Nomad Client Health DEX Pack
DEX Pack used to create the Nomad Client Health instruction set and Nomad Client Health policy.
Nomad is included as part of the 1E Client, and as part of that integration, we offer a Nomad client health compliance policy in Endpoint Automation. This verifies common Nomad requirements such as ACP registration, disk availability, firewall exceptions, crash notifications and cache monitoring.
The Nomad client health policy replaces the client health tile in the Nomad dashboard and adds remediation steps:
- Keeps content distribution services up and running on Nomad clients, so that users are secure and productive.
- Ensures Alternative Content Provider (ACP) registration configuration is set.
- Maintains optimal disk availability and monitors cache size for storage capacity planning.
- Enforces Firewall exceptions.
This policy is intended for deployment to Windows devices only.
Instructions
The following table shows the instructions included in the Integrated Product Pack. Unless already uploaded, the following instructions are added to an Instruction set named: Nomad Client Health.
Readable Payload | Type | Description | Name | Version |
---|---|---|---|---|
P2P election weight vs criticality | Question | Returns the Nomad peer-to-peer election weight and the criticality of the device. This instruction is useful if you use - and want to correlate - the Nomad feature Sensitive server weighting and the 1E Platform feature Using Device Criticality. The P2PElectionWeight registry entry does not exist unless it is explicitly set - for example by a Configuration Manager baseline or Tachyon instruction. If the registry entry does not exist, the response will be Not set. Similarly, the default criticality value assigned to a device is Undefined. The following is an extract from Election weighting in Download once to branch: Nomad performs automatic weighting depending on its situation, according to the criteria listed below, and stores the value in memory (not registry). The higher the value, the greater the probability of winning the election. If necessary, you can use the P2PElectionWeight registry setting to increase or decrease a Nomad client's probability of being elected a master. The range for this registry value must be between 0 and 99 inclusive. If not set, Nomad uses the values listed above. To take effect after setting the registry value, the client service must be restarted. This method is not recommended because Nomad is already quite efficient in the way it elects a master and needs very little intervention in this process. However, you may want to reduce the chance of computers with low processing power, or prevent critical servers, becoming a master. You should also consider the following points before you influence the weighting: Setting to 0 is a special case called Sensitive server weighting designed for use on critical servers. The 0 value prevents Nomad from acting as master, and devices with this value will not respond to election requests. | 1E-Explorer-NomadClientHealth-ElectionWeightVsCriticality | 3 |
Policies
Before deploying the Nomad Health Policy you need to be familiar with its contents and comfortable that you want to apply it to the devices in your network.
- By default, automated fixes in the Policies provided by 1E are not enabled, which means you have to specifically enable the ones you want to use before they can take effect.
- A new or updated Policy should first be verified by deploying it to a Management Group containing a small number of devices, reviewing the Endpoint Automation reports, and confirming the checks and enabled fixes are working as expected. When you are comfortable with the results you can then deploy to larger Management Groups.
- Review the following specific considerations before verifying and deploying.
Rule | Considerations |
---|---|
Check rule: Ensure Nomad does not have its content indexed by ConfigMgr software inventory checks | Disable this check rule if the Nomad cache location has been changed from the default C:\ProgramData\1E\NomadBranch. The corresponding fix rule is disabled by default. |
Deploying
- Target the Policy at separate Management Groups for Distribution Points and Nomad clients, containing only Windows devices.
- If you have deployed your Nomad clients with different baseline settings then consider creating different Management Groups for them, so that it will be easier to identify the potential differences in compliance. Target all clients to begin with and then target different groups as required.
- This policy is intended for deployment to Windows devices only, so in a cross-platform estate it is advisable to deploy this policy to a Management Group that is scoped to Windows devices. If you do target non-Windows devices then preconditions for the rules ensure those devices are unaffected and rules are reported as Not Applicable.
The following table shows the policies included in the Nomad Client Health Integrated Product Pack:
Name | Description |
---|---|
Nomad Client Health | The Nomad Client Health policy ensures that the health of the Nomad client is compliant with a reference baseline. |
Rules
The following table shows the rules included in the Nomad Client Health Integrated Product Pack:
Any parameter values shown in the table below are specifically set in the rules when the pack is uploaded. These may be different from the default values shown in the Fragments and Trigger templates tables. You can modify these if required.
