Appendix - Health Checks

User Account - Running Service

Verifies that a specific user account is running a specific service on the device

Yes

Adaptiva Client – Not Integrated with SCCM

Checks and Remediates: Adaptiva Client is successfully integrated with the Configuration Manager client

Yes

Adaptiva Client - Version

Verifies whether Adaptiva client version is equal to desired Adaptiva client version

No

BITS – Service Running

Checks and Remediates: The BITS service is running, and its start mode is set to desired type

Yes

BITS – Service Startup Failing

Checks and Remediates: Detects whether BITS startup is failing (it might be possible that BITS has become corrupted)

Yes

BITS - Version

Checks and Remediates: Ensure SCCM Clients have a recent version of BITS

Yes

ConfigMgr Client - Cache Available Space

Checks and Remediates: The specified amount of space is available in the client cache

Yes

ConfigMgr Client - Cache Location

Checks and Remediates: The client cache location is correctly set

Yes

ConfigMgr Client - Site Assignment

Checks and Remediates: The client is assigned to the specified site

Yes

ConfigMgr Client - Site Auto Discovery

Verifies: Site auto discovery is working on the client.

No

ConfigMgr Client – Cache Size

Checks and Remediates: The client cache size is set to desired value, or more

Yes

ConfigMgr Client – CCM Folders

Checks and Remediates: There is no file named GURESIS.TXT in the C:\Windows\System32 folder, and there is no file named GURESIS.TXT in the Windows registry folder

Yes

ConfigMgr Client – Download Provider

Verifies whether the specified download provider is present in the CCM_DownloadProvider class in WMI

No

ConfigMgr Client – Duplicate GUID

Verifies: The client does not have a duplicate SMS GUID

No

ConfigMgr Client – Installed

Checks and Remediates: The SCCM client agent is installed

Yes

ConfigMgr Client – Management Point Location

Verifies: The client can correctly determine the location of the management point

No

ConfigMgr Client– Orphaned Cache Folders

Verifies whether there are any folders in the ccmcache that the ConfigMgr client is not aware of. Remediation removes any that exist.

Yes

ConfigMgr Client – Provisioning Mode

Checks and Remediates: Cases where the Task Sequence Manager leaves software distribution disabled even after it has exited

Yes

ConfigMgr Client – Service Running

Checks and Remediates: The SCCM client agent service is running, and its start mode is set to the desired type

Yes

ConfigMgr Client – Version

Checks and Remediates: The specified version or later of SCCM agent is installed

Yes

CCMSetup – DiscoveryStatus MOF

Checks and Remediates: If the event logs contain entries indicating CCMSetup failed due to a DiscoveryStatus MOF compile issue, compiles the MOF automatically if so

Yes

CCMSetup – StatusAgentProxy DLL

Detects if the event logs contain entries indicating CCMSetup failed due to a StatusAgentProxy DLL issue

No

CCMSetup – Visual C++ DLL

Checks and Remediates: If the size of the Visual C++ DLL is incorrect, the correct DLL is copied from the specified path

Yes

ConfigMgr Client Status – Hardware Inventory

Checks and Remediates: whether hardware inventory is working

Yes

ConfigMgr Client Status – Heartbeat Discovery

Checks and Remediates: whether heartbeat discovery is working

Yes

ConfigMgr Client Status – Management Point Ping

Checks and Remediates: The management point and distribution point of the management point can be pinged using ICMP echo

No

ConfigMgr Client Status – Package Ping

Checks and Remediates: whether package download is working or not

Yes

ConfigMgr Client Status – Policy Retrieval

Checks and Remediates: whether recently updated policy can be downloaded successfully by the client

Yes

ConfigMgr Client Status – Software Distribution

Checks and Remediates: whether software distribution is working or not

Yes

ConfigMgr Client Status – Software Inventory

Checks and Remediates: whether software inventory is working or not

Yes

ConfigMgr Client Status – Status Message Submission

Checks and Remediates: whether status messages are being reported

Yes

DEP - Policy

Verifies that the Data Execution Prevention Policy is set to a specific setting.

