Trigger templates and preconditions reference

Reference for all the precondition fragments and trigger templates available in Integrated Product Packs. These can be used to create your own custom rules and policies.

Trigger templates

Name

Readable Payload and summary

Parameters

Included in

TriggerTemplate-FileChange

On change of file "<fileName>"

When a file changes (Windows only)

File Name

  • File path of file to be monitored, default is null.

TriggerTemplate-IntervalHours

Every <intervalHours> hours

Periodic (hours)

Interval Hours

  • 0 to 999 hours (approximately 42 days), default interval is 12 hours.

TriggerTemplate-IntervalMinutes

Every <intervalMinutes> minutes

Periodic (minutes)

Interval Minutes

  • 0 to 99,999 minutes (approximately 69 days), default interval is 30 minutes.

TriggerTemplate-IntervalSeconds

Every <intervalSeconds> seconds

Periodic (seconds)

Interval Seconds

  • 0 to 999,999 seconds (approximately 11 days), default interval is 3600 seconds (1 hour).

TriggerTemplate-ProcessCrash

On crash of process "<executable>"

When a process crashes (Windows only)

Monitors the Windows Application Event Log for event 1000.

Executable is case insensitive but must be the whole filename without the folder path, such as unreliableapp.exe. A partial string such as unreliableapp will not trigger on a crash of unreliableapp.exe.

Executable

  • Filename of executable to be monitored, default is empty.

TriggerTemplate-ProcessLaunch

On launch of process "<executable>"

When a process starts (Windows only)

Monitors the Windows Security Event Log for event 4688.

Executable

  • File path of executable to be monitored, default is empty.

TriggerTemplate-ServiceStatusChange

On change of running state of the "<serviceName>" service

When the state of the named Windows service changes.

You can determine the short name of a service using the PowerShell Get-Service cmdlet:

Get-Service -DisplayName "Network Location Awareness"

This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter.

Service Name

  • Short name of service - for example NomadBranch.

TriggerTemplate-WindowsEventLog

On Windows "<channel>" event log entry matching "<query>" (debounce for <debounce> seconds)

When an event log entry is created (Windows only).

A channel is an event sink; examples of standard channel names are Application and Security.

To determine the available event channels execute the following PowerShell command:

Get-WinEvent -ListLog *

Or to view the event channels on a remote computer:

Get-WinEvent -ListLog * -ComputerName <hostname>

Similarly, to view event log entries for a given channel, either use Event Viewer or PowerShell, for example:

Get-EventLog Application | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")}

Or:

[dateTime]$oneWeekAgo = (Get-Date).AddDays(-7)
Get-EventLog -LogName Application -After $oneWeekAgo -ComputerName . | ? {$_.EventID -eq 1000}

A query is used to filter the event log messages for a given channel. Examples can be found at https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events.

For example, to query all error-level OneNote application crash messages:

*[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']]

Debounce is a settling period to ensure that in the case of multiple events, only a single event is registered within the space of a given time period.

Channel

  • Text string, default null.

Query

  • Text string, default null.

Debounce Time Seconds

  • 0 to 99 seconds, default 0.
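
A channel, query and debounce combination can be dry-run on a test device before it is put into TriggerTemplate-WindowsEventLog. The following is an added example, not code from the product: the function name, its parameters and the debounce model (an event is registered only if at least the debounce period has passed since the previously registered one) are assumptions made for illustration.

```powershell
# Added example, not vendor code. Function and parameter names are hypothetical.
function Test-EventTriggerQuery {
    param(
        [Parameter(Mandatory)] [string] $Channel,
        [Parameter(Mandatory)] [string] $Query,
        [ValidateRange(0, 99)] [int] $DebounceSeconds = 0,  # same range as the template
        [int] $MaxEvents = 500
    )

    # Throws if the channel name does not exist on this device.
    $null = Get-WinEvent -ListLog $Channel -ErrorAction Stop

    try {
        $events = @(Get-WinEvent -LogName $Channel -FilterXPath $Query `
                        -MaxEvents $MaxEvents -ErrorAction Stop)
    } catch {
        # "No events found" is a valid result; anything else (invalid XPath,
        # access denied on Security without elevation) should be surfaced.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    # Assumed debounce model: an event is registered only if at least
    # $DebounceSeconds have passed since the previously registered one.
    $registered = 0
    $last = [datetime]::MinValue
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        if (($e.TimeCreated - $last).TotalSeconds -ge $DebounceSeconds) {
            $registered++
            $last = $e.TimeCreated
        }
    }

    [pscustomobject]@{
        Channel           = $Channel
        MatchingEvents    = $events.Count
        EstimatedTriggers = $registered
        NewestMatch       = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

# The OneNote crash query from this page, with a 30 second debounce.
Test-EventTriggerQuery -Channel Application -DebounceSeconds 30 `
    -Query "*[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']]"
```

A large gap between MatchingEvents and EstimatedTriggers shows how many events the debounce period would collapse; zero matches over a period in which the event is known to have occurred usually means the query or channel is wrong.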

TriggerTemplate-WindowsRegistryChange

On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>)

When the value of a Windows registry key changes.

Hive, which must be one of:

  • HKLM (default)

  • HKCR

Subkey : free text string, default empty.

Include Sub Keys : 1/0 default 0.

Precondition fragments

Name

Readable Payload and Description

Parameters

Included in

1E-GuaranteedState-ClientHealth-PreCondition-ConfigMgrClient

Run if the ConfigMgr client is installed

Uses the Device.GetSummary method to determine if the device is running Windows.

Uses the OperatingSystem.GetServiceInfo method to determine if the ConfigMgr client service (ccmexec) is installed, although not necessarily running.

No parameters.

1E-GuaranteedState-General-PreCondition-InstalledSoftware

Run if <SoftwareTitle> is installed

Uses the Software.GetInstallations method to see if SoftwareTitle is installed.

The Software Title parameter can be a partial string such as SQL Server, which will match on the first SQL Server title that is found installed on the device.

Software Title

  • A product name as it appears in Programs and Features (Add Remove programs - ARP).

1E-GuaranteedState-General-PreCondition-MinWindowsVersion

Run if device is Windows <MinimumVersion>

Uses Agent.GetSummary method to get MinimumVersion, and passes if it matches the given parameter.

  • XP or greater (5.2) - also matches Server 2003

  • Vista or greater (6.0) - also matches Server 2008

  • 7 or greater (6.1) - also matches Server 2008 R2

  • 8 or greater (6.2) - also matches Server 2012

  • 8.1 or greater (6.3) - also matches Server 2012 R2

  • 10 or greater (10.0) - also matches Server 2016

Minimum Version

  • XP or greater

  • Vista or greater

  • 7 or greater

  • 8 or greater

  • 8.1 or greater

  • 10 or greater (default)

1E-GuaranteedState-General-PreCondition-MinWindowsVersionAndVariant

Run if device is running <Variant> variant of Windows <MinimumVersion>

Uses the Agent.GetSummary method to get Variant and MinimumVersion, and passes if they match the given parameters.

If the text Server is in OsVersionText then it's a Server, otherwise it's a Desktop.

  • XP/Server 2003 or greater (5.2)

  • Vista/Server 2008 or greater (6.0)

  • 7/Server 2008 R2 or greater (6.1)

  • 8/Server 2012 or greater (6.2)

  • 8.1/Server 2012 R2 or greater (6.3)

  • 10/Server 2016 or greater (10.0)

Minimum Version

  • XP/Server 2003 or greater

  • Vista/Server 2008 or greater

  • 7/Server 2008 R2 or greater

  • 8/Server 2012 or greater

  • 8.1/Server 2012 R2 or greater

  • 10/Server 2016 or greater (default)

Variant

Windows OS variant:

  • Desktop (default)

  • Server

1E-GuaranteedState-General-PreCondition-OperatingSystem

Run if operating system is <OsText>

Uses the Agent.GetSummary method to get OsText, and passes if it matches the given parameter.

OsText

  • Android

  • macOS

  • Red Hat

  • SUSE

  • Ubuntu

  • Windows

  • Windows 10

  • Windows 7

  • Windows 8.1

  • Windows Server 2012

  • Windows Server 2016

  • Windows Vista

  • Windows XP

1E-GuaranteedState-General-PreCondition-OSAndSoftware

Run if operating system is <OsText> and <SoftwareTitle> is installed

Uses the Agent.GetSummary method to get OsText.

Uses the Software.GetInstallations method to see if SoftwareTitle is installed.

OsText

  • See: 1E-GuaranteedState-General-PreCondition-OperatingSystem

SoftwareTitle

  • See: 1E-GuaranteedState-General-PreCondition-InstalledSoftware

1E-GuaranteedState-General-PreCondition-OsTypeAndArchitecture

Check whether a device has an OS of <OsType> and an architecture of <Architecture>

Passes if the OsType agent enumeration and the Architecture match the given parameters.

Uses the Device.GetSummary method.

OsType

  • Windows (default)

  • Android

  • Linux

  • macOS

  • Solaris

Architecture

  • x64 (default)

  • x86

1E-GuaranteedState-General-PreCondition-Service

Run if <ServiceName> service is installed

Uses the OperatingSystem.GetServiceInfo method to check the specified service is in the specified state. You specify the service by its short name.

Service names are listed under registry HKLM\CurrentControlSet\Services.

You can determine the short name of a service using the PowerShell Get-Service cmdlet:

Get-Service -DisplayName "Network Location Awareness"

The above example will return NlaSvc, which is the short name you specify in the <ServiceName> parameter.

Another example is WinDefend, which is the short name of the Microsoft Defender Antivirus Service.

ServiceName

  • Short name of the Windows Service, default empty.

1E-GuaranteedState-General-PreCondition-WindowsDevice

Determine if device is running Windows

Is Operating System type = Windows.

Uses the Device.GetSummary method.

No parameters.

1E-GuaranteedState-Nomad-PreCondition-MultiTests

Nomad client passes 3 standard tests plus any/all of the following tests if enabled

The precondition passes for all of the following standard tests:

  • The device is running a version of Windows - Nomad is only supported on Windows operating systems.

  • The device is not running Windows XP - which is no longer supported by Nomad.

  • The NomadBranch service is installed, although not necessarily running.

The precondition also tests for each of the following if it is enabled by changing its parameter from 0 to 1:

  • hasCmClient : The ConfigMgr client is installed.

  • sccmDp : The device is a ConfigMgr Distribution Point (DP).

  • smbEnabled : SMB sharing of Nomad's cache is enabled.

If the smbEnabled test is set in the rule precondition then an additional test is made to see if the device is a Domain Controller (DC). When installed on a DC, Nomad must use its computer account instead of SMSNomadP2P& in order to share its cache. This requires registry value HKLM\SOFTWARE\1E\NomadBranch\SpecialNetShare to have its 0x80 bit set. If it is not set then Nomad does not share its cache on a DC and does not respond to elections.

  • hasCmClient : 1/0

  • sccmDp : 1/0

  • smbEnabled : 1/0

Defaults are 0.
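
The Domain Controller condition described for smbEnabled above can be checked by hand on a device. The following is an added example, not 1E code: the function name is hypothetical, the service name, registry value and 0x80 bit are the ones given on this page, and using Win32_ComputerSystem.DomainRole to detect a DC is an assumption about how to reproduce the test, not a statement of how the precondition implements it.

```powershell
# Added example, not 1E code. The function name is hypothetical; the service
# name, registry value and 0x80 bit are the ones given on this page.
function Test-NomadDcShare {
    # Standard test: NomadBranch service installed (it need not be running).
    $svc = Get-Service -Name NomadBranch -ErrorAction SilentlyContinue

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # A missing key or value is treated as "bit not set".
    $prop = Get-ItemProperty -Path 'HKLM:\SOFTWARE\1E\NomadBranch' `
                -Name SpecialNetShare -ErrorAction SilentlyContinue
    $raw = if ($prop) { [int64]$prop.SpecialNetShare } else { $null }
    $bitSet = ($null -ne $raw) -and (($raw -band 0x80) -ne 0)

    $finding = if (-not $svc) {
        'NomadBranch service is not installed'
    } elseif ($isDc -and -not $bitSet) {
        'DC without SpecialNetShare 0x80: cache is not shared, no election responses'
    } elseif ($isDc) {
        'DC with SpecialNetShare 0x80 set: computer account is used for the share'
    } else {
        'Not a DC: the 0x80 bit is not required by this test'
    }

    [pscustomobject]@{
        NomadBranchInstalled = [bool]$svc
        IsDomainController   = $isDc
        SpecialNetShare      = $raw
        Bit0x80Set           = $bitSet
        Finding              = $finding
    }
}

Test-NomadDcShare
```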