# Appendix - Health Checks The following is a list of built-in health checks available to add to health polices. ### Account Checks | Health Check | Description | Supports Remediation | | ------------------------------ | ---------------------------------------------------------------------------------- | -------------------- | | User Account - Running Service | Verifies that a specific user account is running a specific service on the device. | Yes | ### Adaptiva Client Checks | Health Check | Description | Supports Remediation | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------- | -------------------- | | Adaptiva Client – Not Integrated with SCCM | Checks and Remediates: Adaptiva Client is successfully integrated with the Configuration Manager client. | Yes | | Adaptiva Client - Version | Verifies whether Adaptiva client version is equal to desired Adaptiva client version. | No | ### Background Intelligent Transfer Service (BITS) Health Checks | Health Check | Description | Supports Remediation | | ------------------------------ | --------------------------------------------------------------------------------------------------------------------- | -------------------- | | BITS – Service Running | Checks and Remediates: The BITS service is running, and its start mode is set to desired type. | Yes | | BITS – Service Startup Failing | Checks and Remediates: Detects whether BITS startup is failing (it might be possible that BITS has become corrupted). | Yes | | BITS - Version | Checks and Remediates: Ensure SCCM Clients have a recent version of BITS. | Yes | ### ConfigMgr Client Configuration Checks | Health Check | Description | Supports Remediation | | ---------------------------------------- | -------------------------------------------------------------------------------------- | -------------------- | | ConfigMgr Client - Cache Available Space | Checks and Remediates: The specified amount of space is available in the client cache. | Yes | | ConfigMgr Client - Cache Location | Checks and Remediates: The client cache location is correctly set. | Yes | | ConfigMgr Client - Site Assignment | Checks and Remediates: The client is assigned to the specified site. | Yes | | ConfigMgr Client - Site Auto Discovery | Verifies: Site auto discovery is working on the client. | No | ### ConfigMgr Client Health Checks | Health Check | Description | Supports Remediation | | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | ConfigMgr Client – Cache Size | Checks and Remediates: The client cache size is set to desired value, or more. | Yes | | ConfigMgr Client – CCM Folders | Checks and Remediates: There is no file named GURESIS.TXT in the C:\Windows\System32 folder, and there is no file named GURESIS.TXT in the Windows registry folder. | Yes | | ConfigMgr Client – Download Provider | Verifies whether the specified download provider is present in the CCM\_DownloadProvider class in WMI. | No | | ConfigMgr Client – Duplicate GUID | Verifies: The client does not have a duplicate SMS GUID. | No | | ConfigMgr Client – Installed | Checks and Remediates: The SCCM client agent is installed. | Yes | | ConfigMgr Client – Management Point Location | Verifies: The client can correctly determine the location of the management point. | No | | ConfigMgr Client– Orphaned Cache Folders | Verifies whether there are any folders in the ccmcache that the ConfigMgr client is not aware of. Remediation removes any that exist. | Yes | | ConfigMgr Client – Provisioning Mode | Checks and Remediates: Cases where the Task Sequence Manager leaves software distribution disabled even after it has exited. | Yes | | ConfigMgr Client – Service Running | Checks and Remediates: The SCCM client agent service is running, and its start mode is set to the desired type. | Yes | | ConfigMgr Client – Version | Checks and Remediates: The specified version or later of SCCM agent is installed. | Yes | ### ConfigMgr Client Installation Checks | Health Check | Description | Supports Remediation | | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | CCMSetup – DiscoveryStatus MOF | Checks and Remediates: If the event logs contain entries indicating CCMSetup failed due to a DiscoveryStatus MOF compile issue, compiles the MOF automatically if so. | Yes | | CCMSetup – StatusAgentProxy DLL | Detects if the event logs contain entries indicating CCMSetup failed due to a StatusAgentProxy DLL issue. | No | | CCMSetup – Visual C++ DLL | Checks and Remediates: If the size of the Visual C++ DLL is incorrect, the correct DLL is copied from the specified path. | Yes | ### ConfigMgr Client Status Checks | Health Check | Description | Supports Remediation | | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | -------------------- | | ConfigMgr Client Status – Hardware Inventory | Checks and Remediates: whether hardware inventory is working. | Yes | | ConfigMgr Client Status – Heartbeat Discovery | Checks and Remediates: whether heartbeat discovery is working. | Yes | | ConfigMgr Client Status – Management Point Ping | Checks and Remediates: The management point and distribution point of the management point can be pinged using ICMP echo. | No | | ConfigMgr Client Status – Package Ping | Checks and Remediates: whether package download is working or not. | Yes | | ConfigMgr Client Status – Policy Retrieval | Checks and Remediates: whether recently updated policy can be downloaded successfully by the client. | Yes | | ConfigMgr Client Status – Software Distribution | Checks and Remediates: whether software distribution is working or not. | Yes | | ConfigMgr Client Status – Software Inventory | Checks and Remediates: whether software inventory is working or not. | Yes | | ConfigMgr Client Status – Status Message Submission | Checks and Remediates: whether status messages are being reported. | Yes | ### Data Execution Prevention Checks | Health Check | Description | Supports Remediation | | ------------ | -------------------------------------------------------------------------------- | -------------------- | | DEP - Policy | Verifies that the Data Execution Prevention Policy is set to a specific setting. | Yes | ### DCOM Checks | Health Check | Description | Supports Remediation | | -------------------------------- | ------------------------------------------------------------------- | -------------------- | | DCOM – Remote Connection Enabled | Checks and Remediates: Whether remote connection is enabled or not. | Yes | ### Instant Inventory Checks | Health Check | Description | Supports Remediation | | -------------------------------------- | ---------------------------------------------------------------------------------- | -------------------- | | Instant Inventory - Disk Space | Returns any machines that have below the specified amount of available disk space. | No | | Instant Inventory - File Contains Text | Returns any machines that have the specified text in a specified file. | No | | Instant Inventory – File Exists | Returns any machines that have a specified file. | No | | Instant Inventory – Folder Exists | Returns any machines that have a specified folder. | No | | Instant Inventory – Process Running | Returns any machines that have a specified process running. | No | | Instant Inventory – Service Started | Returns any machines that have a specified service that is in the started state. | No | | Instant Inventory – Service Stopped | Returns any machines that have a specified service that is in the stopped state. | No | ### IP Address Scope Checks | Health Check | Description | Supports Remediation | | --------------------- | --------------------------------------------------------------------------------------- | -------------------- | | IP – Permitted Scope | Verifies: Client's IP address is within the specified permitted IP address scopes. | No | | IP – Prohibited Scope | Verifies: Client's IP address is not within the specified prohibited IP address scopes. | No | ### Network Checks | Health Check | Description | Supports Remediation | | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | (Lanman) Server - Service Running | Verifies: The lanmanserver service is running, and its start mode is set to automatic. | Yes | | Network - DNS Name Resolution | Verifies whether the local hostname resolves to the correct IP address in DNS. Remediation registers the current IP in DNS. | Yes | | Network – DNS Settings | Checks and Remediates: If the Primary DNS suffix, Sync Domain with Membership, the Primary DNS Domain, the NIC DNS Domain and Enable Dynamic DNS Registration settings are set correctly; sets to the desired state if incorrect. | Yes | | Network – Hosts file entries present | Checks and Remediates: If the hosts file contains the specified entries. If any specified hosts entry is not present, it is appended. | Yes | ### Operating System (OS) Health Checks | Health Check | Description | Supports Remediation | | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | OS – Admin Share Available | Checks and Remediates: The admin$ share is published on the client. | Yes | | OS – Clear Windows print queues | Clears the Windows printer queues. | Yes | | OS – Computer Naming Convention | Detects whether the computer naming convention matches the specified regular expression. | No | | OS – Delete Temp Folder Contents | Deletes all content from Temp folders. | No | | OS – File Associations | Checks and Remediates: That a list of file extensions is present and matches the list. Corrects any that are incorrect and adds any that are missing. | Yes | | OS - Group Policy Processing Errors | Verifies whether any errors are shown within the specified number of days when attempting to process Group Policy. | No | | OS – Logon Server Correct | Detects whether the current Logon Server matches the desired name. | No | | OS – Remote Desktop Settings | Checks and Remediates: Remote Desktop, Remote Assistance and Secure connection (Network Level Authentication) and sets if any are incorrect. | Yes | | OS – Run Key Entries | Checks and Remediates: Both the x86 and x64 Run Key entries are in an allowed list; removes any that are not. | Yes | | OS – Screen Saver Settings | Checks and Remediates: For each user, whether the screen saver is configured, whether it is set to password protected, the timeout and the path; if any are incorrect, they are corrected. | Yes | | OS – Security Group Presence | Checks and Remediates: Local group membership for a specified local group to ensure that a specified member exists; if it does not exist, it is added. | Yes | | OS - Version | Verifies that the client operating system version is one of the specified versions. | No | | OS – Windows Explorer Settings | Checks and Remediates: The following - Show Hidden Files, Show Protected System Files, Hide Extensions for Known File Types, Compressed Files in a different color, Show Run on Start Menu, Hide Empty Drives; corrects any that are incorrect. | Yes | | OS – Windows Licensing Compliance | Detects the current Windows licensing state. | No | | Remote Registry Service Running (OS Specific) | Checks and Remediates: The Remote Registry service is running based on