Appendix - Remediations
The following is a list of built-in remediations available to add to health policies.
Account Checks
User Account – Running Service
Checks that a specific user account is running a specific service on the device. Stops, or stops and disables, the service if it is not set correctly.
Adaptiva Client Checks
Adaptiva Client – Not Integrated with SCCM
Configures integration with ConfigMgr.
Background Intelligent Transfer Service (BITS) Health Checks
BITS – Service Running
Starts the BITS service and sets its start mode to automatic.
BITS – Service Startup Failing
Removes BITS DAT files from "%ALLUSERSPROFILE%\Microsoft\Network\Downloader" folder.
BITS - Version
A UNC path must be provided to the BITS installation executable. A command line execute activity installs BITS, waits until the execution is complete, and determines success or failure based on the return value from the executable.
ConfigMgr Client Configuration Checks
ConfigMgr Client - Cache Available Space
Non-qualified cache elements are deleted sequentially until the available space requirement is met. If the requirement is still not met after all elements have been deleted, the cache size is increased by the required number of bytes.
ConfigMgr Client - Cache Location
Sets the cache location to the specified path.
ConfigMgr Client - Site Assignment
If configured to perform auto site discovery, then perform auto site discovery. If a specific site is specified, the client will be assigned to the specified site.
ConfigMgr Client Health Checks
ConfigMgr Client – Cache Size
Sets the cache size to the specified value.
ConfigMgr Client – CCM Folders
Deletes the folders named ccm and ccmsetup.
ConfigMgr Client – Installed
Installs the ConfigMgr client directly using the command line or by generating a CCR on the site server for the client machine.
ConfigMgr Client - Orphaned Cache Folders
Deletes any orphaned folders in the ccmcache.
ConfigMgr Client – Provisioning Mode
Resets the Paused registry value to 0 in HKLM\Software\Microsoft\SMS\Mobile Client\Software Distribution\State and restarts the SMS Agent Host Service if TSManager is not running.
ConfigMgr Client – Service Running
Starts the SMS Agent Host service and sets its start mode to automatic.
ConfigMgr Client - Version
Installs the ConfigMgr client directly using the command line or by generating a CCR on the site server for the client machine.
ConfigMgr Client Installation Checks
CCMSetup – DiscoveryStatus MOF
The following command is executed: MofComp.exe %SystemDrive%\Program Files\Microsoft Policy Platform\ExtendedStatus.mof.
CCMSetup – Visual C++ msvcr100 dll
If an incorrect version of msvcr100.dll is detected, the correct version is copied from the defined UNC path.
ConfigMgr Client Status Checks
ConfigMgr Client Status – Hardware Inventory
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Heartbeat Discovery
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Package Ping
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Policy Retrieval
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Software Distribution
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Software Inventory
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
ConfigMgr Client Status – Status Message Submission
Executes a full policy reset or re-installs the ConfigMgr Client if the option is selected.
Data Execution Prevention Checks
DEP - Policy
Sets the Data Execution Prevention policy to the specified setting.
DCOM Checks
DCOM – Remote Connection Enabled
Writes the registry value EnableDCOM with Value: Y in HKLM\Software\Microsoft\Ole.
Network Checks
(Lanman) Server – Service Running
Starts the LanmanServer service and sets its start mode to automatic.
Network - DNS Name Resolution
Registers the current IP with DNS by executing the command: ipconfig /registerdns
Network – DNS Settings
Sets the provided Primary DNS suffix and/or syncs with domain membership. Sets the Primary DNS domain. Sets the NIC DNS domain and/or Enable Dynamic DNS Registration.
Network – Hosts file entries present
If specified entries in the hosts file are not present, they will be appended to the hosts file.
Operating System (OS) Health Checks
OS – Admin Share Available
The admin$ share is created and mapped to the %WINDIR% folder.
OS – Clear Windows print queues
The Windows print queues will be cleared.
OS – File Associations
File associations are defined in the format =. If an association is not present or is incorrect, it will be set.
OS – Remote Desktop Settings
Allows for the following options: Enable / Disable All Remote Assistance connections; Enable / Disable Remote Desktop connections; Enable / Disable Remote Desktop with NLA (Network Level Authentication).
