# Appendix - Remediations

The following is a list of built-in remediations available to add to health policies.

### Account Checks

| Health Check                   | Remediation Details                                                                                                                       |
| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| User Account – Running Service | Checks that a specific user account is running a specific service on the device. Stops or Stops and Disables the service if not set correctly. |

### Adaptiva Client Checks

| Health Check                               | Remediation Details                    |
| ------------------------------------------ | -------------------------------------- |
| Adaptiva Client – Not Integrated with SCCM | Configures integration with ConfigMgr. |

### Background Intelligent Transfer Service (BITS) Health Checks

| Health Check                   | Remediation Details                                                                                                                                                                                                                     |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| BITS – Service Running         | Starts BITS service and sets its start mode to automatic.                                                                                                                                                                               |
| BITS – Service Startup Failing | Removes BITS DAT files from "%ALLUSERSPROFILE%\Microsoft\Network\Downloader" folder.                                                                                                                                                    |
| BITS - Version                 | A UNC path must be provided to the BITS installation executable. A command line execute activity installs BITS, waits until the execution is complete, and determines success or failure based on the return value from the executable. |

### ConfigMgr Client Configuration Checks

| Health Check                             | Remediation Details                                                                                                                                                                                                    |
| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ConfigMgr Client - Cache Available Space | Non-qualified cache elements are deleted sequentially until available space requirements are met. After deleting all elements, if the requirement is not met, Cache size is increased by the required number of bytes. |
| ConfigMgr Client - Cache Location        | Sets the cache location to the specified path.                                                                                                                                                                         |
| ConfigMgr Client - Site Assignment       | If configured to perform auto site discovery, then performs auto site discovery. If a specific site is specified, the client will be assigned to the specified site.                                                   |

### ConfigMgr Client Health Checks

| Health Check                              | Remediation Details                                                                                                                                                                         |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ConfigMgr Client – Cache Size             | Sets the cache size to the specified value.                                                                                                                                                 |
| ConfigMgr Client – CCM Folders            | Deletes the folders named ccm and ccmsetup.                                                                                                                                                 |
| ConfigMgr Client – Installed              | Installs the ConfigMgr client directly using command line or by generating CCR on the site server for the client machine.                                                                   |
| ConfigMgr Client - Orphaned Cache Folders | Deletes any orphaned folders in the ccmcache.                                                                                                                                               |
| ConfigMgr Client – Provisioning Mode      | Resets the **Paused** registry value to 0 in **HKLM\Software\Microsoft\SMS\Mobile Client\Software Distribution\State** and restarts the SMS Agent Host Service if TSManager is not running. |
| ConfigMgr Client – Service Running        | Starts the SMS Agent Host service and sets its start mode to automatic.                                                                                                                     |
| ConfigMgr Client - Version                | Installs the ConfigMgr client directly using command line or by generating CCR on the site server for the client machine.                                                                   |

### ConfigMgr Client Installation Checks

| Health Check                       | Remediation Details                                                                                                      |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| CCMSetup – DiscoveryStatus MOF     | The following command is executed: MofComp.exe %SystemDrive%\Program Files\Microsoft Policy Platform\ExtendedStatus.mof. |
| CCMSetup – Visual C++ msvcr100 dll | If an incorrect version of msvcr100.dll is detected, the correct version will be copied from the defined UNC path.       |

### ConfigMgr Client Status Checks

| Health Check                                        | Remediation Details                                                                         |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------- |
| ConfigMgr Client Status – Hardware Inventory        | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Heartbeat Discovery       | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Package Ping              | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Policy Retrieval          | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Software Distribution     | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Software Inventory        | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |
| ConfigMgr Client Status – Status Message Submission | Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected. |

### Data Execution Prevention Checks

| Health Check | Remediation Details                                         |
| ------------ | ----------------------------------------------------------- |
| DEP - Policy | Sets Data Execution Prevention Policy to specified setting. |

### DCOM Checks

| Health Check                     | Remediation Details                                                     |
| -------------------------------- | ----------------------------------------------------------------------- |
| DCOM – Remote Connection Enabled | Writes registry EnableDCOM Value: Y in **HKLM\Software\Microsoft\Ole**. |

### Network Checks

| Health Check                         | Remediation Details                                                                                                                                                    |
| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| (Lanman) Server – Service Running    | Starts the LanmanServer service and sets its start mode to automatic.                                                                                                  |
| Network - DNS Name Resolution        | Registers the current IP with DNS by executing the command: ipconfig /registerdns                                                                                      |
| Network – DNS Settings               | Sets the provided Primary DNS suffix and/or syncs with domain membership. Sets the Primary DNS domain. Sets the NIC DNS domain and/or Enable Dynamic DNS Registration. |
| Network – Hosts file entries present | If specified entries in the hosts file are not present, they will be appended to the hosts file.                                                                       |

