►
Description
PowerShell Saturday is a training event for all things PowerShell. The event was held in Raleigh North Carolina and hosted by Research Triangle PowerShell User Group.
In this session Jon discusses the importance of Security and how PowerShell Compliance items and SCCM can help you tackle Security issues.
The files for Jon's slides and code can be found on our github page:
https://github.com/rtpsug/PowerShell-Saturday/tree/master/2019-NC.State/
A
A
So
for
me,
and
maybe
for
some
of
you,
security
is
a
four-letter
word.
They
get
three-letter
acronym
for
a
five-letter
I
forget
as
well,
but
it's
always
tends
to
be
a
pain,
hey
we're,
not
secure,
there's
a
problem
or
hey.
We
just
bought
this
new
product
or
we're
taking
on
this
new
business,
and
now
we've
got
new
regulations
that
we
need
to
comply
with.
A
A
Somebody's
gonna
come
in
and
say:
hey
you
said:
you're
compliant,
show
me
you're
compliant,
you
know,
others
are
going
to
say,
pick
10
machines
at
random
across
their
environment
building
very
compliant,
and
they
they
may
have
a
script
to
run,
and
they
say
just
long
and
let
me
see
so
we're
gonna
make
that
process
easy
or
at
least
easier
for
you.
So
one
of
the
things
here
is:
why
would
I
even
do
this?
A
A
We've
policies
great,
but
it's
not
always
successful.
Sometimes
you
have
replication
issues.
You've
got
one
version
on
one
debate:
controller
one
over
another,
so
you're
not
going
to
be
compliant
because
of
issues
like
that.
The
other
kind
of
reason
to
verify.
That
is
that
if
you've
already
have
systems
that
are
compromised,
the
malware
that's
on
the
system
may
be
monitoring
for
those
settings
and
group
policy
is
changing
and
reverting
though,
so,
even
if
it's
resetting
them
every
15
minutes,
they're
still
going
to
set
them
back.
A
So
if
they
couldn't
operate
them
in
your
environment,
I'm
going
to
use
our
Microsoft
security
framework
as
kind
of
a
reference
input
that
I'm
working
with
it's,
not
the
end-all
for
Bo.
It's
a
starting
point
for
it.
I
like
this
framework,
because
it
lays
it
out
many
different
rings
or
employments
that
you
may
have
impacted
here.
A
So
you
have
your
level
1
baseline,
which
is
safe
to
apply
to
almost
every
machine
in
your
environment
and
then
based
on
the
role
that
the
Machine
plays
you're,
going
to
expand
that
ring
out
to
be
more
and
more
secure
with
that
top
level.
Being
your
administrative
work
stations
within
there,
we're
going
to
mainly
focus
on
that
level,
one
it's
a
broader
piece,
but
for
whatever
regulations
you
guys
may
have
to
the
plywood
we're
going
to
have
different
baselines.
You
may
have
something
coming
in
during
the
view
of
the
environment.
A
You've
got
the
regulatory
stages
that
you
have
to
comply
with
it,
the
PCI
they
have
their
own
baselines.
Sometimes
they
match
exactly.
What's
in
our
Microsoft
frame-up
other
times,
they
are
more
secure
or
they'll
have
different
settings
and
what
we
have
I
have
a
link
up
here
as
well.
I
think
that
the
usually
is
going
to
make
a
site
that
is
available
for
you
as
well.
If
they
don't
have
a
repository,
then
publish
about.
A
A
One
of
the
big
things
were
Sen
wrote
this
reg
the
CI
tool.
He
has
both
an
online
version
where
you
can
go
in
through
a
website,
just
paste
the
content
on
the
registry
cloud
and
it
want.
Let
me
write
the
PowerShell
script
for
you
to
do
both
discovery
check
to
make
diseases.
Is
that
correctly
and
also
to
do
a
review
asian
7170?