Yes

DCOM – Remote Connection Enabled

Checks and Remediates: Whether remote connection is enabled or not

Yes

Instant Inventory - Disk Space

Returns any machines that have below the specified amount of available disk space

No

Instant Inventory - File Contains Text

Returns any machines that have the specified text in a specified file

No

Instant Inventory – File Exists

Returns any machines that have a specified file

No

Instant Inventory – Folder Exists

Returns any machines that have a specified folder

No

Instant Inventory – Process Running

Returns any machines that have a specified process running

No

Instant Inventory – Service Started

Returns any machines that have a specified service that is in the started state

No

Instant Inventory – Service Stopped

Returns any machines that have a specified service that is in the stopped state

No

IP – Permitted Scope

Verifies: Client's IP address is within the specified permitted IP address scopes

No

IP – Prohibited Scope

Verifies: Client's IP address is not within the specified prohibited IP address scopes

No

(Lanman) Server - Service Running

Verifies: The lanmanserver service is running, and its start mode is set to automatic

Yes

Network - DNS Name Resolution

Verifies whether the local hostname resolves to the correct IP address in DNS. Remediation registers the current IP in DNS.

Yes

Network – DNS Settings

Checks and Remediates: If the Primary DNS suffix, Sync Domain with Membership, the Primary DNS Domain, the NIC DNS Domain and Enable Dynamic DNS Registration settings are set correctly; sets to the desired state if incorrect

Yes

Network – Hosts file entries present

Checks and Remediates: If the hosts file contains the specified entries. If any specified hosts entry is not present, it is appended

Yes

OS – Admin Share Available

Checks and Remediates: The admin$ share is published on the client

Yes

OS – Clear Windows print queues

Clears the Windows printer queues

Yes

OS – Computer Naming Convention

Detects whether the computer naming convention matches the specified regular expression

No

OS – Delete Temp Folder Contents

Deletes all content from Temp folders

No

OS – File Associations

Checks and Remediates: That a list of file extensions is present and match. Corrects any that are incorrect and adds any that are missing

Yes

OS - Group Policy Processing Errors

Verifies whether any errors are shown within the specified number of days when attempting to process Group Policy.

No

OS – Logon Server Correct

Detects whether the current Logon Server matches the desired name

No

OS – Remote Desktop Settings

Checks and Remediates: Remote Desktop, Remote Assistance and Secure connection (Network Level Authentication) and sets if any are incorrect

Yes

OS – Run Key Entries

Checks and Remediates: Both the x86 and x64 Run Key entries are in an allowed list; removes any that are not

Yes

OS – Screen Saver Settings

Checks and Remediates: For each user, whether the screen saver is configured, whether it is set to password protected, the timeout and the path; if any are incorrect, they are corrected

Yes

OS – Security Group Presence

Checks and Remediates: Local group membership for a specified local group to ensure that a specified member exists; if it does not exist, it is added

Yes

OS - Version

Verifies that the client operating system version is one of the specified versions.

No

OS – Windows Explorer Settings

Checks and Remediates: The following - Show Hidden Files, Show Protected System Files, Hide Extensions for Known File Types, Compressed Files in a different color, Show Run on Start Menu, Hide Empty Drives; corrects any that are incorrect

Yes

OS – Windows Licensing Compliance

Detects the current Windows licensing state

No

Remote Registry Service Running (OS Specific)

Checks and Remediates: The Remote Registry service is running based on operating system, and its start mode is set to desired type

Yes

PowerShell – Set PowerShell Execution Policy

Checks and Remediates: The PowerShell execution policy. Choose between Restricted, AllSigned, RemoteSigned, Unrestricted, Bypass or Undefined and sets to the desired state if incorrect

Yes

PowerShell - WinRM

Checks and Remediates: That WinRM is enabled or disabled on the machine. If in an incorrect state, changes it accordingly

Yes

SCCM – Client Actions must be Present

Verifies specific client actions are present.