### Operating System (OS) Health Checks

| Health Check                                  | Remediation Details                                                                                                                                                                                                                                                                                                                                  |
| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OS – Admin Share Available                    | The admin$ share is created and mapped to the %WINDIR% folder.                                                                                                                                                                                                                                                                                       |
| OS – Clear Windows print queues               | The Windows print queues will be cleared.                                                                                                                                                                                                                                                                                                            |
| OS – File Associations                        | File associations are defined in the format =, if not present or incorrect, the file associations will be set.                                                                                                                                                                                                                                       |
| OS – Remote Desktop Settings                  | <p>Allows for the options:<br><br>Enable / Disable All Remote Assistance connections<br><br>Enable / Disable Remote Desktop connections<br><br>Enable / Disable Remote Desktop with NLA (Network Level Authentication)</p>                                                                                                                           |
| OS – Run Key Entries                          | Sets 64-bit, 32-bit, or both registry run keys based on a specified list.                                                                                                                                                                                                                                                                            |
| OS – Screen Saver Settings                    | <p>Sets screen saver settings for New and Existing Users, Existing Users Only, or New Users Only for the following settings:<br><br>Enabling a screen saver<br><br>Require a password to exit screen saver<br><br>Set a specific screen saver timeout</p>                                                                                            |
| OS – Security Group Presence                  | Adds a specific member to a specified local user group if the user does not exist.                                                                                                                                                                                                                                                                   |
| OS – Windows Explorer Settings                | <p>Sets Windows Explorer settings for New and Existing Users, Existing Users Only, or New Users Only for the following settings:<br><br>Show Hidden Files<br><br>Show Protected System Files<br><br>Hide File Extensions<br><br>Compress Files in a Different Color<br><br>Show Run on Start Menu<br><br>Hide Empty Drives<br><br>Show Full Path</p> |
| Remote Registry Service Running (OS Specific) | Starts the Remote Registry service and sets its start mode to automatic.                                                                                                                                                                                                                                                                             |

### PowerShell Health Checks

| Health Check                                 | Remediation Details                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| PowerShell – Set PowerShell Execution Policy | <p>Sets the PowerShell Execution Policy setting to one of the following:<br><br>Restricted: Do not load configuration files or run scripts<br><br>All Signed: Requires all scripts to be signed by a trusted publisher<br><br>Remote Signed: Requires all scripts downloaded from the Internet to be signed<br><br>Unrestricted: Runs all scripts. Unsigned scripts from the Internet will prompt for permission<br><br>Bypass: Nothing is blocked and no warnings or prompts will occur<br><br>Undefined: Removes the current execution policy from the current scope</p> |
| PowerShell - WinRM                           | If WinRM is disabled, WinRM will be enabled.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

### SCCM Miscellaneous Checks

| Health Check                          | Remediation Details                |
| ------------------------------------- | ---------------------------------- |
| SCCM – Client Actions must be Present | Performs a machine policy refresh. |

### Security Health Checks

| Health Check                                 | Remediation Details                                                                                                                                                                                                                                                                                                                                                                                                                              |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Security - Bad Rabbit Immunisation           | Removes the infection and immunizes against future attack.                                                                                                                                                                                                                                                                                                                                                                                       |
| Security – BitLocker Drive Encryption        | <p>Enables BitLocker on either:<br><br>Operating System Drive Only<br><br>All Fixed Drives<br><br>Specific Drive Letter</p>                                                                                                                                                                                                                                                                                                                      |
| Security – User Access Control (UAC) Enabled | UAC is enabled.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Security - WannaCry Vulnerability Assessment | <p>Sets the registry name <strong>SMB1</strong> value to <strong>REG\_DWORD Value: 0</strong> in <strong>HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</strong> and shuts down the system.<br><br>For more information please see <a href="https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server">Disable SMB1 in Windows</a></p> |

### Software Health Checks

| Health Check                           | Remediation Details                                                                                            |
| -------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Software – Internet Explorer Home Page | Sets a defined Internet Explorer Home Page for New and Existing Users, Existing Users Only, or New Users Only. |

### System Performance Health Checks

| Health Check          | Remediation Details                                                             |
| --------------------- | ------------------------------------------------------------------------------- |
| System - Disk Cleanup | Initiates a system disk cleanup by executing the cleanmgr built-in application. |

### System Settings Checks

| Health Check                         | Remediation Details                                           |
| ------------------------------------ | ------------------------------------------------------------- |
| System – Registry Setting must Exist | Sets the specific registry setting to the specified value.    |
| Unquoted Service Binary Path         | Fixes binary paths which are not surrounded by double quotes. |

### Tanium Health Checks

| Health Check                    | Remediation Details             |
| ------------------------------- | ------------------------------- |
| Tanium – Verify Client Settings | Sets the Tanium Client settings. |

### Windows 10 Health Checks

| Health Check                                        | Remediation Details                                               |
| --------------------------------------------------- | ----------------------------------------------------------------- |
| Windows 10 - Credential Guard Active                | Enables the Credential Guard feature on the system.               |
| Windows 10 - Device Guard & Credential Guard Active | Enables Device Guard and Credential Guard features on the system. |
| Windows 10 - Device Guard HVCI Active               | Enables the Device Guard feature on the system.                   |

### Windows Update Agent (WUA) Health Checks

| Health Check                      | Remediation Details                                                                                 |
| --------------------------------- | --------------------------------------------------------------------------------------------------- |
| Windows Update - Last Scan Cycle  | Initiates an SCCM Software updates scan cycle on the system.                                        |
| Windows Update - Metadata Version | Initiates an SCCM Software updates scan cycle on the system to retrieve the latest update metadata. |
| WUA – Service Missing             | The following command is executed to restore the Windows Update service: regsvr32 -s wuaueng.dll    |
| WUA – Service Running             | Starts the Windows Update service and sets its start mode to automatic.                             |
| WUA - Version                     | Installs the specified version of WSUS client on the client machine.                                |

### WMI Health Checks

| Health Check                      | Remediation Details                                                                                                  |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| WMI – ConfigMgr Client Namespaces | The remediation is the same as WMI – Repository Integrity remediation below, except that the execmgr.log is deleted. |
| WMI – ExecMgr Connection Error    | The remediation is the same as WMI – Repository Integrity remediation below, except that the execmgr.log is deleted. |
| WMI – In Path                     | The System32\WBEM folder is added to the %PATH% environment variable.                                                |
| WMI – Repository Integrity        | The WMI repository is recreated.                                                                                     |
| WMI – Service Running             | Starts the Windows Management Instrumentation service and sets its start mode to automatic.                          |