A
And
then
he
also
has
a
command-line
tool
that
will
do
the
same
thing.
You
can
point
it
at
a
group
policy
object
or
you
can
put
it
at
a
and
export
or
backup.
So
those
registry
profiles
that
are
associated
with
group
policy
can
be
used
to
automatically
generate
the
compliance
items.
Some
of
the
favorite
tools
that
I
work
with
they
have
a
different
focus:
the
convert
tool,
the
powershell
script
there,
that
tool
will
go
through
and
leverage
the
SE
seems
built-in
providers
for
the
different
items.
A
A
So
in
here,
if
we
just
take
a
registry
file-
and
we
put
this
in
to
the
web
interface
here-
we
can
click
here
to
generate
the
the
check
strip,
and
this
will
give
you
PowerShell
feel.
So
obviously
you
could
write
this
yourself
saying
here
is:
if
you
have
a
list
violence
at
our
registry
file.
This
is
an
easy
way.
This
is
the
check
strip
and
what
you'll
notice
here
is
for
each
item
and
go
sir
and
checks
those
values
and
then
because
it's
intended
to
be
any
compliance,
I,
don't
if
it
doesn't
find
it.
A
A
So
now
the
PowerShell
changes,
rather
than
looking
those
because
those
do
not
return
true
or
false,
is
for
setting
those
Tigers
I
like
this,
not
necessarily
from
a
sec
own
perspective.
If
someone
comes
to
me
and
says,
hey
I
need
to
set
a
registry
value
I'm,
not
exactly
sure
where
it
goes
or
where
it
is,
my
tank,
don't
export.
This
put
it
in
here
go
write
the
code
for
you,
you
don't
know
how
she'll
fall.
So
it's
it's
a
way
to
make
your
life
simpler,
easier.
A
You
know
not
just
or
as
easy,
but
just
again
all
of
your
running,
it's
a
great
way
to
kind
of
leverage.
Those
tools,
the
the
other
thing
here
about
the
convert
to
GPO
the
conversion
to
the
powershell.
So
this
is
the
the
github
site
that
was
linked
on
the
slide
that
great
documentation
here,
there's
a
link
to
an
older
blog
article
as
well,
but
the
first
published
system
kind
of
explains
how
to
use
the
tool.
The
different
functionalities.
A
Good
thing
I
like
for
both
of
these
tools
is
the
source
for
both
of
them
is
out
different.
So
the
website,
the
comics
cable
for
the
designer
tool
for
these
were
doing
that
conversion.
Those
tools
you
can
look
into
that
source
code,
quartz
the
source
code
and
see
what
they're
doing
so
you're,
not
just
pressing
the
page
here
or
if
I
need
to
modify
that
for
something
specific
like,
but
also.
A
A
This
is
the
main
page
that
just
kind
of
lays
out
the
different
levels
of
rings.
Of
that.
The
other
thing
to
know
about
this,
this
as
a
security
baseline,
is,
is
not
just
focused
on
what
you
can
do
with
route
policy,
so
we
have
a
section
in
here.
That's
for
true
policy.
That's
what
we're
going
to
focus
on
as
far
as
checking
for
compliance
here
with
SEC
them,
but
there's
other
things
that
are
associated
with
these
baselines
that
you
may
be
able
to
add
in
here.
A
As
far
as
checks,
you
know
making
sure
you've
got
the
right
version
of
TPM.
You
get
the
right
settings
there.
You
can
put
those
in
there
policy
detector,
which
is
inserted
right
compliance
items
quarters
as
well
the
other
thing,
while
we're
here
and
we're
talking
about
the
policies
themselves
as
far
as
leveraging.
What's
in
group
policy,
one
thing
to
notice
that
well
99%
before
we
do
Newburgh
policy
is
changed
to
registry
values.
Not
everything
is
done.
That
way.
There's
specific
group
policy
of
habit
or
leverage
the
preference
engine
to
make
additional
changes
in
there.
