Desktop Inventory for a large organization

Your annual Microsoft True-up is due in a few months and your team have been given the task of gathering the inventory of software on all company desktops, laptops and tablets (clients). The catch? It’s for the whole group, not just the local office and your company has 1,000’s of employees in offices all over the world. So what are some of the typical challenges you need to prepare for when doing a desktop inventory at scale?

How do I know when I’m finished?

At the start you need to establish what a successful scan of devices looks like. There must be a clear list of what must be gathered from each device (software installed, date installed, etc.) as well as what is mandatory and what is nice to have. The challenge will be knowing what the total number of devices should be. Even if you have agents deployed for patching or support you must assume they are not on a significant proportion of devices. You will be able to generate estimates from Active Directory, Exchange, subscription services (Office365), CMDB and procurement records but expect there to be significant differences. If you can segment by country, city or office you can usually improve the accuracy of your device count.

h3>Where are all the devices?

You need to start by finding all the devices your staff are using and although you have a few options when the network is small for a global inventory there is only one choice, Active Directory (AD). The challenge will be stale data, users who have left the company, changed their laptop or temporarily worked in your offices. The practical solution is to set a cut-off for the last time they accessed your network. 90 days is adequate but you may have to reduce to 30 days if you have time constraints. You will still have far more entries than actual devices but at least the list is manageable. You should expect multiple Active Directories or even work groups and although there shouldn’t be overlap it does happen.

Is the device turned on?

Desktop scanning can be compared to a radar sweeping across your network and the “beep” a device being turned on. To scan a client device it needs to be switched on and with a global organization the working day differs from country to country. The challenge will be “catching” a device when it is turned on and when you are scanning that piece of the network. The simplest solution is to scan devices over a long period of time, 30-60 days to increase your odds of catching the device. It may also be possible to ask staff to leave their devices on overnight during the scanning period. Ideally your scanning tool can be configured to scan a particular location more intensely during their working hours.

h3>Do I have enough bandwidth?

Although the scan of a device is quick and the amount of data generated is usually modest, when you multiply this by 1000’s of devices the amount of data can be significant. The challenge for a global scan is that no one person or team knows where the bottlenecks might be outside of their network. If you have time the easiest thing is to continuously scan at a low intensity or from multiple collectors around the network. If you can profile the network by location and quality of link you can greatly reduce risk and speed up getting the result. There are a variety of other things to consider when attempting to do a desktop scan for a large organization but this is a good start. Can you think of other factors to consider?