In this post I will show you how to deploy a remediation script using Intune. With remediation scripts, we can easily fix common issues in our environment, such as restarting services or changing registry values.

What is a Remediation script?

Remediations (previously known as Proactive remediations) consist of two scripts: one to detect the existing setting and another to remediate it. The combination of both scripts is called a script package. Following is an explanation of the two scripts:

Detection Script: The purpose of this first PowerShell script is to detect the setting. Use of exit codes is a must. For example, if the setting/registry key we are looking for exists, the script should return exit 0, which indicates that the setting exists. If the setting is missing, exit 1 should be returned, which means the setting was not detected.

Remediation Script: The second PowerShell script is only triggered if the detection script indicated an error. In other words, if exit 1 was returned (missing setting), the remediation script runs and fixes the issue.

Pre-requisites for Remediations

There are a few pre-requisites for using the remediations feature:

  • The Remediations feature requires Windows license verification. You need a Windows 10/11 Enterprise E3 or E5 license (part of Microsoft 365 E3/E5) assigned to the user, in addition to an Intune license such as Intune Plan 1 or EMS+E3/E5. In fact, if you don’t have a Windows 10 license in your tenant, you will see the following error when navigating to Devices > Remediations: Use of remediations requires Windows license verification to be enabled. You will also see the Create script package option greyed out.
Use of remediations requires Windows license verification
  • Device should be Microsoft Entra joined or Microsoft Entra hybrid joined.

Currently, Intune supports up to 200 script packages, with a maximum script output size of 2048 characters.

Benefits of Remediations

Following are the benefits of using remediation scripts:

  1. They can be used to increase device compliance by applying the correct setting.
  2. Remediations come with a schedule feature, which re-triggers the script at the frequency we have set.
  3. Remediations can help organizations reduce help desk calls and support tickets by remediating some of the most common issues seen in the environment.
  4. Remediations can be run on demand as well, via the device action named Run remediation, which is currently in preview.
Device action Run remediation

Remediations vs Scripts

  • The Remediations feature consists of two scripts, for detection and remediation, while Scripts only runs a single script.
  • Remediations can be scheduled to run at a specific frequency, while Scripts run once only.
  • Remediations require a Windows license in addition to the Intune license; there is no such requirement for Scripts (though an Intune license is still required).

Prepare the PowerShell scripts for the script package

Before creating the script package, we need to have our two scripts ready, one for detection and another for remediation. Let’s take the example of disabling JavaScript in Adobe Acrobat Reader, which simply requires the bDisableJavaScript value to be 1. Following are the scripts:

Detect-AdobeDisableJavaScript.ps1

Try {
    # -ErrorAction Stop turns a missing key into a terminating error that is handled by Catch below
    $Registry = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -ErrorAction Stop).bDisableJavaScript
    If ($Registry -eq 1) {
        Write-Host "Compliant"
        Exit 0
    }
    else {
        # Value missing or not 1: exit 1 tells Intune to run the remediation script
        Write-Host "Not Compliant, initiating remediation script"
        Exit 1
    }
}
Catch {
    Write-Host "Registry key does not exist, initiating remediation script"
    Exit 1
}

Remediate-AdobeDisableJavaScript.ps1

New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Force | Out-Null  # New-ItemProperty does not create a missing parent key, so create it first
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name "bDisableJavaScript" -Value 1 -PropertyType DWord -Force

As you can see from the detection script, if the value is not 1 or is missing, it returns exit 1, which forces the remediation script to kick in.
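As an added example (not the post’s own scripts), here is a generalized version of the same script package that checks several DWORD values under the FeatureLockDown key, distinguishes a missing key from a missing or wrongly typed value, keeps the output under the 2048-character limit, and creates the key before writing. bDisableJavaScript comes from the post; bProtectedMode is an assumed second value used only for illustration. Both scripts are shown in one block; save each part as its own .ps1 file.

```powershell
# ---- Detect-AdobeFeatureLockDown.ps1 ----
# Runs as SYSTEM when "Run this script using the logged-on credentials" is No,
# which is what the HKLM writes in the remediation script need (HKCU settings would need Yes).
$KeyPath = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
# bDisableJavaScript is from the post; bProtectedMode is an assumed extra value for illustration
$Desired = @{ bDisableJavaScript = 1; bProtectedMode = 1 }

$Findings = @()
if (-not (Test-Path -Path $KeyPath)) {
    $Findings += "key missing: $KeyPath"
} else {
    $Key = Get-Item -Path $KeyPath
    foreach ($Name in $Desired.Keys) {
        if ($Key.GetValueNames() -notcontains $Name) {
            $Findings += "$Name missing"
        } elseif ($Key.GetValueKind($Name) -ne 'DWord') {
            # A REG_SZ "1" would pass a plain -eq 1 comparison but is not what the policy expects
            $Findings += "$Name has type $($Key.GetValueKind($Name)), expected DWord"
        } elseif ($Key.GetValue($Name) -ne $Desired[$Name]) {
            $Findings += "$Name=$($Key.GetValue($Name)), expected $($Desired[$Name])"
        }
    }
}
if ($Findings.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
# Intune keeps at most 2048 characters of output, so keep the pre-remediation detail short
$Summary = 'Not Compliant: ' + ($Findings -join '; ')
Write-Output $Summary.Substring(0, [Math]::Min($Summary.Length, 2048))
exit 1

# ---- Remediate-AdobeFeatureLockDown.ps1 ----
$KeyPath = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$Desired = @{ bDisableJavaScript = 1; bProtectedMode = 1 }
# New-ItemProperty does not create parent keys, so create the path first
if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
foreach ($Name in $Desired.Keys) {
    # -Force overwrites an existing value, including one of the wrong type
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Desired[$Name] -PropertyType DWord -Force | Out-Null
    Write-Output "set $Name=$($Desired[$Name])"
}
exit 0
```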

For a huge range of remediation scripts shared by the community, see https://github.com/JayRHa/EndpointAnalyticsRemediationScripts

Create Script Package

Navigate to Devices > Remediations and click Create script package. You can also get there via Devices > Windows > Scripts and clicking the Remediations tab.

Create script package

You will see two additional remediation scripts provided by Microsoft (for your reference only):

  • Restart stopped Office C2R svc
  • Update stale Group Policies

Under the Basics page, specify the name as Disable Adobe JavaScript and click Next.

Under the Settings page, we have to specify the Detection script file and Remediation script file. Browse and select the script for each.

Run this script using the logged-on credentials: No
Enforce script signature check: No
Run script in 64-bit PowerShell: No

Detection script and remediation script file

Under the Assignments page, add the groups you want to target. By default, the schedule is set to run every 24 hours. Click on Daily to change it. We have the option to set the Frequency and how often this repeats.

Create custom script frequency

Complete the rest of the wizard.

The device will receive the policy:

  • When the device is restarted
  • When a user logs in to the device
  • Every 8 hours, as the Intune management extension service starts at this interval.

Once the device receives the policy, it runs the detection script and remediates if the issue exists. This process can be monitored on the device via the Intune management extension log files located under c:\programdata\Microsoft\IntuneManagementExtension\logs

AgentExecutor.log

This log file shows the detection script being invoked first, along with its result. If an error is detected, you will see:


cmd line for running powershell is -NoProfile -executionPolicy bypass -file  "C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\detect.ps1
write output done. output = Not Compliant, initiating remediation script
Adding argument remediationScript with value C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\remediate.ps1 to the named argument list.

We see Not Compliant, which is the output from our detection script. Agent Executor then forces the remediation script to execute.

The scripts are downloaded to the IME cache, located under c:\windows\IMECache\HealthScripts, in a folder named with the GUID of the script package.

Location of IME scripts in IMECache
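As an added troubleshooting helper (not part of the post), this script pulls the per-package detection and remediation output out of AgentExecutor.log lines like the ones above, keyed by the script package GUID in the IMECache path. The sample lines are constructed from the post’s excerpt (the last one is invented) so the example runs without the real log present; it uses the log location the post gives.

```powershell
# Summarise remediation runs from AgentExecutor.log (added example, not the post's code)
$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log'
# Constructed sample built from the line shapes in the post; used when the real log is absent
$SampleLog = @'
cmd line for running powershell is -NoProfile -executionPolicy bypass -file "C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\detect.ps1"
write output done. output = Not Compliant, initiating remediation script
Adding argument remediationScript with value C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\remediate.ps1 to the named argument list.
write output done. output = set bDisableJavaScript=1
'@

function Get-HealthScriptRuns {
    param([string[]]$Lines)
    $Runs = @{}
    # Package GUID and script name come from the IMECache path: HealthScripts\<guid>_<n>\detect.ps1
    $PathRx = 'HealthScripts\\(?<Id>[0-9a-f-]{36})_\d+\\(?<Script>detect|remediate)\.ps1'
    $Id = $null; $Script = $null
    foreach ($Line in $Lines) {
        if ($Line -match $PathRx) {
            $Id = $Matches.Id; $Script = $Matches.Script
            if (-not $Runs.ContainsKey($Id)) {
                $Runs[$Id] = [ordered]@{ DetectOutput = $null; RemediationTriggered = $false; RemediateOutput = $null }
            }
            if ($Script -eq 'remediate') { $Runs[$Id].RemediationTriggered = $true }
        } elseif ($Id -and $Line -match 'write output done\. output = (?<Out>.*)$') {
            # Output lines carry no package id, so attribute them to the last script path seen
            if ($Script -eq 'detect') { $Runs[$Id].DetectOutput = $Matches.Out.Trim() }
            else { $Runs[$Id].RemediateOutput = $Matches.Out.Trim() }
        }
    }
    return $Runs
}

$Lines = if (Test-Path -Path $LogPath) { Get-Content -Path $LogPath } else { $SampleLog -split "`r?`n" }
$Runs = Get-HealthScriptRuns -Lines $Lines
foreach ($Id in $Runs.Keys) {
    $R = $Runs[$Id]
    Write-Output ("{0}: detect -> '{1}'; remediation triggered: {2}; remediate -> '{3}'" -f $Id, $R.DetectOutput, $R.RemediationTriggered, $R.RemediateOutput)
}
```

On a real device the IME log wraps each entry in its own markup; the regexes match on substrings, so that wrapping does not matter.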

IntuneManagementExtension.log

This log file shows the actual execution of the scripts: first the detection script with exitCode = 1, and later the remediation script running and showing exitCode = 0.

"C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"  -remediationScript  ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\detect.ps1"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\19be85d8-ef2f-478c-921e-20e404718bf1_PreDetectScript.output"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\19be85d8-ef2f-478c-921e-20e404718bf1_PreDetectScript.error"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\19be85d8-ef2f-478c-921e-20e404718bf1_PreDetectScript.timeout"" 3600 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\19be85d8-ef2f-478c-921e-20e404718bf1_PreDetectScript.exit"" True ""
"C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"  -remediationScript  ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\remediate.ps1"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\38771661-5012-4cc8-82eb-22de13c23cff_RemediationScript.output"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\38771661-5012-4cc8-82eb-22de13c23cff_RemediationScript.error"" ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\38771661-5012-4cc8-82eb-22de13c23cff_RemediationScript.timeout"" 3600 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 ""C:\WINDOWS\IMECache\HealthScripts\10527b7f-2a7e-4ce4-bd80-83843418c12e_1\38771661-5012-4cc8-82eb-22de13c23cff_RemediationScript.exit"" True ""

The execution of the scripts saves values in the registry under:
For Execution: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts\Execution

For Reporting along with result: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts\Reports

SideCarPolicies in registry

Remediations Device status

Navigate to the script package. Under Monitor > Device status, we can see the Detection status and Remediation status.

Conclusion

Remediations is one of the best features of Intune for organizations, helping them apply the correct setting by remediating existing issues and reducing service desk / help desk calls. The script package consists of a detection script, which detects the issue and returns exit 1, and a remediation script, which picks up from there and runs if exit 1 was issued.

Important Links

Remediations | Microsoft Learn