Purpose:
You wish to show which machines have a particular service, the status of that service, and the Startup Type of that service.
For this example, we want to know which machines have the Windows Defender service and which do not (and should have), the status of that service, and the Startup Type of that service.
Note: The information is only as good as that provided by the last scan, not when the collection is accessed. For up to date information, a scan should manually be performed before accessing the collection information.
Resolution:
Because the drill down option is used in this process, it is important to understand what drill down is and (more importantly) what it is not. For a review of Drill Down, please see http://www.adminarsenal.com/admin-arsenal-blog/drill-down-collections-in-pdq-inventory-what-they-are-and-arent/
The steps:
- Create a Dynamic Collection. This will be the parent collection (either all machines or a subset of your machines meeting specific criteria).
- From the parent collection, we drill down to check for the presence of a service and, separately, for the absence of that service
- We drill down from the parent collection to see whether the service is running or stopped
- We drill down from the parent collection to determine the Startup Type of the service
Create the parent collection:
In this example there are machines that have ESET (a popular antivirus solution) installed and machines that do not. Since ESET does not play nicely with Windows Defender, all machines that have ESET should not have Windows Defender (following best practices). Likewise, if a machine does not have ESET, it should have Windows Defender.
The above will list all machines without ESET, and by implication, all machines that should have Windows Defender.
Create the child collections:
1. Check for Machines that do not have Windows Defender
Like above, but change the Group Filter and Comparison so that the collection matches machines that have no service with a name equal to WinDefend.
Notice the use of the drill down option. This means Inventory is checking the filter of this collection against only those machines in the parent collection. For this example, it means that of all the machines that do not have ESET, show those machines that do not have the WinDefend service.
2. Check for Machines that have Windows Defender
Of those machines that do not have ESET, the rest should have Windows Defender. If they do not, they will show in the preceding collection. This child collection checks for machines that have the WinDefend service.
From the two examples above, it is known which machines have the Windows Defender service and those that do not. We can then correct any absence of Windows Defender until all machines that do not have ESET are listed in the “Has Windows Defender Service” collection.
3. Next, create a collection to show the service Status as Running
Technically, we don’t need the “Drill down from parent collection” option since it is already known which machines have Windows Defender and which do not. It is included here in case a change is made to the filters that might widen the inclusion of machines outside the scope of requiring the existence of the WinDefend service.
4. Create a collection to show the service Status as Stopped
Again, it is not a requirement to include the drill down option.
You could also use a filter that evaluates the state of the service as Equals | Stopped
5. Check for Automatic Startup Type
Here, as above, the filter matches any machine that has the WinDefend service with a Startup Type of Automatic. Again, the drill down option isn’t necessary here, but is a convenience in case we change the filter to be more inclusive.
6. Check for Manual Startup Type
7. Check for Disabled Startup Type
8. Once all the dynamic collections have been created and nested properly, your Collection Tree should look similar to this:
As you can see from the member counts shown above, there is much the administrator needs to do to improve the endpoint security of the organization.
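The collection tree built in the steps above, modelled as an added example (not PDQ Inventory's own code or data): the machine names, applications and service fields are a constructed snapshot, and the `members` function stands in for a dynamic collection's filter, with its `scope` argument playing the role of the "Drill down from parent collection" option. The last function shows what the same "no WinDefend" filter returns without drill down.

```python
from typing import Any, Callable, Dict, List
Machine = Dict[str, Any]
# Constructed inventory snapshot (not real scan data): installed applications
# and services as name -> (Status, Startup Type), as a PDQ scan would record.
INVENTORY: List[Machine] = [
    {"name": "WS01", "apps": ["ESET Endpoint Security"], "services": {}},
    {"name": "WS02", "apps": ["7-Zip"], "services": {"WinDefend": ("Running", "Automatic")}},
    {"name": "WS03", "apps": ["7-Zip"], "services": {}},
    {"name": "WS04", "apps": [], "services": {"WinDefend": ("Stopped", "Manual")}},
    {"name": "WS05", "apps": [], "services": {"WinDefend": ("Stopped", "Disabled")}},
]

def members(scope: List[Machine], keep: Callable[[Machine], bool]) -> List[Machine]:
    """A dynamic collection: the machines in `scope` that match the filter.
    Passing a parent's members as `scope` is what 'Drill down from parent
    collection' does; passing the whole inventory is the non-drill-down case."""
    return [m for m in scope if keep(m)]

def has_eset(m: Machine) -> bool:
    return any("ESET" in app for app in m["apps"])

def has_windefend(m: Machine) -> bool:
    return "WinDefend" in m["services"]

def windefend(m: Machine, field: int) -> Any:
    """field 0 = Status, field 1 = Startup Type; None if the service is absent."""
    return m["services"].get("WinDefend", (None, None))[field]

def build_tree(inventory: List[Machine]) -> Dict[str, List[str]]:
    """Rebuild the article's collection tree. Parent: machines without ESET,
    which by policy must have Windows Defender. Every child drills down."""
    parent = members(inventory, lambda m: not has_eset(m))
    has_wd = members(parent, has_windefend)
    tree = {
        "No ESET (parent)": parent,
        "No Windows Defender Service": members(parent, lambda m: not has_windefend(m)),
        "Has Windows Defender Service": has_wd,
        "WinDefend Running": members(has_wd, lambda m: windefend(m, 0) == "Running"),
        "WinDefend Stopped": members(has_wd, lambda m: windefend(m, 0) == "Stopped"),
        "Startup Automatic": members(has_wd, lambda m: windefend(m, 1) == "Automatic"),
        "Startup Manual": members(has_wd, lambda m: windefend(m, 1) == "Manual"),
        "Startup Disabled": members(has_wd, lambda m: windefend(m, 1) == "Disabled"),
    }
    return {title: sorted(m["name"] for m in ms) for title, ms in tree.items()}

def no_windefend_without_drill_down(inventory: List[Machine]) -> List[str]:
    """The same 'no WinDefend' filter run against all machines instead of the
    parent: it also flags the ESET machine, which by policy must not have Defender."""
    return sorted(m["name"] for m in members(inventory, lambda m: not has_windefend(m)))
```

In this snapshot the drilled-down "No Windows Defender Service" collection contains only WS03, while the non-drilled-down version also lists WS01, an ESET machine that is correctly configured.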
See Also:
Drill Down Collections in PDQ Inventory: What They Are and Aren’t