Name | Type | Description | Check and Fix fragments | Triggers | Precondition fragment |
---|---|---|---|---|---|
Check Nomad ActiveEfficiency connectivity status | Check | Checks the Nomad agent connectivity to ActiveEfficiency. | 1E-GuaranteedState-Nomad-Check-AEConnectivity | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad can communicate through the Windows Firewall | Check | Check that there are Windows Firewall program exceptions for Nomad and its related executables. | 1E-GuaranteedState-Nomad-Check-FirewallExceptions | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad can communicate through the Windows Firewall | Fix | Ensures there are Windows Firewall program exceptions for Nomad and its related executables. | 1E-GuaranteedState-Nomad-Check-FirewallExceptions, 1E-GuaranteedState-Nomad-Fix-FirewallExceptions | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad can generate LSZ files on ConfigMgr distribution points | Check | Check that LSZ generation is enabled on ConfigMgr distribution points. | 1E-GuaranteedState-Nomad-Check-DpLszEnabled | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad can hash content | Check | Checks Nomad content hashing is enabled. | 1E-GuaranteedState-Nomad-Check-HashingEnabled | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad crash dumps status | Check | Checks whether Nomad has generated any crash dump in the last seven days. | 1E-GuaranteedState-Nomad-Check-CrashDumps | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad does not have its content indexed by ConfigMgr software inventory checks | Check | Checks whether skpswi.dat exists in the Nomad cache directory. | 1E-GuaranteedState-Nomad-Check-SkpSwiDat | Warning: Do NOT use this Check if you have changed your cache location. | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad does not have its content indexed by ConfigMgr software inventory checks | Fix | Ensures that skpswi.dat exists in the Nomad cache directory. | 1E-GuaranteedState-Nomad-Check-SkpSwiDat, 1E-GuaranteedState-Nomad-Fix-SkpSwiDat | Warning: Do NOT use this Fix if you have changed your cache location. | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad has a virtual directory on ConfigMgr distribution points to perform LSZ generation | Check | Check that an LSZFILES virtual directory has been created on a ConfigMgr distribution point. | 1E-GuaranteedState-Nomad-Check-DpLszVirtualDirectory | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad has a virtual directory on ConfigMgr distribution points to perform LSZ generation | Fix | Ensure that an LSZFILES virtual directory has been created on a ConfigMgr distribution point. | 1E-GuaranteedState-Nomad-Check-DpLszVirtualDirectory, 1E-GuaranteedState-Nomad-Fix-DpLszVirtualDirectory | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad has sufficient disk space to download content | Check | Check the drive that Nomad is using for content download has sufficient disk space. | 1E-GuaranteedState-Nomad-Check-DiskAvailablility | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad is not using the Windows temp directory for caching | Check | Checks that Nomad is not configured to use the Windows temporary directory for caching. | 1E-GuaranteedState-Nomad-Check-CacheInTemp | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad is registered as an Alternate Content Provider with ConfigMgr | Check | Check that Nomad is correctly registered as an Alternate Content Provider with ConfigMgr. | 1E-GuaranteedState-Nomad-Check-AlternateContentProvider | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad is registered as an Alternate Content Provider with ConfigMgr | Fix | Ensure Nomad is registered as an Alternate Content Provider with ConfigMgr, registering it if necessary. | 1E-GuaranteedState-Nomad-Check-AlternateContentProvider, 1E-GuaranteedState-Nomad-Fix-AlternateContentProvider | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad run status | Check | Checks that the Nomad service is running. | 1E-GuaranteedState-Nomad-Check-StartService | TriggerTemplate-ServiceStatusChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad is running | Fix | Ensure the Nomad service is running, starting the service if required. | 1E-GuaranteedState-Nomad-Check-StartService, 1E-GuaranteedState-Nomad-Fix-StartService | TriggerTemplate-ServiceStatusChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad variant status | Check | Checks whether the running Nomad service was one supplied with the 1E Client. | 1E-GuaranteedState-Nomad-Check-Variant | TriggerTemplate-ServiceStatusChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad's share directory is accessible | Check | Check whether Nomad needs a share, and if it does that it would be accessible to other devices. | 1E-GuaranteedState-Nomad-Check-Share | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad's share directory is accessible | Fix | Ensures that Nomad's share is accessible if it is configured to require a share. | 1E-GuaranteedState-Nomad-Check-Share, 1E-GuaranteedState-Nomad-Fix-Share | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Check Nomad's share is accessible by specific accounts | Check | Checks that the correct accounts are able to access Nomad's share. | 1E-GuaranteedState-Nomad-Check-ShareAccount | TriggerTemplate-WindowsRegistryChange | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Ensure Nomad's share is accessible by specific accounts | Fix | Ensures that the correct accounts are able to access Nomad's share. | 1E-GuaranteedState-Nomad-Check-ShareAccount, 1E-GuaranteedState-Nomad-Fix-ShareAccount | | 1E-GuaranteedState-Nomad-PreCondition-MultiTests |
Fragments
The following table shows the fragments included in the Nomad Client Health Integrated Product Pack:
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these fragments, unless you select alternative values.
