Question on optimizing BigFix Relevance

dgendera 2022-08-10 15:20:35 UTC #1

All,
Looking for some advice on trying to optimize some BigFix Relevance, I’ve got the solution working but wanted to see if there might be better way to write the relevance.
We have project going where we want to retrieve info from the registry about agents (BigFix; CrowdStrike; Flexera …) deployed in our environment, that info is written to BigFix properties and used for reporting in Corporate Dashboard.

To get the agent info I’m looking at the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key for both x32/x64. The info I’m interested in are DisplayName and DisplayVersion

Challenges

what if there are multiple versions installed of the agent (For the moment I’m reporting on most recent version)
What if agent is not installed

Below relevance will provide me with that info

if (exists values “DisplayVersion” of keys whose (value “DisplayName” of it as string as lowercase contains “flexnet inventory agent”) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registry ; x64 registry)) then
(if ((it as string contains “|”) of (concatenation “|” of (unique values of ( value “DisplayVersion” of it as string as trimmed string) of keys whose ((exists (value “DisplayVersion” of it as string as trimmed string as lowercase)) And (value “DisplayName” of it as string as lowercase contains “flexnet inventory agent”)) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registry ; x64 registry)))) then (following text of last “|” of concatenation “|” of (unique values of ( value “DisplayVersion” of it as string as trimmed string) of keys whose ((exists (value “DisplayVersion” of it as string as trimmed string as lowercase)) And (value “DisplayName” of it as string as lowercase contains “flexnet inventory agent”)) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registry ; x64 registry))) else (concatenation “|” of (unique values of ( value “DisplayVersion” of it as string as trimmed string) of keys whose ((exists (value “DisplayVersion” of it as string as trimmed string as lowercase)) And (value “DisplayName” of it as string as lowercase contains “flexnet inventory agent”)) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registry ; x64 registry)))) else “noinfo”

Question:
To check for multiple versions and report most recent version, I’m using “Unique Values” which is sorted and I will return last entry which is the latest version. I’ve found some articles mentioning “maximum of” but was not able to really make that work that’s why I’m choosing this option

any suggestions or feedback to improve relevance are much appreciated.

trn 2022-08-10 15:27:46 UTC #2

The values returned are registry values.

If you cast them to versions, the maximum keyword works.

So instead of unique values of ( value “DisplayVersion” of it as string as trimmed string) try maximum of ( value “DisplayVersion” of it as string as trimmed string)

dgendera 2022-08-11 08:10:26 UTC #3

Cool that did the trick and will simplify my relevance, appreciate the help !!!