Temporary Administrators - Windows

• Invoke - Add Permanent Administrators to Authorized Requestors - Windows

• Invoke - Convert Permanent Administrators to Temporary Administrators - Windows

• Invoke - Convert Permanent Administrators who are Authorized Requestors to Temporary Administrators - Windows

• Invoke - Remove Current User from Authorized Requestors - Windows

• Invoke - Remove Current User from Temporary Administrators - Windows

• Invoke - Remove Expired Users from Authorized Requestors - Windows

• Invoke - Remove Expired Users from Temporary Administrators - Windows

Using Temporary Administrative Rights requires the following steps to be completed:

Add users to Administrators Group Temporarily

Invoke - Add Current User to Temporary Administrators - Windows can be used to grant a user temporary administrative privileges.

This Fixlet has a number of actions available that determine the expiration date and time of the users administrative rights anywhere from 1 hour to 5 days.

Offer Temporary Administrative Privileges

By using the Invoke - Add Current User to Temporary Administrators - Windows as an offer, you can temporarily grant users administrative rights in a self-service model.

Automatically remove expired administrative privileges

Use Invoke - Remove Expired Users from Temporary Administrators - Windows as a policy action to always remove expired users from the administrators group.

This should be actioned to run an unlimited number of times with no delay.

Authorized Requestors

Using "Authorized Requestors"

Authorized Requestors is a way to limit who can request Temporary Administrator access on an endpoint. The idea is that instead of allowing anyone to request access anywhere, you can designate "Authorized Requestors" on individual endpoints and only those users can request administrative rights on the workstation.

To do this simply use the Invoke - Add Current User to Authorized Requestors - Windows Fixlet combined with the Invoke - Add Current Authorized Requestor to Temporary Administrators - Windows as an offer! This combination allows you to selectively provide temporary administrative rights to users.

Convert "Current Administrators" to "Authorized Requestors"

Where the Authorized Requestor model becomes very powerful is when combined with Invoke - Add Permanent Administrators to Authorized Requestors - Windows and Invoke - Convert Permanent Administrators who are Authorized Requestors to Temporary Administrators - Windows.

The idea here is to convert current administrators to authorized requestors, remove their permanent administrator access and replace it with a timed temporary administrative access (up to 5 days). This allows you to convert permanent administartors to temporary administrators!

Special Use Cases

Reverting Help Desk granted Administrators

One of the most effective ways to use temporary administrator content is to just convert permanent administrators to temporary administrators using: Invoke - Convert Permanent Administrators to Temporary Administrators - Windows. This allows help desk and other staff to give out Administrative Rights and have them automatically revoked after a certain amount of time. This is particularly useful when deploying new computers.

Virtualization

Hyper-V Guest and Host

VMWare ESXi

Support

If you're having issues with the content feel free to create issues in the Github Repository for this site or contact me on the BigFix forum.

Contributing

Feel free to make a pull request with any changes or fixes to the content in this site.