Name | Type | Readable Payload and summary | Parameters |
---|---|---|---|
 | Precondition | Check if standard conditions apply for Nomad plus optionally: is a ConfigMgr DP (<sccmDp>); has a ConfigMgr client (<hasCmClient>); SMB sharing is enabled (<smbEnabled>). The precondition passes for all of the following standard tests: The precondition also tests for each of the following if it is enabled by changing its parameter from 0 to 1: If smbEnabled test is set in the rule precondition then an additional test is made to see if the device is a Domain Controller (DC). When installed on a DC Nomad must use its computer account instead of SMSNomadP2P& in order to share its cache. This requires registry value For early adopters, the readable payload of this precondition was: Carries out the specified checks; if any fail (i.e. they are logically AND-ed) then the precondition fails. | Range 0 or 1, defaults=0 |
 | Check | Check whether there is a working connection to ActiveEfficiency. Tests whether the URL given by registry value | None |
 | Check | Check whether Nomad is correctly registered within Microsoft ConfigMgr. Check that the ConfigMgr client's list of ACPs includes an object for Nomad in WMI class | None |
 | Fix | Ensures Nomad is correctly registered within Microsoft ConfigMgr. If the same checks as 1E-GuaranteedState-Nomad-Check-AlternateContentProvider are not satisfied, restarts the | None |
 | Check | Check whether Nomad's cache is not in a temporary directory. The Nomad cache can sometimes be configured to be in the Windows The check examines Nomad's | None |
 | Check | Check whether there have been any crashdump files created by Nomad in last 7 days. Nomad dump files are saved in the same directory as the log file, the parent directory of the | None |
 | Check | Checks whether there is sufficient disk space for Nomad. This examines Nomad's | None |
 | Check | Check whether web LSZ generation is correctly configured on standalone distribution points. Nomad automatically sets up LSZ file generation on DPs that are ConfigMgr site servers, but extra configuration is required for standalone DPs. The device is a standalone DP if, under registry key | None |
 | Check | Check whether the LSZ directory is correctly configured on distribution points. At time of writing there is a bug such that the overall check status is usually "Passed" even when individually reported checks fail. If the device is a standalone DP, the check first verifies that registry value | None |
 | Fix | Ensure that the LSZ directory is correctly configured on distribution points. At time of writing there is a bug such that the overall check status is usually "Passed" even when individually reported checks fail. If any of the conditions described above for the corresponding check fragment is not true, the LSZFILES website is reconfigured to set that condition. | None |
 | Check | Checks whether firewall exceptions exist for Nomad. First is a check that at least one Windows firewall profile is enabled and that the firewall itself is enabled with either Otherwise, the Nomad-related firewall rules are examined. These are the rules named: Using the Rules for | None |
 | Fix | Ensures the required firewall exceptions exist for Nomad. This carries out all the checks as described above for 1E-GuaranteedState-Nomad-Check-FirewallExceptions then, for each absent or incorrectly configured rule that is required to support the | None |
 | Check | Check whether hashing is enabled in Nomad. This examines the | None |
 | Check | Checks whether the Nomad share is available. This first checks the firewall settings. If the firewall is enabled then " The share's properties are then verified as follows: These additional checks are not carried out if the host is a server or a custom share is involved: The | None |
 | Fix | Ensures the Nomad share is available. This carries out the checks as in 1E-GuaranteedState-Nomad-Check-Share above, then if any of them fails it restarts the | None |
 | Check | Checks whether the Nomad share account is correctly configured. If the machine account is used rather than the default " A WMI | None |
 | Fix | Ensures the Nomad share account is correctly configured. If the checks as described above for 1E-GuaranteedState-Nomad-Check-ShareAccount do not pass, the | None |
 | Check | Check whether skpswi.dat exists on disk. A Such a file must exist in the directory named by the | None |
 | Fix | Ensure skpswi.dat exists on disk. If the directory named by the | None |
 | Check | Checks that Nomad is running. The | None |
 | Fix | Ensures that Nomad is running. If the | None |
 | Check | Check whether the correct variant of Nomad (that supplied with the 1E Client, not standalone Nomad) is used for the service. This verifies that the parent directory of the executable that the Service Control Manager uses to run the | None |
Trigger templates
The following table shows the trigger templates included in the Nomad Client Health Integrated Product Pack.
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these templates, unless you select alternative values.
Name | Readable Payload and summary | Parameters |
---|---|---|
 | On change of file "<fileName>". When a file changes (Windows only) | File Name |
 | Every <intervalHours> hours. Periodic (hours) | Interval Hours |
 | Every <intervalMinutes> minutes. Periodic (minutes) | Interval Minutes |
 | Every <intervalSeconds> seconds. Periodic (seconds) | Interval Seconds |
 | On change of running state of the "<serviceName>" service. When the state of the named Windows service changes. Note: You can determine the short name of a service using the PowerShell cmdlet This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter. | Service Name |
 | On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>). When the value of a Windows registry key changes. | Hive, which must be one of: Subkey: free text string, default empty. Include Sub Keys: 1/0 default 0. |