A
A
There
are
some
tools
not
really
part
of
what
I've
been
presenting
on.
That
will
allow
you
to
take
policies
that
contain
those
items
and
apply
them
to
the
system
as
part
of
the
the
security
framework
you
download,
where
we
publish
all
the
group
policy
values
for
each
OS
version
contained
within
that
there
is
a
liquid
detailed
tool.
So
what
you
think
those
policy
items
put
them
into
your
local
local
policy.
A
A
It's
LGPL
vfc
and
when
you
go
actually
so
here
on
this
dock
site
before
the
security
configuration
right
here
for
the
Windows
security
baselines,
this
is
the
component
of
the
dock
site
that
talks
about
those
baselines
and
their
security.
Compliance
toolkit
the
download,
the
back
that
contains
the
documentation
for
policy.
A
A
All
right
so
in
here
back
here,
so
in
here
for
our
baseline.
We
have
this
huge
list
of
policy
items
that
you
need
to
check.
So
there's
a
couple
of
different
ways
that
we
can
take
this
on
as
far
as
doing
it
within
SCCM.
So
we
can
sit
down
and
say:
here's
a
specific
policy.
I
didn't!
Let
me
go
when
you
look
at
the
documentation
and
see
what
rich
key
just
associated
with
and
I
can
write
a
script
to
do
that.
A
But
you
know
there's
hundreds
of
things
that
need
to
be
set
in
and
I
it's
easy
to
go
into
group
policy
and
make
those
changes.
You
know
just
double
checking,
check
listing
that
hand,
side
and
all
I've
got
a
group
policy
I
think
that
apply
it
to
the
systems.
How
we
can
leverage
these
other
tools.
We
don't
spend
all
day
writing
code.
Just
do
it.
They
help
pass
values
that
you
need
to
set
so.
A
Group
policy
that
contains
that
lovely
one
baseline
settings
in
here
so
through
the
magic
of
late
nights
and
hotel
days.
We
have
all
these
items
here
set
so
from
here.
I
know:
I
can
just
leverage
these
tools
to
help
write
these
compliance,
like
so
I,
don't
have
to
go
set
all
of
these
in
camera
before
I
show
you
the
tool.
A
So
we
talked
about
things
that
you
can't
or
aren't
back
to
read
strategies
that
first
item,
like
just
watched
by
here
on
the
screen
big
counter
settings
so
setting
to
make
sure
that
the
password
age
is
set
incorrectly
or
not.
That's
a
great
example
of
something
that
is
not
backed
by
a
registry
and
if
I'm,
looking
at
this
from
a
local
system,
I've
gotten
command-line
options.
A
I
can
use
the
net
to
detect
these
and
set
those
which
works
great
for
my
local
policy,
if
I'm
at
the
main
member
I'm
going
to
get
that
from
my
domain,
so
I,
wouldn't
necessarily
in
a
domain
situation,
check.
Writing
it's
a
local
machine,
but
I
would
maybe
write
a
compliant
title
that
we're
going
to
apply
to
my
domain
controller
to
check.
A
A
So
here,
when
we
just
run
that
command-
and
you
see
we're
just
getting
strange
coming
back
so
this
is
just
a
technique
of
reading
that
string
text-
that's
coming
back
into
the
console
identifying
that
line
and
grabbing
that
value.
So
that's
simply
here
we're
just
doing
a
split.
You
know
where
the
divider
is
once
we've
identified
to
identify
that
line,
pulling
it
out
as
a
compliance
item.
All
I'm
do
is
pull
that
by
you
and
I'm
going
to
send
it
back
here
in
in
my
compliance
item
for
secm.
A
So
we're
looking
at
that,
okay,
so
if
I
needed
to
change
that.