OS – Run Key Entries
Sets 64-bit, 32-bit, or both registry run keys based on a specified list.
OS – Screen Saver Settings
Sets screen saver settings for New and Existing Users, Existing Users Only, or New Users Only for the following settings: Enabling a screen saver; Require a password to exit screen saver; Set a specific screen saver timeout.
OS – Security Group Presence
Adds a specific member to a specified local user group if the user does not exist.
OS – Windows Explorer Settings
Sets Windows Explorer settings for New and Existing Users, Existing Users Only, or New Users Only for the following settings: Show Hidden Files; Show Protected System Files; Hide File Extensions; Compress Files in a Different Color; Show Run on Start Menu; Hide Empty Drives; Show Full Path.
Remote Registry Service Running (OS Specific)
Starts the Remote Registry service and sets its start mode to automatic.
PowerShell Health Checks
PowerShell – Set PowerShell Execution Policy
Sets the PowerShell Execution Policy setting to one of the following: Restricted: Do not load configuration files or run scripts; All Signed: Requires all scripts to be signed by a trusted publisher; Remote Signed: Requires all scripts downloaded from the Internet to be signed; Unrestricted: Runs all scripts. Unsigned scripts from the Internet will prompt for permission; Bypass: Nothing is blocked and no warnings or prompts will occur; Undefined: Removes the current execution policy from the current scope.
PowerShell - WinRM
If WinRM is disabled, WinRM will be enabled.
SCCM Miscellaneous Checks
SCCM – Client Actions must be Present
Performs a machine policy refresh.
Security Health Checks
Security - Bad Rabbit Immunisation
Removes the infection and immunizes against future attack.
Security – BitLocker Drive Encryption
Enables BitLocker on either: Operating System Drive Only; All Fixed Drives; Specific Drive Letter.
Security – User Access Control (UAC) Enabled
UAC is enabled.
Security - WannaCry Vulnerability Assessment
Sets the SMB1 registry value (REG_DWORD) to 0 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and shuts down the system. For more information, see Disable SMB1 in Windows.
Software Health Checks
Software – Internet Explorer Home Page
Sets a defined Internet Explorer Home Page for New and Existing Users, Existing Users Only, or New Users Only.
System Performance Health Checks
System - Disk Cleanup
Initiates a system disk cleanup by executing the cleanmgr built-in application.
System Settings Checks
System – Registry Setting must Exist
Sets the specified registry setting to the specified value.
Unquoted Service Binary Path
Fixes service binary paths that are not surrounded by double quotes.
Tanium Health Checks
Tanium – Verify Client Settings
Sets the Tanium Client settings.
Windows 10 Health Checks
Windows 10 - Credential Guard Active
Enables the Credential Guard feature on the system.
Windows 10 - Device Guard & Credential Guard Active
Enables Device Guard and Credential Guard features on the system.
Windows 10 - Device Guard HVCI Active
Enables the Device Guard feature on the system.
Windows Update Agent (WUA) Health Checks
Windows Update - Last Scan Cycle
Initiates an SCCM Software updates scan cycle on the system.
Windows Update - Metadata Version
Initiates an SCCM Software updates scan cycle on the system to retrieve the latest update metadata.
WUA – Service Missing
The following command is executed to restore the Windows Update service: regsvr32 -s wuaueng.dll
WUA – Service Running
Starts the Windows Update service and sets its start mode to automatic.
WUA - Version
Installs the specified version of the WSUS client on the client machine.
WMI Health Checks
WMI – ConfigMgr Client Namespaces
The remediation is the same as the WMI – Repository Integrity remediation below, except that the execmgr.log is deleted.
WMI – ExecMgr Connection Error
The remediation is the same as the WMI – Repository Integrity remediation below, except that the execmgr.log is deleted.
WMI – In Path
The System32\WBEM folder is added to the %PATH% environment variable.
WMI – Repository Integrity
The WMI repository is recreated.
WMI – Service Running
Starts the Windows Management Instrumentation service and sets its start mode to automatic.