Yes

Security - Bad Rabbit Immunisation

Verifies whether a system has already been infected by the Bad Rabbit ransomware. Remediation removes the infection and immunizes against future attack.

Yes

Security – BitLocker Drive Encryption

Checks and Remediates: If BitLocker drive encryption is enabled for either the OS Drive, All Drives or a Specific drive; enables if it is not already enabled (encrypts)

Yes

Security – Secure Boot

Detects whether Secure Boot is enabled or disabled in the BIOS/UEFI

No

Security – User Access Control (UAC) Enabled

Checks and Remediates: If UAC is enabled; performed only on Windows operating systems

Yes

Security – User Local Admin

Detects whether the currently logged on user is a local administrator

No

Security - WannaCry Infection Detection

Verifies whether systems have already been infected by WannaCry by conducting a comprehensive evaluation of Indicators of Compromise (IOC) for this exploit. Machines that fail this health check are likely to be compromised and must be immediately isolated from the network. The business must then evaluate whether to reimage the affected systems or pay the ransom to retrieve data.

No

Security - WannaCry Vulnerability Assessment

Verifies whether systems are vulnerable to the WannaCry attack by evaluating whether the correct patches and system updates have been applied to the system. If a machine contains none of the specified patches, it is vulnerable to attack by WannaCry. The patch list can be easily updated by system administrators through a simple command line user interface to add additional patches to the health check as they become available.

Yes

Software – Illegal Software Installed

Detects whether any software specified in a named list of either software titles or software GUIDs is installed

No

Software – Internet Explorer Home Page

Checks and Remediates: Whether the Internet Explorer home page is set correctly, and if not sets it

Yes

System – Defrag Drive

Runs the disk defragmentation tool to reorganize and optimize the disk

No

System - Disk Cleanup

Verifies whether the device is under a specified percentage of free disk space. Schedules the Disk Cleanup Manager utility with the specified cleanup options to safely reclaim space.

Yes

System – Free Disk Space

Verifies: The % free space on disk drives

No

System - Reboot Required

Verifies whether a reboot is required for up to four primary reboot reasons (Windows Update Installation, Windows Component Installation, File Rename Operations, SCCM Reboot Pending)

No

System - Run Check Disk

Schedules a ChkDsk to run on the next reboot

No

System – Trigger System Restore

Triggers a System Restore task so systems can be restored to a specific point in time

No

System – Uptime

Verifies whether a system has been online longer than the specified number of days

No

System – Registry Setting must Exist

Verifies that a specific registry setting exists or is set to a specific value

Yes

Unquoted Service Binary Path

Scans for services that have spaces in their binary path, but which are not surrounded by double quotes. Remediates any that are found.

Yes

Tanium – Verify Client Settings

Verifies that Tanium Client settings are set to a desired state.

Yes

Windows 10 - Credential Guard Active

Verifies that Credential Guard is enabled and active on the machine. If Credential Guard is not enabled, remediation will enable it

Yes

Windows 10 - Device Guard & Credential Guard Active

Verifies that both Device Guard and Credential Guard are enabled and active on the machine. If Device Guard and Credential Guard are not enabled, remediation will enable them

Yes

Windows 10 - Device Guard & Credential Guard Capable

Verifies that the device has all prerequisites and is capable of supporting both Device Guard and Credential Guard

No

Windows 10 - Device Guard HVCI Active

Verifies that Device Guard HVCI is enabled and active on the machine. If Device Guard is not enabled remediation will enable it

Yes

Windows 10 - DG-CG - DMA Protection

Verifies that Direct Memory Access Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security

No

Windows 10 - DG-CG - NX Protection

Verifies that No-Execute (NX) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security