operating system, and its start mode is set to desired type. | Yes | ### PowerShell Health Checks | Health Check | Description | Supports Remediation | | -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | PowerShell – Set PowerShell Execution Policy | Checks and Remediates: The PowerShell execution policy. Choose between Restricted, AllSigned, RemoteSigned, Unrestricted, Bypass or Undefined and sets to the desired state if incorrect. | Yes | | PowerShell - WinRM | Checks and Remediates: That WinRM is enabled or disabled on the machine. If in an incorrect state, changes it accordingly. | Yes | ### SCCM Miscellaneous Checks | Health Check | Description | Supports Remediation | | ------------------------------------- | --------------------------------------------- | -------------------- | | SCCM – Client Actions must be Present | Verifies specific client actions are present. | Yes | ### Security Health Checks | Health Check | Description | Supports Remediation | | -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | Security - Bad Rabbit Immunisation | Verifies whether a system has already been infected by the Bad Rabbit ransomware. Remediation removes the infection and immunizes against future attack. | Yes | | Security – BitLocker Drive Encryption | Checks and Remediates: If BitLocker drive encryption is enabled for either the OS Drive, All Drives or a Specific drive; enables if it is not already enabled (encrypts). | Yes | | Security – Secure Boot | Detects whether Secure Boot is enabled or disabled in the BIOS/UEFI. | No | | Security – User Access Control (UAC) Enabled | Checks and Remediates: If UAC is enabled; performed only on Windows operating systems. | Yes | | Security – User Local Admin | Detects whether the currently logged on user is a local administrator. | No | | Security - WannaCry Infection Detection | Verifies whether systems have already been infected by WannaCry by conducting a comprehensive evaluation of Indicators of Compromise (IOC) for this exploit. Machines that fail this health check are likely to be compromised and must be immediately isolated from the network. The business must then evaluate whether to reimage the affected systems or pay the ransom to retrieve data. | No | | Security - WannaCry Vulnerability Assessment | Verifies whether systems are vulnerable to the WannaCry attack by evaluating whether the correct patches and system updates have been applied to the system. If a machine contains none of the specified patches, it is vulnerable to attack by WannaCry. The patch list can be easily updated by system administrators through a simple command line user interface to add additional patches to the health check as they become available. | Yes | ### Software Health Checks | Health Check | Description | Supports Remediation | | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------- | | Software – Illegal Software Installed | Detects whether any software specified in a named list of either software titles or software GUIDs is installed. | No | | Software – Internet Explorer Home Page | Checks and Remediates: Whether the Internet Explorer home page is set correctly, and if not sets it. | Yes | ### System Performance Health Checks | Health Check | Description | Supports Remediation | | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | System – Defrag Drive | Runs the disk defragmentation tool to reorganize and optimize the disk. | No | | System - Disk Cleanup | Verifies whether the device is under a specified percentage of free disk space. Schedules the Disk Cleanup Manager utility with the specified cleanup options to safely reclaim space. | Yes | | System – Free Disk Space | Verifies: The % free space on disk drives. | No | | System - Reboot Required | Verifies whether a reboot is required for up to four primary reboot reasons (Windows Update Installation, Windows Component Installation, File Rename Operations, SCCM Reboot Pending). | No | | System - Run Check Disk | Schedules a ChkDsk to run on the next reboot. | No | | System – Trigger System Restore | Triggers a System Restore task so systems can be restored to a specific point in time. | No | | System – Uptime | Verifies whether a system has been online longer than the specified number of days. | No | ### System Settings Checks | Health Check | Description | Supports Remediation | | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | System – Registry Setting must Exist | Verifies that a specific registry setting exists or is set to a specific value. | Yes | | Unquoted Service Binary Path | Scans for services that have spaces in their binary path, but which are not surrounded by double quotes. Remediates any that are found. | Yes | ### Tanium Health Checks | Health Check | Description | Supports Remediation | | ------------------------------- | ---------------------------------------------------------------- | -------------------- | | Tanium – Verify Client Settings | Verifies that Tanium Client settings are set to a desired state. | Yes | ### Windows 10 Health Checks | Health Check | Description | Supports Remediation | | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- | | Windows 10 - Credential Guard Active | Verifies that Credential Guard is enabled and active on the machine. If Credential Guard is not enabled, remediation will enable it. | Yes | | Windows 10 - Device Guard & Credential Guard Active | Verifies that both Device Guard and Credential Guard are enabled and active on the machine. If Device Guard and Credential Guard are not enabled, remediation will enable them. | Yes | | Windows 10 - Device Guard & Credential Guard Capable | Verifies that the device has all prerequisites and is capable of supporting both Device Guard and Credential Guard. | No | | Windows 10 - Device Guard HVCI Active | Verifies that Device Guard HVCI is enabled and active on the machine. If Device Guard is not enabled remediation will enable it. | Yes | | Windows 10 - DG-CG - DMA Protection | Verifies that Direct Memory Access Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security. | No | | Windows 10 - DG-CG - NX Protection | Verifies that No-Execute (NX) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security. | No | | Windows 10 - DG-CG - OS Architecture | Verifies that the Operating System is 64-bit. 64-bit virtualization is required for Device Guard/Credential Guard. | No | | Windows 10 - DG-CG - OS SKU | Verifies that the Operating System is a valid SKU. Supported SKUs for Device Guard/Credential Guard include Enterprise, Server, Education and IoT. | No | | Windows 10 - DG-CG - Secure Boot State | Verifies that Secure Boot is enabled on the device. Secure Boot is a requirement for Device Guard/Credential Guard. | No | | Windows 10 - DG-CG - Secure MOR | Verifies that Secure Memory Overwrite Request (MOR) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security. | No | | Windows 10 - DG-CG - SLAT Supported CPU | Verifies that the installed CPU supports the Second-level address translation feature desirable for Device Guard/Credential Guard. | No | | Windows 10 - DG-CG - SMM Protection | Verifies that System Management Mode (SMM) Protection is available. This advanced security feature is desirable for Device Guard/Credential Guard security. | No | | Windows 10 - DG-CG - TPM Version | Verifies that the system has a valid TPM and that it is at least version 2.0. Version 2.0 of the TPM is desirable for Device Guard/Credential Guard. | No | | Windows 10 - DG-CG - Virtualization Firmware | Verifies that virtualization firmware is present and available. This includes Intel Virtualization Technology, Intel VT-x, AMD-V, Virtualization Extensions or similar. Virtualization firmware is a requirement for Device Guard/Credential Guard. | No | | Windows 10 - DG-CG - Win10 Build Version | Verifies that the version of Windows 10 running is Redstone X or higher. Additional security options were made available after build 10586 (release 1511) that are desirable for Device Guard/Credential Guard. | No | | Windows 10 - Last OS Install Date-Time | Verifies that the last time the device had an OS install/reinstall was more than X days ago. This can ensure that end-users that have just been disrupted for an install are prioritized last for another install. | No | | Windows 10 - Microsoft Edge Version | Verifies that the installed version of Microsoft Edge meets requirements. | No | | Windows 10 - Minimum Hardware Requirements | Verifies that the device has the minimum required hardware specification for supporting Windows 10. Defaults are set to Microsoft hardware recommendations but can be adjusted at design time or runtime to reflect specific business requirements for Windows 10. | No | | Windows 10 - Unified Extensible Firmware Interface (UEFI) | Verifies that the device is running the Unified Extensible Firmware Interface (UEFI) required for Secure Boot and Device Guard/Credential Guard. These security features are not supported on legacy BIOS. | No | ### Windows Update Agent Health Checks | Health Check | Description | Supports Remediation | | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | -------------------- | | Windows Update - Auto Update GPO | Verifies whether the group policy settings for Windows Update configuration are set correctly. | No | | Windows Update - Last Scan Cycle | Verifies whether the machine last ran the software update scan cycle within the specified number of days. | Yes | | Windows Update - Metadata Version | Verifies whether the software update metadata version on the client matches the current metadata version on the server. | Yes | | Windows Update - Non-Compliant Assignments | Verifies whether there are any ConfigMgr software update deployments that contain updates in a non-compliant state. | No | | Windows Update - Software Update Scan Errors | Verifies whether any errors have been reported by the Software update scan agent and reports back up to the last 10 errors. | No | | WUA – Service Missing | Checks and Remediates: Whether WSUS service is present on the machine or not. | Yes | | WUA – Service Running | Checks and Remediates: The wuauserv service is running, and its start mode is set to desired type. | Yes | | WUA - Version | Checks and Remediates: The WSUS client version is current. | Yes | ### WMI Health Checks | Health Check | Description | Supports Remediation | | --------------------------------- | ---------------------------------------------------------------------------------------------------- | -------------------- | | WMI – ConfigMgr Client Namespaces | Checks and Remediates: Connectivity to WMI namespaces used by the SCCM client. | Yes | | WMI – ExecMgr Connection Error | Checks and Remediates: Detects whether the SCCM client's execmgr log contains WMI connection errors. | Yes | | WMI – In Path | Checks and Remediates: The system32\wbem folder is included in the path variable in the environment. | Yes | | WMI – Repository Integrity | Checks and Remediates: The integrity of the WMI repository. | Yes | | WMI – Service Running | Checks and Remediates: The WinMgmt service is running, and its start mode is set to desired type. | Yes |