So
if
that's
my
setting
or
my
value
for
my
compliance
item
or
my
regulatory
baseline,
that
I'm
looking
for
and
we
decide
to
make
that
more
aggressive
and
say
nope,
you
know
if
you're
locked
out,
we
want
you
to
be
locked
out
thirty
minutes
or
for
two
hours.
You
just
adjust
your
compliance.
Id.
A
A
So
here-
and
this
is
something
that's
kind
of
is-
this
is
specific
to
what
we're
doing
so
here
for
these
specific
items.
So
we
look
at
account.
Policy.
Different
items
have
different
rules.
So
if
I'm
looking
at
this
threshold,
I've
got
a
different
thing,
so
I
can
grab
that
value
pretty
easily,
but
sometimes
the
value
is
coming
back.
So
I've
got
a
note
here
in
this
script.
If
it
comes
back
as
as
never
you
know
what
I'm
trying
to
do
a
compliance
check
against
that.
A
You
know
I
can't
say:
hey
it's
greater
than
or
equal
to
zero,
because
that
that's
not
the
value
that
gets
returned
so
in
this
instance.
If
I
put
this
in
the
compliance
check,
I'm
going
to
have
my
code
count
or
that,
so
this
is
kind
of
getting
with
getting
creative,
with
the
things
that
aren't
there.
A
So
it's
one
of
those
things
are,
the
hey.
Did
I
just
what
did
I?
You
know,
I,
didn't
think
anything.
Of
course
I
did
you
know
it's
just
finding
out
which
attacks
are
increasing?
You
know
one
of
those
things,
one
from
a
testing
perspective
a
lot
of
times.
We
know
things
are
going
to
break
I,
know,
I've
got
an
application
that
is
okay,
except
for
this
one
thing
it
needs
to
run,
and
you
know
the
standard
says
turn
on
the
UAC,
but
because
of
this
application,
we'll
get
to
change
the
setting
on
this.
A
A
So
back
here
into
our
lab
environment
here,
so
this
is
here
and
the
reason
I
have
this
out
has
an
individual
item.
Here
is
depending
on
how
the
tools
to
create
this
or
you
choose
to
create
this.
You
have
different
options:
being
creature
or
baseline,
so
here
I've
created
a
baseline
or
a
compliant
site
conservation.
Compliance
item
is
looking
at
one
specific
setting.
A
The
tool
that
you
use
is
going
to
take
different
approaches
on
how
it
creates
these
items,
so
it
may
create
one
compliant
item
for
every
single
chapter
in
your
group
policy,
and
that
may
not
be
what
you
want
and
those
have
to
go
through
anything
you've
got
the
code.
You
can
simplify
it
break
it
out.
If
you
need
to
make
it
specific
over
time.
A
Sorry
I
don't
care
if
you're
not
compliant,
just
tell
me
you're
not
compliant,
and
if
I'm
going
to
remediate
I'm
gonna
force
everything
wrong
to
you,
but
it's
important
to
consider
that
we
need
target
these
as
well.
So
I
may
want
to
check
the
one
specific
thing
or
may
want
to
check
for
absolutely
everything
that
exists.
A
A
It
does
have
a
comment
based
help
enabled
on
here,
so
you
can
always
just
run
that
against
there
and
say
what
are
the
parameters
that
were
here.
The
script
version
comments
not
great,
but
at
least
tells
you
here
exactly
the
options
that
are
in
here,
but
I
want
to
provide
this
particular
script.
If
you're
going
to
utilize
it
one
thing
to
note
the
machine
that
you're
running
with
this
on
it
has
to
have
both
the
the
PowerShell
modules
for
80
and
for
configuration
management.
So
you
know
you
have
one
or
the
other.
A
A
So
we
have
a
couple
items
in
here
as
well,
so
by
default.
If
we
run
this,
it's
just
going
to
do
discovery
items.
We
have
the
ability
to
tell
it
to
do
remediation
as
well.
