C3 Inventory provides expansive inventory capabilities for organizations looking to inventory and assess their endpoint and server environments. C3 Inventory is a C3 site; for more information on C3, please see the C3 Homepage.
Documentation on this page is organized into categories of content (Active Directory, Applications, etc). Within each category there are subcategories (Group Policy, Users and Groups, etc). Each subcategory outlines which Analyses, Fixlets, and Tasks make up that piece of functionality.
For certain content there are instructions to help you get started. Under each Analysis is a list of example properties you can gather using that analysis. Where a sentence of information appears under a property, it is there to further describe the property itself.
Every Fixlet and Analysis is a hyperlink to the content on BigFix.Me but we highly recommend setting up the BigFix.Me Sync Tool.
Basic information covering the Active Directory domain that endpoints are bound to.
This property provides recursive group membership which is especially useful for identifying devices with membership in high-privilege groups
Invoke - Active Directory Domain Join - Windows
Provides a secure mechanism to perform remote domain joins in your environment.
Advanced information covering the current Windows Group Policy applied to the Endpoint. This information is especially useful when troubleshooting Group Policy issues and essentially provides the pieces of a "Resultant Set of Policy".
Lists each applied Group Policy, what OU it's applied to and its GUID
Lists each applied setting registry path and its current value
Invoke - Reset Local Group Policy - Windows
Deletes and resets the Local Group Policy store
Users and Groups content focuses on providing information related to the current and historical users of the endpoint.
Invoke - Remove Current User from Administrators - Windows
Invoke - Remove Current User from Remote Desktop Users - Windows
The Dell Command | Configure features of C3-Inventory allow the inventorying and control of BIOS settings on Dell systems.
Dell Command | Configure - Windows
Config - Dell Command | Configure Wake on Lan - Enable - Windows
Config - Dell Command | Configure Wake on Lan - Disable - Windows
Config - Dell Command | Configure Firmware - UEFI with SecureBoot - Windows
Using Dell Command | Configure requires the following steps to be completed:
The package for Dell Command | Configure is available in the C3-Patch site as Deployment, Updating, and Removal content.
The probe Invoke - Dell Command | Configure Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).
The Dell Command | Update features of C3-Inventory enable updating system drivers as well as the BIOS of a Dell system.
Dell Command | Update - Windows
Using Dell Command | Update requires the following steps to be completed:
The package for Dell Command | Update is available in the C3-Patch site as Deployment, Updating, and Removal content.
The probe Invoke - Dell Command | Update Driver Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).
Optionally, you can perform updates using Dell Command | Update:
This will cause the Dell Command | Update agent to reach out to the internet (bypassing the relay infrastructure) to download available drivers.
NXLog is the log forwarder of choice for C3 Inventory. NXLog can be configured and deployed entirely using C3.
Config - NXLog CE Definition - Environment Variables - Windows
Config - NXLog CE Input - Application Event Log Warnings - Windows
Config - NXLog CE Input - Applocker AppX Event Log - Windows
Config - NXLog CE Input - Applocker AppX Event Log Warnings - Windows
Config - NXLog CE Input - Applocker EXE and DLL Event Log - Windows
Config - NXLog CE Input - Applocker EXE and DLL Event Log Warnings - Windows
Config - NXLog CE Input - Applocker MSI and Script Event Log - Windows
Config - NXLog CE Input - Applocker MSI and Script Event Log Warnings - Windows
Config - NXLog CE Input - Microsoft Office Alerts Event Log - Windows
Config - NXLog CE Input - Security Event Log Reduced - Windows
Config - NXLog CE Input - System Event Log Warnings - Windows
Using NXLog requires the following steps to be completed:
The package for NXLog is available in the C3-Patch site as Deployment, Updating, and Removal content.
If you are forwarding to Graylog choose only this one
If you are forwarding to Syslog choose only this one
Your baseline should be actioned to run an unlimited number of times with a delay of however long you find the age of the configuration to be acceptable (typically once a day is fine).
The Service Monitor features of C3-Inventory enable operators to monitor and remediate critical service failures on their servers and endpoints.
Config - Service Monitor - Active Directory Certificate Authority - Windows
Config - Service Monitor - Active Directory Federation Services - Windows
Config - Service Monitor - Microsoft Hyper-V Guest Services - Windows
Config - Service Monitor - Microsoft Hyper-V Host Services - Windows
Config - Service Monitor - Microsoft Skype for Business Services - Windows
Config - Service Monitor - Microsoft Windows Basic Services - Windows
Config - Service Monitor - Microsoft Windows DHCP Server - Windows
Config - Service Monitor - Microsoft Windows DNS Server - Windows
Config - Service Monitor - Set Audit Delay to 10 Minutes - Windows
Config - Service Monitor - Set Audit Delay to 15 Minutes - Windows
Config - Service Monitor - Set Audit Delay to 5 Minutes - Windows
Config - Service Monitor - Set Remediation Delay to 10 Minutes - Windows
Config - Service Monitor - Set Remediation Delay to 15 Minutes - Windows
Config - Service Monitor - Set Remediation Delay to 5 Minutes - Windows
Using C3 Service Monitor requires the following steps to be completed:
The C3 Inventory site contains a number of Fixlets for monitoring standard services. These Fixlets have relevance that makes them applicable only on devices that have these services. Simply build a baseline with all relevant "Config - Service Monitor - *" Fixlets and apply it to your endpoints.
To report on failing services you can simply make a web report which checks for results for the property "Service Monitor - Services Failing to Start - Windows" in the Service Monitor - Windows analysis. Set this report to email whenever there is a change to the report.
You also have the option of automatically remediating failed services. You can do this using Invoke - Service Monitor Remediation - Windows. This Fixlet has the same relevance as the failing services property and will only be relevant on computers with failing services.
When this Fixlet runs it will attempt to start the service.
You should apply this as a policy action set to re-apply at whatever frequency you would like Service Monitor to attempt to start the services (typically 5-15 minutes).
To designate custom services to monitor you can simply create a client setting: "besservicemonitor-
This name should be unique for every set of services you want to monitor. The value of this new client setting should be a semi-colon separated list of services to monitor.
For instance, to monitor Microsoft EMET we could use ActionScript to create a client setting like this:
setting "besservicemonitor-microsoft-emet"="EMET_Service" on "{now}" for client
We can then use the following relevance to cause computers without this setting to become applicable:
not exists values whose (it = "EMET_Service") of settings "besservicemonitor-microsoft-emet" of client
And finally we can use the following relevance to make the fixlet only relevant on computers that have the service installed:
exists services (substrings separated by ";" of "ccmexec;ConfigMgr Wake-up Proxy")
To help simplify and automate this process we have provided a helper script, written in PowerShell, which prompts you for a friendly service group name and for the list of services and generates/imports a Fixlet.
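The following PowerShell sketch is an added example, not the C3 helper script (which this page does not show). It builds the client setting name, the ActionScript line and the two relevance expressions shown above from a friendly group name and a list of services, and rejects service names that would alter the generated text; the function and property names are hypothetical, and it only returns the strings rather than importing a Fixlet.

```powershell
# Added example; New-ServiceMonitorContent and its output property names are
# hypothetical and are not part of C3 Inventory.
function New-ServiceMonitorContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,  # friendly name, e.g. "Microsoft EMET"
        [Parameter(Mandatory)] [string[]] $Services    # service names to monitor
    )

    # Setting name = the page's prefix plus a lowercase, hyphenated slug.
    # (Assumption: the slug style is inferred from "besservicemonitor-microsoft-emet".)
    $slug = ($GroupName.ToLowerInvariant() -replace '[^a-z0-9]+', '-').Trim('-')
    if (-not $slug) { throw "Group name '$GroupName' has no usable characters." }
    $setting = "besservicemonitor-$slug"

    # Refuse characters that would change the meaning of the generated text:
    # ';' separates list entries, '"' ends the string literal, and '{' / '}'
    # delimit relevance substitution inside ActionScript.
    $clean = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $Services) {
        $name = $s.Trim()
        if (-not $name) { continue }
        if ($name -match '[;"{}]') { throw "Unsafe character in service name: $name" }
        if ($clean -notcontains $name) { $clean.Add($name) }  # drop duplicates
    }
    if ($clean.Count -eq 0) { throw 'At least one service name is required.' }
    $value = $clean -join ';'

    # The same three lines the page shows, generated from one consistent list.
    [pscustomobject]@{
        SettingName        = $setting
        ActionScript       = "setting `"$setting`"=`"$value`" on `"{now}`" for client"
        NotYetSetRelevance = "not exists values whose (it = `"$value`") of settings `"$setting`" of client"
        InstalledRelevance = "exists services (substrings separated by `";`" of `"$value`")"
    }
}

# Constructed input matching the EMET example on this page.
New-ServiceMonitorContent -GroupName 'Microsoft EMET' -Services 'EMET_Service' | Format-List
```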
There are three ways to customize service monitor:
The first two settings adjust how long after startup the Service Monitor should wait before reporting a service failure and before attempting remediation. If these settings are not set, the Service Monitor defaults to waiting for 5 minutes after system startup before reporting on service failure and before attempting remediation.
There are pre-made Fixlets in the C3 Inventory site for setting these values to 5, 10, and 15 minutes.
The final setting is a semi-colon separated list of services to ignore. This causes the service monitor to ignore the blacklisted services and not report them as failing or attempt to remediate them. This is particularly useful if you're pushing service monitor configs as global policy actions but need to exclude a specific service on just a single machine.
In addition to monitoring Services, the Process Monitor features of C3-Inventory enable operators to monitor critical process failures on their servers and endpoints.
You can also monitor processes that do not correspond to a service by activating the Analysis "Process Monitor - Windows" and configuring the processes to monitor using the prefix "besprocessmonitor-" instead of "besservicemonitor". This makes sure that individual processes are running on the system. Process Monitor only reports on a failed process; it does not have any capability for performing automatic remediation.
To help simplify and automate this process we have provided a helper script, written in PowerShell, which prompts you for a friendly process group name and for the list of processes and generates/imports a Fixlet.
The Certificate Store capabilities of C3 Inventory make auditing Certificates easier.
Using the C3 Certificate Store capabilities of C3 Inventory requires the following steps to be completed:
The probe Invoke - Certificate Store Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).
The temporary administrator features of C3-Inventory allow the provisioning and automatic removal of administrative rights for end-users using actions or offers. The feature requires the following to be successful:
Temporary Administrators - Windows
Invoke - Add Current Authorized Requestor to Remote Desktop Users - Windows
Invoke - Add Current Authorized Requestor to Temporary Administrators - Windows
Invoke - Add Current User to Authorized Requestors - Windows
Invoke - Add Current User to Temporary Administrators - Windows
Invoke - Add Permanent Administrators to Authorized Requestors - Windows
Invoke - Convert Permanent Administrators to Temporary Administrators - Windows
Invoke - Remove Current User from Authorized Requestors - Windows
Invoke - Remove Current User from Temporary Administrators - Windows
Invoke - Remove Expired Users from Authorized Requestors - Windows
Invoke - Remove Expired Users from Temporary Administrators - Windows
Using Temporary Administrative Rights requires the following steps to be completed:
Invoke - Add Current User to Temporary Administrators - Windows can be used to grant a user temporary administrative privileges.
This Fixlet has a number of actions available that determine the expiration date and time of the user's administrative rights, anywhere from 1 hour to 5 days.
By using the Invoke - Add Current User to Temporary Administrators - Windows as an offer, you can temporarily grant users administrative rights in a self-service model.
Use Invoke - Remove Expired Users from Temporary Administrators - Windows as a policy action to always remove expired users from the administrators group.
This should be actioned to run an unlimited number of times with no delay.
Authorized Requestors is a way to limit who can request Temporary Administrator access on an endpoint. The idea is that instead of allowing anyone to request access anywhere, you can designate "Authorized Requestors" on individual endpoints and only those users can request administrative rights on the workstation.
To do this simply use the Invoke - Add Current User to Authorized Requestors - Windows Fixlet combined with the Invoke - Add Current Authorized Requestor to Temporary Administrators - Windows as an offer! This combination allows you to selectively provide temporary administrative rights to users.
Where the Authorized Requestor model becomes very powerful is when combined with Invoke - Add Permanent Administrators to Authorized Requestors - Windows and Invoke - Convert Permanent Administrators who are Authorized Requestors to Temporary Administrators - Windows.
The idea here is to convert current administrators to authorized requestors, remove their permanent administrator access and replace it with a timed temporary administrative access (up to 5 days). This allows you to convert permanent administrators to temporary administrators!
One of the most effective ways to use temporary administrator content is to just convert permanent administrators to temporary administrators using: Invoke - Convert Permanent Administrators to Temporary Administrators - Windows. This allows help desk and other staff to give out Administrative Rights and have them automatically revoked after a certain amount of time. This is particularly useful when deploying new computers.
If you're having issues with the content, feel free to create issues in the GitHub Repository for this site or contact me on the BigFix forum.
Feel free to make a pull request with any changes or fixes to the content in this site.