Apr 23, 2021 Navpreet Kundal

Part 3: A comparison of Configuration Management tools’ remediation

Managing an estate of devices on the network has always been a challenge for infrastructure administrators. In today’s world, we deal with real threats from bad actors, a multitude of ever-changing devices, and complex remote work scenarios driven by Covid-19. Are the traditional tools like Microsoft’s Group Policy, Endpoint Manager, and PowerShell enough to manage a modern workforce?

This is the second in a series of blogs based on TriCon Elite Consulting’s recent review of the following Configuration Management tools:

  1. Group Policy
  2. PowerShell DSC/Azure Automation
  3. Endpoint Management Compliance MGR
  4. 1E Tachyon Guaranteed State

Our first blog examined TriCon Elite’s analysis of these vendors’ policy engines, and the second instalment explored these Configuration Management tools’ delivery of custom scripts. This week we consider the four tools’ remediation capabilities and effectiveness in relation to:

  • Remediation Time
  • Remediation Rules
  • Detection
  • Reporting
  • Configuration
  • Cross-Platform Support

To assess the ability of each solution to remediate states of non-compliance, TriCon evaluated the following actions: remediating an issue that requires a settings change, both on a trigger and on a recurring schedule, and remediating an issue that requires script execution, again both on a trigger and on a recurring schedule.

Overview

On the whole, Group Policy did not receive any points in this section, as TriCon found it is designed more for prevention than remediation, and does not include the detect-and-resolve logic built into the other solutions. Microsoft Endpoint Manager appears to focus on automating the resolution of configuration drift across a large group of machines over longer periods, as opposed to micro-managing device compliance settings. PowerShell DSC proved to be versatile at performing immediate checks and remediations, providing a “good enough” solution to address many compliance-related needs. Finally, Tachyon Guaranteed State proved to be the most successful in the ‘Remediation’ category, primarily due to its ability to instantly detect and remediate compliance issues. The ability to leverage Configuration Manager reporting or SQL Report Builder to create exportable reports from Guaranteed State, or PDF-style reports with charts and data, would also be a welcome addition.


Remediation Time

TriCon’s verdict: 1E Tachyon Guaranteed State scored the highest in this category: its local policy engine, coupled with sub-millisecond speeds for new requests, makes Guaranteed State the fastest product evaluated in this publication. Azure and PowerShell ranked second highest, with their versatility to perform remediations immediately moving them ahead of the other Microsoft products. Group Policy scored the lowest in this area. The report notes that Group Policy’s reliance on SYSVOL replication to update both policy assignments and script deployment prevents the tool from being used for rapid remediation of critical issues.

Remediation Rules

TriCon’s verdict: Guaranteed State and PowerShell DSC/Azure Automation proved to be equally effective with regard to rules. Tachyon Guaranteed State remediates non-compliance based on the Fix Fragment included in the policy. When a state of non-compliance is detected, the agent immediately triggers the fix without relying on an instruction from the Tachyon Servers. For PowerShell and Azure, each configuration resource has an Ensure property with two values: Present or Absent. If you want to ensure a Windows Feature is installed, you use Present. If you want to ensure a Windows Feature is removed if found, you use Absent.
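As an added example (not taken from the TriCon report or from any vendor’s documentation), the following PowerShell DSC configuration shows the Ensure property used both ways, together with the two remediation types TriCon evaluated: a settings change (a Registry resource) and a script execution (a Script resource with its own detect and fix logic). The node name, the feature names, the registry key and the firewall check are illustrative choices, not values from the page.

```powershell
# Added example: a DSC configuration using Ensure = Present / Absent,
# plus a settings-change and a script-based remediation.
# Feature names, registry key and firewall check are assumptions for illustration.
Configuration ServerBaseline {
    param(
        [string[]]$NodeName = 'localhost'   # assumption: push to the local node
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {

        # Ensure = 'Present': install the feature if it is missing.
        WindowsFeature WebServer {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Ensure = 'Absent': remove the feature if it is found.
        WindowsFeature SmbV1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Settings-change remediation: the Registry resource detects drift
        # in the value and writes it back on every consistency pass.
        Registry DisableSmb1Protocol {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Script-execution remediation: TestScript is the detection,
        # SetScript is the fix, GetScript reports the current state.
        Script DomainFirewallEnabled {
            GetScript  = {
                @{ Result = [string](Get-NetFirewallProfile -Profile Domain).Enabled }
            }
            TestScript = {
                (Get-NetFirewallProfile -Profile Domain).Enabled -eq 'True'
            }
            SetScript  = {
                Set-NetFirewallProfile -Profile Domain -Enabled True
            }
        }
    }
}

# Compile the MOF documents into .\ServerBaseline and push them to the node.
ServerBaseline -OutputPath .\ServerBaseline
Start-DscConfiguration -Path .\ServerBaseline -Wait -Verbose
```

Each resource carries its own detect-and-resolve pair: the built-in resources implement Test and Set internally, while the Script resource makes the same split explicit. Whether a detected drift is only reported or actually corrected on later passes depends on the Local Configuration Manager’s ConfigurationMode, not on the configuration itself.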

Detection

TriCon’s verdict: Overall, PowerShell DSC/Azure Automation and Endpoint Manager fell in the middle in this area. For PowerShell and Azure, the default interval is 30 mins, so if left unchanged, a target would remediate itself within a 30 min window. A manual retrigger of the policy can be configured on the target by running Update-DscConfiguration. With Endpoint Manager, the overall feedback is that the 7-day default compliance evaluation schedule is not designed to provide immediate remediation of a device’s non-compliance. Notably, Group Policy does not offer detection-based triggers and relies solely on remediation timers to enforce the policy. Guaranteed State received full points for ‘Detection’, with TriCon pleased with its instant detection ability.
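To show where the DSC detection interval and the manual retrigger actually live, here is an added example (not from the TriCon report) of a Local Configuration Manager meta-configuration that sets the consistency-check frequency and switches the node to auto-correct, followed by the commands used to inspect compliance and force a pass without waiting for the timer. The 30-minute value mirrors the default interval quoted above; the node name is an assumption.

```powershell
# Added example: LCM meta-configuration controlling how often DSC re-checks
# the node and whether detected drift is corrected or only reported.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node localhost {                      # assumption: configure the local node
        Settings {
            RefreshMode                    = 'Push'
            # 'ApplyAndMonitor' would only log drift; 'ApplyAndAutoCorrect'
            # re-applies the configuration when Test returns false.
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            # Consistency check interval (minutes). 30 matches the default
            # remediation window cited above.
            ConfigurationModeFrequencyMins = 30
            RefreshFrequencyMins           = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile the meta MOF and apply it to the LCM.
LcmAutoCorrect -OutputPath .\LcmAutoCorrect
Set-DscLocalConfigurationManager -Path .\LcmAutoCorrect -Verbose

# Confirm the effective mode and interval.
Get-DscLocalConfigurationManager |
    Select-Object ConfigurationMode, ConfigurationModeFrequencyMins, RefreshFrequencyMins

# Detection on demand: per-resource pass/fail for the current configuration.
Test-DscConfiguration -Detailed

# Remediation on demand: retrigger the policy instead of waiting up to 30 minutes.
Update-DscConfiguration -Wait -Verbose

# Alternative that re-applies the configuration already on the node.
Start-DscConfiguration -UseExisting -Wait -Verbose
```

The practical point for defenders is that the interval and the mode are node-local settings: a configuration that looks correct in source control still remediates nothing if the LCM is left in ApplyAndMonitor, and the 30-minute window is the floor for unattended correction unless something on the node calls Update-DscConfiguration sooner.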

Reporting

TriCon’s verdict: Whilst scoring highly in other areas, Tachyon Guaranteed State’s export capabilities were found to be limited when it comes to reporting, with no ability to create PDF reports, although statistics and metrics are available in the system. PowerShell DSC/Azure Automation and Endpoint Manager tied in this area. TriCon found that for PowerShell and Azure, reports must be custom-written or manipulated in Excel to reach a presentable format. With Endpoint Manager, they found it can take several weeks for accurate and complete reporting data to be available for consumption.

Configuration

TriCon’s verdict: PowerShell and Azure took the lead in this area, though they were closely followed by Guaranteed State. In Guaranteed State, remediations are configured by creating Fix Fragments, which are authored in TIMS and instruct the agent how to return a device to compliance. TriCon scored Group Policy and Endpoint Manager equally here, finding that with some creative policy management Group Policy can be used to force adherence to a specific configuration, while remediation actions are sometimes difficult with Endpoint Manager.

Cross-Platform Support

TriCon’s verdict: In this final category, TriCon gave all four solutions a low score. However, Tachyon Guaranteed State ranks highest of the four, as analysis showed that fix rules – like Check rules – can be written to support multiple platforms. But due to the OS-specific granularity required to implement some remediations, they are often separated, and Guaranteed State policies for multiple individual platforms are common.

How Tachyon Guaranteed State ranked in the Remediation category

Remediation

Based on their evaluation, TriCon determined that Tachyon Guaranteed State was the strongest contender in the ‘Remediation’ category. While the traditional systems provide a very capable solution for managing your device environment, they are inefficient at remediating device compliance at a time when vulnerabilities are exploited faster than they can be patched.


You can read the full comparison report and learn how the vendors stack up for other evaluation criteria, here. To learn more, be sure to check out Part 1 and Part 2!