Upgrading to Prime Version 5: Remediation
For the most part, version 5 looks and operates the same way as previous versions, but under the hood there are some significant changes. The most significant are changes to how deviations and remediation work.
In previous versions of Prime it was necessary to pre-generate remediation actions, a process that was very sensitive to which revision of a benchmark was being assessed.
With version 5 this is no longer necessary. Remediation actions are now derived directly from the assessment content. As a result, you no longer have to wait for updated remediation content to be made available when a benchmark is updated. Remediation can also be performed if you write your own custom content (or edit the existing content).
Remediation actions are also sensitive to deviations. If a deviation is defined for a failed rule, the values used for remediation are set by the deviation, not by the original compliance rule conditions.
There are some limitations to the remediation system, the biggest being that it is reliant on the quality of the assessment content. As an example, if a compliance check for determining if disallowed software is installed is written by checking for a registry key, the remediation system will only have knowledge of that registry key: removing it would cause the rule to pass, but would not in fact remove the disallowed software.
There are also a few remediation actions that will not be performed, just to be safe. Renaming user accounts, for example.
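The three behaviours described above (deviation values overriding rule values, remediation knowing only what the check inspects, and some actions never being automated) can be seen in a small model. This is an added example, not Prime's code or content format; the check kinds, rule IDs, registry paths and host state are all hypothetical and constructed for illustration.

```python
from collections import namedtuple

# Hypothetical model for illustration; not Prime's content format or engine.
# kind is "registry_value", "registry_key_absent" or "account_name".
Check = namedtuple("Check", "rule_id kind target expected", defaults=[None])
NEVER_AUTOMATED = {"account_name"}  # e.g. renaming user accounts

def passes(check, host):
    """Evaluate one check; a registry check sees only the registry."""
    if check.kind == "registry_value":
        return host["registry"].get(check.target) == check.expected
    if check.kind == "registry_key_absent":
        return check.target not in host["registry"]
    return host["accounts"].get(check.target) == check.expected

def derive_actions(checks, host, deviations):
    """Build actions from failed checks alone; a deviation overrides the rule's value."""
    actions, skipped = [], []
    for c in checks:
        c = c._replace(expected=deviations.get(c.rule_id, c.expected))
        if passes(c, host):
            continue
        if c.kind in NEVER_AUTOMATED:
            skipped.append(c.rule_id)
        elif c.kind == "registry_value":
            actions.append(("set", c.target, c.expected))
        else:
            actions.append(("delete", c.target, None))
    return actions, skipped

def apply(actions, host):
    for op, target, value in actions:
        if op == "set":
            host["registry"][target] = value
        else:
            host["registry"].pop(target, None)

# Constructed sample content, deviation and host state.
CHECKS = [Check("min-password-length", "registry_value", r"HKLM\Example\MinPwLen", 14),
          Check("no-disallowed-app", "registry_key_absent", r"HKLM\SOFTWARE\ExampleApp"),
          Check("rename-admin", "account_name", "rid-500", "localadm")]
DEVIATIONS = {"min-password-length": 12}

def demo():
    host = {"registry": {CHECKS[0].target: 8, CHECKS[1].target: 1},
            "accounts": {"rid-500": "Administrator"}, "installed": {"ExampleApp"}}
    actions, skipped = derive_actions(CHECKS, host, DEVIATIONS)
    apply(actions, host)
    return actions, skipped, host
```

After `demo()` the disallowed-software rule passes because its registry key is gone, yet `ExampleApp` is still in the host's installed set, which is why checks that test the real condition remediate better than checks that test a side effect.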