For
the
example
we're
not,
but
you
certainly
have
that
you
can
also
choose
to
have
it
export
and
the
export
option
is
just
going
to
create
a
zip
cat
file
which
you
can
use
to
create
that
compliant
item
and
they
put
it
in
two
different
different
environments.
So
this
is
one
that
I
really
liked
it.
A
A
Right
so
that
that's
one
so
in
this
business
one.
So
it's
a
great
point
there
about
drill,
and
that's
really
the
reason
why
we
look
at
compliance
items
in
SCCM.
You
know
and
that's
that
was
kind
of
a
focus,
at
least
from
powershell
perspective
of
desired
configuration
management.
You
know
it's
not
necessarily
that
we
we
just
want
to
set
it.
We
want
to
try
that
drift
from
whatever
we
say
it
should
be
set
to
and
then
give
us
the
options
to
enforce.
A
I
got
an
email
this
morning,
they're
patching
our
lab
environment.
So
if
the
host
goes
down,
we
may
lose
the
lab,
but
the
thing
that's
where
the
same
goes
for
its
secm.
You
can
see
that
same
thing
with
ECM.
You
know
we're
just
setting
that
up
coming
reporting
server.
You
can
see
that
through
and
then
know
where
you
need
to
go
track
down.
Why?
Why
you're
seeing
that
drift,
especially
you
know
it
was
easy
to
say
we're
mediated,
but
we
consistently
see
things
drifting.
You
need
to
go
find
out.
A
Why
now
I'm,
looking
at
one
group
policy
as
part
of
what's
being
applied?
If
there's
something
else,
that's
at
a
different
layer.
Changing
those
settings.
Are
we
running
an
application?
That's
trying
to
modify
those
settings
and
you
know
it's
finding
why
you're
drifting?
Because
that's
where
you
know
the
potential
exists
for
compromise
within
your
environment
is
something
that's
not
a.
A
Desired
configuration
management
base
and
that's
really
so
compliance
I,
don't
that's
what
they
came
into
sec
as
they
came
into
secm
before
PowerShell
was
released.
Smoke
paper
was
out
there.
When
you
go
to
create
compliance
items,
you
actually
have
the
option
to
create
compliance
items
using
BB
script
and
JavaScript,
so
you're
really
old-school
even
more
comfortable
with
notions
it,
but
that's
that
was
how
we
originally
had
to
write
plans
for
obviously,
once
the
core
self
came
out,
it
had
its
own
engine.
A
We
begin
to
leverage
a
lot
of
that
for
that
as
a
side
note
for
sports
SCCM
compliance
items
are
really
some
of
the
most
powerful
items
that
we
have
within
as
they
seem
when
we
talk
about
what
secm
does
when
we
talk
about
leveraging
the
application
model
deploying
patches
the
backend
for
all
of
that
work
is
leveraging
compliant
items,
so
that's
always
to
see
leveraging
so
using
it
to
do
things
that
can
make
your
job
easier.
It's
great,
it's
a
great
kind
of
song
going
to
hey.
A
A
A
Zone
settings
for
ie
but,
as
you
see
you
know,
it's
coming
in,
say:
hey
I'm!
Looking
for
this!
This
is
a
registry
value,
that's
being
set,
so
here
it's
using
the
built-in
divider
for
registry
items
to
check
for
that
compliant
and
then
actually
for
this,
since
this
is
focused
around
the
registry
components,
all
of
these
items
are
here,
but
he
said
if
this
is
an
example
of
saying:
hey,
I've,
written
individual
checks
for
individual
items,
but
here,
if
I
decided
I
needed
an
individual
compliance
item,
we
can
copy
these
checks.
A
A
So
here
for
the
Reg
tool,
we
have
to
point
it
at
a
registry
profile,
that's
been
exported,
so
what
I?
Simply
what
I
did
is
create
a
backup
of
the
group
policy
item
and
we
just
pulled
that
whole
problem
out
of
there.
So
here,
when
we
run
this
tool,
we
just
run
it.
