The CheckYourLogs MVP team recently completed a project where we evaluated four enterprise products that can enforce the configuration on a managed device. Although the products are all able to implement configuration changes on a device, the methods of detection, remediation, and reporting greatly differ between Active Directory Group Policy, PowerShell Desired State Configuration, Microsoft Endpoint Manager – Configuration Manager Compliance Settings, and 1E Tachyon Guaranteed State.

To complete this evaluation, we not only examined how each product was able to detect and remediate compliance issues, but also weighed the experience for both the end user and administrator. As each product performs core changes differently, we had to dig into the Policy Engine of each and determine exactly how configurations are applied on the devices.

For administrators of an enterprise support platform, the tooling, or the method of creating and applying policies, is extremely important. The most advanced product in the world has little value if it cannot be utilized and customized for individual organizations, so it was important to highlight both the interface used to configure each product and the accessibility of add-ons, custom scripts, and support as we make the most of these products.

[Image: The Group Policy Management Console]

Products require some level of implementation and configuration, and endpoints need to be told that the product is an approved source for content. This is often in the form of a device agent, software product, or connector. How fast and easy they are to implement must also be considered. For each of the products, we investigate what’s required from the environment before device compliance can be considered.

[Image: Using IntelliSense to create a Desired State Configuration policy in PowerShell ISE]

The pandemic forced a lot of organizations to waive device standards and manage a large variety of devices. The ability for a product to ensure organizational compliance on a device, regardless of manufacturer, model, architecture, or age, has never been more important. It’s why we took a step out of our comfort zone and looked at how each of these products fared with managing non-Windows devices. We were pleasantly surprised to learn how much Microsoft has also embraced devices that wouldn’t typically be expected in a Microsoft-managed enterprise, and despite the age of Group Policy, it can still hold its own in the ring with more modern tools.

[Image: Creating a Compliance Setting using Microsoft Endpoint Manager – Configuration Manager]

The core competency of Group Policy, PowerShell DSC, Compliance Settings and Guaranteed State is device compliance: the ability to detect instances of non-compliance, then issue remediation after a certain duration. How each of these products performs this action is very different and derives from its main purpose. The important aspects revolve around ease of configuration and the ability to maintain device compliance, but which of these two is the most important? To answer this, we graded each evaluated feature on a flat scale, based on the results of our testing, and compared each product on a section-by-section basis.

[Image: 1E Tachyon Guaranteed State’s Remediation node]

In the world of Windows management, device non-compliance has always been synonymous with configuration drift. We’ve become accustomed to the operational delays of systems management, and our benchmark is ensuring that reporting data is current enough to be accepted by management. With the global increase in zero-day threats and mutating viruses, non-compliance becomes a security threat that requires immediate action.

Our evaluation of these solutions looked at areas of operational importance and how they could serve our needs in an increasingly mobile workplace. The enforcement of compliant configurations does not come with an industry standard, as cases of non-compliance are not created equal. Consequently, organizations have different requirements around the features and operations that these products provide, as well as the response time of endpoint devices. Our goal was to capture the functionality of these products in broad use cases that cover the most common scenarios.

While traditional systems provide a very capable solution for managing your device environment, these pull-based, inventory-based products are vastly inefficient at remediating device compliance at a time when vulnerabilities are exploited faster than they can be patched.

The harsh reality is, if we’re going to be responsible for endpoint compliance and security in a connected world, we need a product in the environment as fast and light as Tachyon. While it doesn’t completely replace the operational products we’ve worked with for years, it fills a critical gap as systems management and security management become more intertwined.

Download your free copy of Enforcing Compliant Configurations from Leanpub today.