While solving issues on Windows workstations in enterprises, you often find something unexpected on the device where the issue is first noticed. There might be a wide variety of things like:
- Too little free hard disk space
- Installed application version is not what you expect
- Some Group Policy settings are not applied
- Too many user profiles
- Too many local administrators
- Updates have not been installed
And when one device has an abnormality, you want to quickly figure out how many other devices have the same issue.
I have been using Microsoft’s Configuration Manager (ConfigMgr) for a very long time and CMPivot is one of my favorite ConfigMgr features to get answers quickly for those kinds of ad-hoc questions. You just select a suitable target collection and run a CMPivot query against it to get the answers.
My friend Ed Aldrich from 1E contacted me and asked if I would like to test how 1E’s Tachyon Explorer could handle similar tasks. I’ve seen some Tachyon demos previously and it seemed to be a very powerful tool, but I’ve never used the product before. He provided me with a Tachyon test lab and I happily did some testing with Tachyon Explorer.
What is CMPivot?
First, let’s do a quick intro to Microsoft Configuration Manager’s CMPivot. With CMPivot you create queries within the ConfigMgr admin console or use a stand-alone CMPivot app. The queries are run by the ConfigMgr client on the target devices. CMPivot queries use the simple Kusto Query Language (KQL). You can learn the basics of KQL in a couple of minutes.
CMPivot queries have the following syntax:
Entity | operator1 | operator2 | …
The keywords are separated by the “|” character. You start with some dataset from the devices (the entity) and then filter and format the results with a few keywords.
Queries can be very simple: if your query is just the entity name, you will get all attributes of the entity from your target devices.
By selecting any column, you can sort the data based on that attribute.
Here is one example to find all the devices which have less than 100 GB free disk space.
In our example, you start with the Disk entity. Then you filter the results with the where operator to show only local hard disks with less than 100 GB of free space. With project, you select which attributes are shown in the result set, and lastly the devices are ordered by the amount of free space.
There are a lot of different entities. Basically, all ConfigMgr hardware classes, including your custom hardware classes, are entities within CMPivot. Then there are some additional entities which are not based on hardware inventory. Entities that are not based on hardware inventory require target devices to be online to get any results. Some of the most used entities are:
- Administrators: Local administrators on the device
- EventLog(), WinEvent(): Event Viewer data
- File(): Files on the device
- InstalledSoftware: Installed applications
- Ipconfig: Network adapter configuration
- OperatingSystem: Info about operating system configuration
- Registry(): Data from the computer’s registry
ConfigMgr customers cannot add new entities to CMPivot (outside of creating custom hardware inventory classes). Almost every ConfigMgr Current Branch release has added some features to CMPivot. For example, you cannot check a computer’s certificates with the latest CMPivot release, and as a customer you just need to hope that Microsoft will add support for certificates in some upcoming release.
There are quite a few operators that you can use, and you can create simple charts based on the result set.
Notice that you can use the join operator to combine results from different queries. In the above examples, there are two registry-related queries, but it could be two or more different entities in the same CMPivot query.
Because the queries can get quite complex, you can save commonly used queries as favorites to quickly re-run them later.
Microsoft provides a community hub, where users can share their CMPivot queries with others.
Under the hood, CMPivot is a PowerShell script that is run on the ConfigMgr client. The exact query and the results are transmitted by ConfigMgr’s “fast channel” which means that the query results are returned fast (about 10-50 s) from the online clients.
From the result set, you can select devices and target a new CMPivot query against them. If you want to make any changes to devices, you can target a PowerShell script against the devices. But you need to have created the corrective script beforehand.
In summary, CMPivot is a very flexible way to query almost anything from ConfigMgr clients. No queries are built-in, so you need to create your own queries or download them from the community hub. And if you want to make any changes, you need to utilize some other feature like ConfigMgr scripts to do so. For more information, you should check Microsoft’s documentation about CMPivot.
1E’s Tachyon Explorer is one of the modules available on the 1E Tachyon platform. The platform has many other features like Microsoft’s Configuration Manager. In this article, we won’t cover other features. Tachyon also supports non-Windows operating systems.
Tachyon uses a web-based user interface. This means that you don’t need to install any additional software or use a Windows device to access Tachyon. Supported browsers are Google Chrome, Mozilla Firefox, and Microsoft IE11/Edge. You need to log in to the website with the right identity to get permissions to utilize Explorer.
On the home screen, you first get a basic search window.
When you start typing something into the search box, you will get a list of potential instructions to select from.
Explorer contains hundreds of built-in instructions to choose from. What’s interesting is the extensibility of the search feature: it is very likely that there is a built-in instruction for the thing you need to know. You can query files, registry, applications, services, certificates, network configuration and so on. Some instructions don’t need any parameters, but others do.
This is the first major difference between Explorer and CMPivot. There are no built-in queries in CMPivot, although you can download example queries from the community hub. The second major difference is that with Tachyon Explorer you can both run queries and make modifications if needed with the same tool.
For example, there are almost 50 instructions related to files in Tachyon Explorer. You can check the size of folders, partitions, permissions etc.
You can also make modifications such as changing file permissions, deleting files, and finding/replacing strings within files. There are a lot of powerful instructions available.
For the Windows registry, there are a lot of different instructions to choose from.
If you don’t find what you are looking for from the out-of-the-box instructions, you can always go to the Tachyon Exchange website that allows you to download additional 1E and community-created instructions. You can also request new instructions.
CMPivot is a read-only utility, but you can run PowerShell scripts against the CMPivot result set. You need to create the scripts beforehand. With Tachyon, you have built-in instructions to choose from to remediate the issue.
When you select an instruction, you will see additional details before the command is run. You can, for example, change how long Tachyon will wait for clients’ replies. In this example, Tachyon waits for 60 minutes for clients to be online.
After you run the query, the answers will show up very quickly. I’m impressed with how fast and effective 1E Tachyon’s client is when receiving answers. Tachyon Explorer returns data only from online clients. CMPivot could get data from offline clients, if the data is based on the hardware inventory.
You can filter the answers with Filter results. You can filter by all the attributes that are shown.
There are a couple of features that I’m missing from Explorer’s list views:
- You cannot show/hide different columns. Different instructions define which attributes are displayed from the target set and all those attributes are shown. Some objects might have many attributes that you are not interested in and it would be very useful to hide them from the result set. With CMPivot this is very easy by using the project operator to list the attributes you want to see.
- You cannot change the order of the columns nor sort by any column. The sorting is defined within the instruction.
Some instructions include charts, such as which Windows hotfixes are installed.
Let’s look at another example of how you can combine instructions: You want to find out the Microsoft 365 Apps (Office 365) versions and update channels on your devices. First you find all the installed software.
From the result set you filter to see only Microsoft Office 365 applications and versions.
With Follow-up question, you can ask something else from the result set. You want to find out the update channel by getting the registry value from your devices with Microsoft 365 Apps:
And you quickly get the results. On the left side of the result window, Trail view shows the queries you have run.
By combining instructions, you can easily dive deeper within your result set and get the results you want. This gives you almost unlimited options.
With CMPivot you could add both Microsoft 365 Apps version and update channel registry value to the same view. With Tachyon Explorer, the information is shown on two different views (unless you create a custom instruction).
Here is one example to check and modify computers’ local administrators. First you query which local users and groups exist.
Then the results are filtered by remote desktop users group and by specific computers.
Then you want to remove the user psaukko from the Remote Desktop Users group by selecting Follow-up action. The Follow-up action and Follow-up question features are very powerful, because with those you can easily do remediations and debug the issue more deeply.
You need to provide credentials before you can modify the devices.
And you get a message that the instruction needs to be approved.
If you run instructions that modify devices, then an authorized user must approve them before the change is run on the devices.
Then you will get a confirmation message that the instruction has been completed.
In ConfigMgr, you need to create and test the script that removes users from local groups. The admin can run any scripts they have permissions for against the authorized devices without any run-time approvals.
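The removal step described above, written as the kind of PowerShell script you would have to create and test yourself for ConfigMgr. This is an added example, not code from the article, Microsoft or 1E; the parameter names `Member` and `GroupSid` and the sample account value are assumptions.

```powershell
# Added example: remove one named account from a local group and report the outcome.
# $Member and $GroupSid are parameter names chosen for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Member,                      # full name, e.g. 'CONTOSO\psaukko' (constructed sample value)
    [string]$GroupSid = 'S-1-5-32-555'    # well-known SID of BUILTIN\Remote Desktop Users
)

$result = [ordered]@{
    Device = $env:COMPUTERNAME
    Group  = $null
    Member = $Member
    Action = 'None'
    Detail = ''
}

try {
    # Resolve the group by SID so the script also works on localized Windows builds.
    $group = Get-LocalGroup -SID $GroupSid -ErrorAction Stop
    $result.Group = $group.Name

    # Exact (case-insensitive) name match only; no wildcards in a removal script.
    # Get-LocalGroupMember can throw if the group holds an orphaned SID; that is
    # reported below as Action = 'Error' instead of being silently skipped.
    $current = Get-LocalGroupMember -Group $group -ErrorAction Stop |
        Where-Object { $_.Name -eq $Member }

    if (-not $current) {
        $result.Action = 'NotMember'      # nothing to do, safe to re-run
    }
    elseif ($PSCmdlet.ShouldProcess("$($group.Name) on $env:COMPUTERNAME", "Remove $Member")) {
        Remove-LocalGroupMember -Group $group -Member $current -ErrorAction Stop
        # Re-read the membership to confirm the change took effect.
        $still = Get-LocalGroupMember -Group $group -ErrorAction Stop |
            Where-Object { $_.Name -eq $Member }
        $result.Action = if ($still) { 'Failed' } else { 'Removed' }
    }
    else {
        $result.Action = 'WhatIf'         # run with -WhatIf: report only, change nothing
    }
}
catch {
    $result.Action = 'Error'
    $result.Detail = $_.Exception.Message
}

# One compact JSON line per device keeps the returned output easy to aggregate.
[pscustomobject]$result | ConvertTo-Json -Compress
```

Run it locally with `-WhatIf` on a test device first; the default `GroupSid` can be replaced with `S-1-5-32-544` to target the local Administrators group instead.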
There are so many different things that you can do with Tachyon Explorer. It is very easy to find expiring certificates:
Finding the version information about a specific program is easy to do:
There are many security-related instructions like:
- What scheduled tasks are configured. Aggregate by task name
- How many devices have started a process called <procName> in the last <numDays> days?
- Accounts: What credentials are in the Windows Credential Store and available for decryption
- Passwords: What device local accounts share a common password
You can easily see that there are a lot of security administrators who have utilized Tachyon Explorer.
By editing instruction’s parameters, you can do a lot of things:
- Filter results. This is very useful when the instruction might otherwise return a larger dataset
- Limit the target devices: You can limit the target devices based on many different parameters
It is possible to schedule instructions. This is very useful when you want to run the same instruction daily/weekly/monthly.
Tachyon Explorer is a very, very efficient tool to query and remediate many issues when managing Windows and other environments. The main problem with Tachyon Explorer is when you don’t find a suitable instruction for your case. Although there are a lot of instructions available built-in and from Tachyon Exchange, you may have cases where you would like to modify instructions to add some new attributes to the result set or do some other modifications to instructions.
Creating custom Tachyon instructions is closer to “real” programming than to simple scripting. There is a separate GUI application, Tachyon Instruction Management Studio (TIMS), to create and modify instructions. All instructions are signed, so you need a code signing certificate. The process is more complex than either modifying ConfigMgr’s CMPivot queries or creating ConfigMgr scripts to remediate issues.
See the following article for more information about creating custom Tachyon instructions.
Both Tachyon Explorer and ConfigMgr CMPivot/Scripts enable you to do complex queries and modifications to your devices very quickly. They have different design philosophies: CMPivot/Scripts is a simpler and more open solution for do-it-yourself guys, but you need to know KQL and PowerShell to get things done.
Tachyon Explorer is based on built-in instructions and there is an instruction available for most common tasks. Thus, you don’t need to learn any query/scripting languages to complete the tasks. You can extend Tachyon, but it requires some learning to do.
If you are responsible for managing a Windows environment, I recommend you check out 1E Tachyon. It is an impressive product that can help reduce your workload.