It
tells
us
hey
here's
the
command
line
that
we're
looking
for
I
need
to
give
it
either
a
read
file
or
this
profile
from
the
food
policy.
A
A
Yeah,
so
if
it's
saying
hey,
there's
a
you
know
setting
config
to
say:
let's
let
this
process
run
or
we're
being
brought
to
a
group
policy.
If
it's
saying
hey,
it's
very
complimentary
system,
every
gotta
have
access,
I
can
flip
it.
So
I
can
do
more
things
and
then
it
just
monitors
but
I
keep
I
will
change
and
if
it
give
something
sets
it
back,
you
know,
but
you
know,
and
that's
where
you
know
has
been
talking
about
baselining
it.
A
You
know
when
we
look
at
it,
come
on
compliance
setting
we're
going
to
give
when
we
deploy
this
baseline.
We're
gonna
say
give
this
schedule
I.
Want
you
to
check
once
a
week
once
a
month,
every
15
minutes,
whatever
the
criticality
is
we're
gonna
set
that
in
schedule.
Obviously,
if
you've
got
something
going
on
and
you're,
seeing
that
constant,
hey
this
every
time
this
runs
vision
remediation,
you
know,
that's
what
we
have
to
look
at
and
say:
is
there
something
squishing
it
at
a
different
level
within
our
application?
A
A
A
And
then,
once
you've
got
this
deployed,
you
can
are
created
within
here.
You
can
associate
this
with
the
baseline
and
you
can
deploy
that
baseline
out,
and
this
is
where
we
really
kind
of
go
straight
kind
of
the
value
of
things.
What
you
can
do
is
integration
engine
we've
been
talking
about
hey
I'm
in
a
domain
and
I'm
doing
this
with
configuration
manager,
the
machines
that
you're
managing
don't
have
to
exist
within
the
same
domain.
A
They
don't
have
to
exist
within
the
same
trusted
force
they
even
have
to
exist
within
your
network
is
to
be
joint
machines.
These
could
be
bring
their
own
devices
that
you
prefer.
You
know
to
cry
on
as
you're
managing
so
from
here
from
SCCM.
You
have
the
ability
to
track
different
clients
at
across
your
entire
state
for
the
enterprise.
It's
one
of
those
great
things,
especially
nowadays
where
machines
move
around.
A
You
know
not
necessarily
on
your
network,
if
you
put
in
and
you
leveraging
internet
management
points
to
be
able
to
give
them
policy,
you
can
get
the
results
right
there.
Also
the
cloud
management
gateway,
the
ability
to
get
these
results
back
from
the
common.
We
haven't
really
talked
about
it
here,
but
you
take
these
same
scripts,
put
to
the
run
power
social
feature
for
a
cesium,
and
then
you
know
if
you've
got
laptops
that
are
sitting
at
home,
that
you're
protecting
something
wrong
with
them.
A
A
So
that's
it's
leveraging
those
things.
So
the
greatest
example
there
is
with
with
the
the
cloud
management
gateway.
You
don't
have
to
anything
that
communications
into
your
home
users.
They
we're
using
that
content,
a
gateway
as
a
proxy
there's,
a
core
set
of
ports
that
are
in
between
your
SSM
servers
and
that
power
management
a
way
primarily
it's
the
443
and
a
couple
of
ports
that
communicates
with.
A
For
those
specific
instances
of
the
ends
up
in
the
cloud
the
traffic
coming
in
and
out,
it's
simply
HTTP
traffic,
we're
using
certificates
that
have
to
be
deployed
to
your
book
to
the
comment
gateway
into
your
machines
that
you're
gonna
manage
those
certificates
of
what
the
problems.
Okay,
wait,
wait,
wait,
they're
talking
to
the
server
and
then
that's
it
I
mean
it's
a
policy
traffic.
So
you
know,
if
we're
some,
you
know
it
was
just
a
couple
cables.
