|
These services are essential to core system functions such as networking, printing, updates, and system management. If any of them is not in its expected state, whether stopped or incorrectly configured, the result can be failed updates, broken Group Policy processing, delayed troubleshooting, or a degraded user experience.
|
- An endpoint fails compliance if any of the monitored services is not in its expected state.
- The compliance check runs whenever a monitored service changes state (there is no fixed check interval).
|
- For the BITS Service, remediation consists of setting the service startup mode to Manual and stopping the service.
- For all other services, remediation consists of setting the service startup mode to Automatic and starting the service.
|
Disk Space Management
|
The Disk Space Management Insight monitors free disk space on endpoints. When disk space falls below a trigger value, the insight check indicates that the endpoint is not compliant. Disk space can then be freed manually or automatically.
|
- An endpoint fails compliance if its primary drive (OS drive) free space falls below 10 GB.
- Compliance check is run every 4 hours.
|
- The Windows disk cleanup manager (cleanmgr.exe) is run with the /autoclean parameter.
- This removes temporary setup files and other files that should not be required on the endpoint, which may have been retained after Windows updates.
- User files, including the contents of the Recycle Bin, are not affected.
|
Office 365 Crashes
|
The Office 365 Crashes Insight examines the activity history of core Office 365 components to determine whether any of them have crashed within a 24-hour window.
|
- An endpoint fails compliance if any monitored Office 365 component has crashed more than once in that period.
- The compliance check is triggered when Office 365 has crashed more than once in a 24-hour period.
|
- Remediation is attempted only for the first logged-on user who is found.
- The Office File Cache is deleted.
- The Office Roaming Cache is deleted.
|
|
Operating system crashes and BSODs are serious indicators of system instability, often caused by driver issues, hardware faults, or corrupted OS files. Even a single crash can disrupt work, lead to data loss, and signal deeper reliability problems.
|
- An endpoint fails compliance if any monitored OS component has crashed at least once in that period.
- Compliance check once every 4 hours.
|
The Windows System File Checker tool (SFC) is run with the /scannow parameter to detect and repair corrupt Windows operating system files.
|
Page File Size
|
The Page File Size Insight determines whether the page file on the operating system disk is sized appropriately for the device's physical memory. It allows this to be automatically adjusted to the appropriate size.
|
- An endpoint is compliant if the page file size is considered appropriate for the amount of physical memory reported by the endpoint.
- Compliance check once every 48 hours.
|
- If the endpoint reports SSD-based storage, Windows is left to manage the page file size automatically.
- If the endpoint reports HDD-based storage, the page file size is set to 1.5 times the physical memory reported by the endpoint, unless this would leave less than 3 GB of free disk space, in which case the page file size is not changed.
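The sizing rule above, including the 3 GB free-space guard, as an added example that is not the product's own code; it assumes Get-PhysicalDisk reports the OS disk's media type and that the Win32_ComputerSystem and Win32_PageFileSetting CIM classes are the right places to read and write the page file configuration.

```powershell
# Added example, not the product's own code. Media type comes from Get-PhysicalDisk
# and page file settings from the Win32_* CIM classes (both assumed to be the
# relevant sources); sizes are in GB unless noted.
$SystemDrive = $env:SystemDrive   # e.g. 'C:'

function Get-OsDiskMediaType {
    # OS volume -> partition -> physical disk, whose MediaType is SSD, HDD or Unspecified.
    $part = Get-Partition -DriveLetter $SystemDrive.TrimEnd(':')
    return (Get-PhysicalDisk | Where-Object DeviceId -eq $part.DiskNumber).MediaType
}

function Get-PageFilePlan {
    param([string]$MediaType = (Get-OsDiskMediaType))
    $ramGB  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
    $freeGB = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'").FreeSpace / 1GB
    $usage  = Get-CimInstance Win32_PageFileUsage | Where-Object Name -like "$SystemDrive*"
    $currentGB = if ($usage) { $usage.AllocatedBaseSize / 1024 } else { 0 }   # AllocatedBaseSize is MB
    $plan = [ordered]@{ MediaType = $MediaType; RamGB = [math]::Round($ramGB, 1)
                        FreeGB = [math]::Round($freeGB, 1); CurrentGB = $currentGB }
    if ($MediaType -eq 'SSD') {
        $plan.Action = 'SystemManaged'          # let Windows manage the size
    } else {
        $targetGB = [math]::Ceiling($ramGB * 1.5)
        # Growing the file consumes (target - current) GB of free space; refuse if < 3 GB would remain.
        if (($freeGB - ($targetGB - $currentGB)) -lt 3) { $plan.Action = 'NoChange' }
        else { $plan.Action = 'Fixed'; $plan.TargetGB = $targetGB }
    }
    return [pscustomobject]$plan
}

function Set-PageFileFromPlan {
    param($Plan = (Get-PageFilePlan))
    $cs = Get-CimInstance Win32_ComputerSystem
    switch ($Plan.Action) {
        'SystemManaged' {
            Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $true }
        }
        'Fixed' {
            Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
            $mb = [int]($Plan.TargetGB * 1024)
            $pf = Get-CimInstance Win32_PageFileSetting | Where-Object Name -like "$SystemDrive*"
            if (-not $pf) {
                $pf = New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = "$SystemDrive\pagefile.sys" }
            }
            Set-CimInstance -InputObject $pf -Property @{ InitialSize = $mb; MaximumSize = $mb }
        }
        default { Write-Output "No change made: $($Plan | ConvertTo-Json -Compress)" }
    }
    return $Plan.Action   # 'Fixed' and 'SystemManaged' take effect after a reboot
}
```

Run Get-PageFilePlan first to see what would happen; Set-PageFileFromPlan needs administrative rights and its change applies at the next reboot.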
|
System Restore
|
The System Restore Insight verifies that system restore functionality has been activated on an endpoint.
|
- An endpoint fails compliance if System Restore functionality is found to be disabled.
- Compliance check once every 48 hours.
|
Remediation consists of running the PowerShell Enable-ComputerRestore cmdlet on drive C.
|
|
Frequent Teams crashes can disrupt meetings, reduce user productivity, delay decision-making, and cause department frustration.
|
- An endpoint fails compliance if any monitored Teams component crashes more than once during that period.
- The compliance check is triggered when Microsoft Teams has crashed more than once in a 24-hour period.
|
- The Teams cache is deleted and any required updates are run.
- Remediation is attempted for all logged-on users.
|
Time Sync
|
The Time Sync Insight verifies that the endpoint's local clock is correctly synchronized with the time reported by the Platform Switch component.
|
- An endpoint fails compliance if the endpoint's local time differs by more than 30 seconds in either direction from the reported Platform Switch time.
- Compliance check once every 4 hours.
|
Remediation consists of running the Windows w32tm executable with the /resync parameter.
|
Windows Fast Startup
|
The Windows Fast Startup Insight checks whether an endpoint is configured for Windows Fast Startup. If it is, the remediation instruction allows the feature to be turned off on the target endpoints.
|
- An endpoint fails compliance if the Fast Startup option is enabled.
- Compliance check once every 48 hours.
|
- Customers may choose to configure the insight to be remediated manually (the default) or automatically. In either case, the actual remediation process is identical.
- The Fast Startup registry key is updated to disable Fast Startup.
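The registry check and remediation described above, as an added example that is not the product's own code. It assumes the Fast Startup setting is the HiberbootEnabled value under the Session Manager\Power key, and treats the Group Policy copy of that value as an override to report rather than edit.

```powershell
# Added example, not the product's own code. Fast Startup is stored as the
# HiberbootEnabled DWORD (1 = on) under the Session Manager\Power key; a policy
# copy under HKLM\SOFTWARE\Policies overrides it and is reported, not edited.
$FastStartupKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName      = 'HiberbootEnabled'

function Get-FastStartupState {
    $local  = (Get-ItemProperty -Path $FastStartupKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $policy = (Get-ItemProperty -Path $PolicyKey      -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        LocalValue  = $local      # $null when the value is absent
        PolicyValue = $policy
        # An absent value is conservatively treated as enabled (assumption), so not compliant.
        Compliant   = ($local -eq 0) -and ($null -eq $policy -or $policy -eq 0)
    }
}

function Disable-FastStartup {
    $state = Get-FastStartupState
    if ($state.Compliant) { return 'already compliant' }
    if ($state.PolicyValue -eq 1) {
        Write-Warning 'Fast Startup is enforced by policy; change the GPO rather than the local value.'
        return 'blocked by policy'
    }
    # Needs administrative rights (HKLM); the change takes effect at the next shutdown.
    Set-ItemProperty -Path $FastStartupKey -Name $ValueName -Value 0 -Type DWord
    if ((Get-FastStartupState).Compliant) { 'remediated' } else { 'failed' }
}
```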
|
|
The WMI (Windows Management Instrumentation) repository is a core Windows component used by system tools, scripts, and management platforms to retrieve hardware and software information. If the repository becomes inconsistent or corrupted, it can cause failed inventory scans, broken automation, and inaccurate device reporting, impacting everything from software deployments to compliance audits.
|
- An endpoint is compliant if the WMI integrity check returns success.
- The WMI integrity check is performed using the Microsoft WinMGMT tool.
- Compliance check once every 48 hours.
|
Remediation consists of running the winmgmt tool with the /salvagerepository option. This attempts to repair any repository corruption.
|
Windows Defender Signature Age
|
The Windows Defender Signature Age insight determines the age of the most recent Windows Defender signature file. It allows the signature update to be initiated manually or automatically so that the most recent signature file is installed.
|
- An endpoint fails compliance if the signature file is more than one day (24 hours) old.
- Compliance check once every 24 hours.
|
The PowerShell cmdlet Update-MpSignature is run as shown below:
Update-MpSignature -UpdateSource MMPC
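The age check and the Update-MpSignature remediation described above, as an added example that is not the product's own code; it assumes the Defender PowerShell module's Get-MpComputerStatus is the source of the signature timestamp.

```powershell
# Added example, not the product's own code. The signature timestamp is read from
# Get-MpComputerStatus (assumed source); the update call is the one shown above.
$MaxSignatureAgeHours = 24

function Test-DefenderSignatureCompliance {
    $status = Get-MpComputerStatus
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeHours         = [math]::Round($age.TotalHours, 1)
        Compliant        = ($age.TotalHours -le $MaxSignatureAgeHours)
    }
}

function Update-DefenderSignatures {
    $before = Test-DefenderSignatureCompliance
    if ($before.Compliant) { return $before }
    # MMPC fetches directly from Microsoft, bypassing WSUS/internal update servers.
    Update-MpSignature -UpdateSource MMPC -ErrorAction Stop
    $after = Test-DefenderSignatureCompliance
    if (-not $after.Compliant) {
        # Common causes: no route to the update source, or Defender running in
        # passive/disabled mode because a third-party antivirus is registered.
        Write-Warning "Signatures still $($after.AgeHours) h old after update (AMRunningMode: $((Get-MpComputerStatus).AMRunningMode))."
    }
    return $after
}
```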
|
|
If OneDrive is not syncing correctly, the user may find that files they update locally in their OneDrive folder are not synchronized with the cloud copy or that changes they make to the local OneDrive folder, such as adding or deleting files, are not mirrored in the cloud. This can cause data loss or other productivity issues.
|
- An endpoint fails compliance if the latest entry in the OneDrive log folder for the user is more than one day old.
- Compliance check once every 24 hours.
|
The OneDrive.exe control program is run as shown below:
OneDrive /reset
|
|
If the Windows Firewall is not enabled, or is not configured to block inbound ports, malicious software may be able to make inbound connections to the endpoint and potentially exfiltrate information from it.
|
- An endpoint fails compliance unless the firewall is enabled for all profiles and inbound ports are blocked.
- Compliance check once every 24 hours.
|
Remediation consists of running the PowerShell Set-NetFirewallProfile cmdlet. It is run twice: first to ensure that all profiles are enabled, and then to ensure that inbound ports are blocked and outbound ports are allowed.
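The per-profile check and the two-pass remediation described above, as an added example that is not the product's own code; it uses the built-in NetSecurity module cmdlets and assumes no third-party firewall is registered.

```powershell
# Added example, not the product's own code. Reads every profile with
# Get-NetFirewallProfile and remediates with Set-NetFirewallProfile in two passes.
function Test-FirewallCompliance {
    # One row per profile (Domain, Private, Public). All must be enabled with the
    # default inbound action set to Block for the endpoint to be compliant.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = [string]$_.Enabled                 # True / False / NotConfigured
            InboundDefault  = [string]$_.DefaultInboundAction    # Allow / Block / NotConfigured
            OutboundDefault = [string]$_.DefaultOutboundAction
            Compliant       = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -eq 'Block')
        }
    }
}

function Repair-FirewallCompliance {
    $bad = Test-FirewallCompliance | Where-Object { -not $_.Compliant }
    if (-not $bad) { return 'compliant' }
    # Pass 1: enable every profile. Pass 2: block inbound by default, allow outbound.
    # Explicit allow rules still admit the inbound traffic the endpoint needs.
    Set-NetFirewallProfile -All -Enabled True
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow
    $still = Test-FirewallCompliance | Where-Object { -not $_.Compliant }
    if ($still) {
        # Group Policy settings win over local changes; a GPO is the usual reason this persists.
        Write-Warning "Still non-compliant after remediation: $($still.Profile -join ', ')"
    }
    return (Test-FirewallCompliance)
}
```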
|
|
If an endpoint running ThreatDown is not correctly configured, essential antivirus protection may be lost, leaving the endpoint open to attack.
|
- An endpoint fails compliance if any of the monitored services are not running or their startup mode is not Automatic.
- Compliance check every 5 minutes.
|
- If any monitored service is not running or is not configured with a startup mode of Automatic, it is started and its startup mode is set to Automatic.
- Note that some Malwarebytes services are marked as Protected, which should prevent their state or startup mode from being changed.
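The service check and remediation described above for the monitored Windows services (with the BITS exception) and for the ThreatDown services, as one added example that is not the product's own code. The service list is constructed; the ThreatDown service names are not stated on this page and are not assumed.

```powershell
# Added example, not the product's own code. The service table is constructed:
# BITS is expected Manual/Stopped (the Windows services rule), the rest
# Automatic/Running. For the ThreatDown rule, map every monitored service to
# 'Automatic'; its service names are not given here, so none are listed.
$ExpectedStartup = @{
    'BITS'     = 'Manual'
    'Spooler'  = 'Automatic'
    'wuauserv' = 'Automatic'
    'Winmgmt'  = 'Automatic'
}

function Test-ServiceCompliance {
    param([hashtable]$Expected = $ExpectedStartup)
    $findings = foreach ($name in $Expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { [pscustomobject]@{ Service = $name; Issue = 'not installed' }; continue }
        $wantStatus = if ($Expected[$name] -eq 'Automatic') { 'Running' } else { 'Stopped' }
        if ($svc.StartType -ne $Expected[$name] -or $svc.Status -ne $wantStatus) {
            [pscustomobject]@{
                Service = $name
                Issue   = "is $($svc.StartType)/$($svc.Status), expected $($Expected[$name])/$wantStatus"
            }
        }
    }
    return @($findings)   # empty array = compliant
}

function Repair-ServiceCompliance {
    param([hashtable]$Expected = $ExpectedStartup)
    foreach ($f in (Test-ServiceCompliance -Expected $Expected)) {
        if ($f.Issue -eq 'not installed') { Write-Warning "$($f.Service) is not installed"; continue }
        try {
            Set-Service -Name $f.Service -StartupType $Expected[$f.Service] -ErrorAction Stop
            if ($Expected[$f.Service] -eq 'Automatic') {
                Start-Service -Name $f.Service -ErrorAction Stop
            } else {
                Stop-Service -Name $f.Service -Force -ErrorAction Stop
            }
            Write-Output "Remediated $($f.Service): $($f.Issue)"
        } catch {
            # Protected services (see the Malwarebytes note above) refuse changes
            # even from an administrator; report instead of aborting the run.
            Write-Warning "Could not remediate $($f.Service): $($_.Exception.Message)"
        }
    }
}

Repair-ServiceCompliance
Test-ServiceCompliance | Format-Table -AutoSize   # anything listed is still non-compliant
```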
|
|
Windows Update is critical to ensuring that endpoints are fully protected from malware and that software defects corrected by updates are deployed in a timely manner.
|
- An endpoint fails compliance if the latest update has not run in the last 24 hours or there are pending updates.
- Compliance check once every 24 hours.
|
Remediation consists of running the usoclient utility. It is run twice, as follows:
usoclient startinteractivescan
usoclient startscan
|
|
The TeamViewer agent allows the system administrator to access and control endpoints remotely. If the service is not running, the agent cannot provide this functionality.
|
- An endpoint fails compliance if the TeamViewer service is not running or not registered.
- Compliance check once every 24 hours.
|
The TeamViewer service is started, and its startup mode is set to ‘Automatic’.
|
Microsoft System File Checker
|
Microsoft’s System File Checker is intended to scan for and optionally repair scenarios in which one or more system files, such as DLLs, appear to be corrupt.
For more information on the SFC tool, see the "SFC scannow - Microsoft Community" article.
|
- An endpoint fails compliance if sfc /VerifyOnly reports any errors.
- Compliance check once every 24 hours.
|
Remediation consists of running sfc /ScanNow. This will attempt to repair any detected corrupt files.
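The sfc /VerifyOnly check and the sfc /ScanNow remediation described here (and the /scannow run in the OS crashes section above), as an added example that is not the product's own code. It assumes sfc's English result messages and handles the UTF-16 output that PowerShell captures with embedded NUL characters.

```powershell
# Added example, not the product's own code. sfc.exe writes UTF-16 output, which
# PowerShell captures with embedded NUL characters; they are stripped before the
# result messages (assumed to be sfc's English wording) are matched.
# Run from an elevated 64-bit PowerShell; a 32-bit host is redirected to SysWOW64.
function Invoke-Sfc {
    param([ValidateSet('/verifyonly', '/scannow')][string]$Mode)
    $raw  = & "$env:SystemRoot\System32\sfc.exe" $Mode 2>&1
    $text = ($raw -join "`n") -replace "`0", ''
    [pscustomobject]@{
        Mode       = $Mode
        ExitCode   = $LASTEXITCODE
        Clean      = [bool]($text -match 'did not find any integrity violations')
        Repaired   = [bool]($text -match 'successfully repaired')
        Unrepaired = [bool]($text -match 'unable to fix')
        Output     = $text
    }
}

function Test-SystemFileCompliance {
    # Verify-only pass: compliant only when sfc reports no violations. A run that
    # could not complete (e.g. not elevated) is also reported as non-compliant.
    $r = Invoke-Sfc -Mode '/verifyonly'
    [pscustomobject]@{ Compliant = $r.Clean; Detail = $r }
}

function Repair-SystemFiles {
    $check = Test-SystemFileCompliance
    if ($check.Compliant) { return 'compliant' }
    $fix = Invoke-Sfc -Mode '/scannow'
    if ($fix.Unrepaired) {
        # Details are in %WinDir%\Logs\CBS\CBS.log; DISM /Online /Cleanup-Image
        # /RestoreHealth followed by another sfc /scannow is the usual next step.
        Write-Warning 'SFC found corrupt files it could not repair; see CBS.log.'
    }
    return $fix
}
```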
|