No

Windows 10 - DG-CG - OS Architecture

Verifies that the Operating System is 64-bit. 64-bit virtualization is required for Device Guard/Credential Guard

No

Windows 10 - DG-CG - OS SKU

Verifies that the Operating System is a valid SKU. Supported SKUs for Device Guard/Credential Guard include Enterprise, Server, Education and IoT

No

Windows 10 - DG-CG - Secure Boot State

Verifies that Secure Boot is enabled on the device. Secure Boot is a requirement for Device Guard/Credential Guard

No

Windows 10 - DG-CG - Secure MOR

Verifies that Secure Memory Overwrite Request (MOR) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security

No

Windows 10 - DG-CG - SLAT Supported CPU

Verifies that the installed CPU supports the Second-level address translation feature desirable for Device Guard/Credential Guard

No

Windows 10 - DG-CG - SMM Protection

Verifies that System Management Mode (SMM) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security

No

Windows 10 - DG-CG - TPM Version

Verifies that the system has a valid TPM and that it is at least version 2.0. Version 2.0 of the TPM is desirable for Device Guard/Credential Guard

No

Windows 10 - DG-CG - Virtualization Firmware

Verifies that virtualization firmware is present and available. This includes Intel Virtualization Technology, Intel VT-x, AMD-V, Virtualization Extensions or similar. Virtualization firmware is a requirement for Device Guard/Credential Guard

No

Windows 10 - DG-CG - Win10 Build Version

Verifies that the version of Windows 10 running is Redstone X or higher. Additional security options were made available after build 10586 (release 1511) that are desirable for Device Guard/Credential Guard

No

Windows 10 - Last OS Install Date-Time

Verifies that the last time the device had an OS install/reinstall was more than X days ago. This can ensure that end-users that have just been disrupted for an install are prioritized last for another install

No

Windows 10 - Microsoft Edge Version

Verifies that the installed version of Microsoft Edge meets requirements

No

Windows 10 - Minimum Hardware Requirements

Verifies that the device has the minimum required hardware specification for supporting Windows 10. Defaults are set to Microsoft hardware recommendations but can be adjusted at design time or runtime to reflect specific business requirements for Windows 10

No

Windows 10 - Unified Extensible Firmware Interface (UEFI)

Verifies that the device is running the Unified Extensible Firmware Interface (UEFI) required for Secure Boot and Device Guard/Credential Guard. These security features are not supported on legacy BIOS

No

Windows Update - Auto Update GPO

Verifies whether the group policy settings for Windows Update configuration are set correctly.

No

Windows Update - Last Scan Cycle

Verifies whether the machine last ran the software update scan cycle within the specified number of days.

Yes

Windows Update - Metadata Version

Verifies whether the software update metadata version on the client matches the current metadata version on the server

Yes

Windows Update - Non-Compliant Assignments

Verifies whether there are any ConfigMgr software update deployments that contain updates in a non-compliant state

No

Windows Update - Software Update Scan Errors

Verifies whether any errors have been reported by the Software update scan agent and reports back up to the last 10 errors

No

WUA – Service Missing

Checks and Remediates: Whether WSUS service is present on the machine or not

Yes

WUA – Service Running

Checks and Remediates: The wuauserv service is running, and its start mode is set to desired type

Yes

WUA - Version

Checks and Remediates: The WSUS client version is current

Yes

WMI – ConfigMgr Client Namespaces

Checks and Remediates: Connectivity to WMI namespaces used by the SCCM client

Yes

WMI – ExecMgr Connection Error

Checks and Remediates: Detects whether the SCCM client's execmgr log contains WMI connection errors

Yes

WMI – In Path

Checks and Remediates: The system32\wbem folder is included in the path variable in the environment

Yes

WMI – Repository Integrity

Checks and Remediates: The integrity of the WMI repository

Yes

WMI – Service Running

Checks and Remediates: The WinMgmt service is running, and its start mode is set to desired type

Yes