Our
policy.
That's!
Okay!
There's
there's
new
instructions
for
you.
A
If
you
need
to
go
download
something,
but
problems
in
gateway
acts
as
a
distribution
point,
so
it
needs
to
grab
content
associated
on
packages
or
application
that
can
be
the
trigger
to
do
that.
We
can
run
scripts
feature
that
script
is
actually
set
for
the
machine
as
part
of
those
policy
information,
so
it
just
gets
sterilizing
with
X
file
and
sent
down.
It
creates
a
powerful
scripture
locally
on
the
client
script
and
then
the
results.
A
No,
so
SCCM
will
give
you
metrics,
so
you
get
some
very
basic
metrics
around
the
console
itself.
So
I
can
come
in
and
say:
hey
I've
got
a
compliant
file.
It's
the
point
out.
I
can
see.
I've
got
this
one.
It's
sent
to
a
total
of
one
machine
is
compliant
I'm
honored
that
one,
but
we
also
have
sequel
reporting
services
that
you
can
leverage
to
have.
There's
some
built-in
reports
that
you
can
display
that
you
can
write
custom
reports
there.
A
A
A
Okay,
the
one
of
the
for
me
it's
a
great
example.
So
I
I
worked
with
something's
a
lot
where
they
say:
hey,
just
a
minute:
vulnerability
scanning
and
the
vulnerability
scanner
says:
hey,
you
have,
you
know
a
thousand
machines
and
there
are
twenty
thousand
items
that
you're
not
going
to
plant
across
the
hall
and
we
come
in
with
us.
It's
you
know
we
kind
of
looked
at.
Actually,
okay
tell
us
the
biggest
item.
What
are
you
not
replying
for?
Is
it
hey?
A
I've
got
a
patch
of
mine
or
if
I
don't
have
it,
we
just
need
to
apply
the
patch
will
fight
back.
We
need
to
apply
the
patch
and
set
in
a
registry
item
to
import
something
as
well,
then
we'll
do
it,
and
then
we
leave
that
configuration
item
that
we're
mediated
in
effect.
So
if
we
build
a
new
machine,
a
machine
drifts
for
whatever
reason
you
know
we
apply
I,
just
something
is
reverted
and
group
policy
and
then
pick
it
up.
Yet
the
a
lot
of
advents
will
know.
A
Hey
we've
run
boner
release
cans,
Friday
night,
so
art
compliance
baselines
get
executed,
Thursday
night
at
11
p.m.
so
you
know,
they're,
making
sure
that
they're
going
to
report
it
as
compliant
as
possible,
which
you
know
for
my
metrics
perspective.
That's
everybody
just
making
themselves
look
good
for
Clemente
compliance
piece.
We
want
to
not
only
consider
how
much
runner
at
first
what's
running
again
on
Sunday
night
Monday
night.
You
know
finding
what's
good.
A
When
you
look
at
the
documentation,
like
the
Excel
spreadsheet,
that
says,
here's
all
of
the
islands
that
came
out
for
this
release,
you
know,
if
there's
not
a
registry
key
associated
with
it
in
the
documentation,
for
that
it
will
tell
you.
This
is
not
done
here,
and
that
means
you've
just
got
to
dig
the
scene
and
it
was
a
common
level.
It's
almost
anything
I
mean.
A
Sometimes
we
have
to
go
in
and
say:
hey,
I'm
doing
something
and
I
don't
have
a
command
line
to
do
it,
but
I
can
write,
develop
the
policy
based
on
quality
things,
work
that
out
and
then
I'll
just
run,
because
you
know
I,
don't
have
a
great
way
to
click
here
and
say:
let's
run
this
and
randomly
set
permissions
for
my
specific
I.
So
it's
really
the
control.
Well
I
wouldn't
say
common.
We
see
this
is
an
opt-in,
it's
more.
This
is
what
we're
doing
where
we're
fishing.