A feature that was somewhat hidden under the wrong location is finally rising. Intune remediation script, formerly known as ProActive Remediation, can automate tasks in your environment based on the result of a check. PowerShell scripting knowledge is needed as this is fully customizable to your needs.

In this post, we will describe how to use Intune’s Remediation script with an example to uninstall an application based on the detection script.

Prerequisites

  • The device must be enrolled in Intune
  • The device must be Entra ID joined or Entra Hybrid joined
  • Users of the device must have one of the following license
  • Co-managed devices with Configuration Manager (MECM)

Note that the documentation is somewhat confusing about the Windows Enterprise/Education requirement.

For more details about the prerequisites, see Microsoft Learn.

Create Intune Detection script

Before diving into Intune portal, we need to create the scripts for the detection and the remediation of the configurations we want to validate and fix.

The main purpose of the detection script is to evaluate the status of a particular configuration. The Powershell script should be built with 2 exit strategies.

  • Returning 0 when the device is compliant with the configuration.
  • Returning 1 when the device is NOT compliant with the configuration.

When the script ends up in error(1 exit code), the Remediation script will be triggered to correct the configuration.

As an example, here a code to evaluate if the application TightVNC is installed, no matter the version, with the goal to uninstall it. Notice the Exit 1 and Exit 0. These will define if the device is compliant or need remediation

$app = Get-WmiObject -Class Win32_Product -Filter “Name = ‘TightVNC'”
if($app.Name -eq “TightVNC”)
{
Write-host “tightVNC found. Trigger Remediation script to uninstall”
Exit 1
}
else
{
Write-host “tightVNC not found. Computer is compliant”
Exit 0
}

Create Intune Remediation script

The main purpose of this Remediation script is to correct a configuration that isn’t compliant, based on the return of the detection script. There isn’t a particular return code needed for this script. Once it runs, the Detection script will re-evaluate the status of a device to determine it is now compliant.

As an example, here a code to uninstall the application TightVNC is installed, no matter the version.

$app = Get-WmiObject -Class Win32_Product -Filter “Name = ‘TightVNC'”
$app.Uninstall()

Intune Remediation script

  • To create a new Remediation script, go to the Intune portal, Devices/Remediation, and click on Create script package
  • Click on Create script package, and input the name of the script.
  • Provide both Powershell scripts files.
  • Additional options are available for your scripts. they are pretty self-explanatory
  • Set the Scope tag if needed.
  • When selecting the assignment group, pay special attention to the schedule. This will be the frequency of the check

Reporting Remediations

The default view provides quick details of the progress of a remediation script.

Looking into the details of a specifc remediation script.

And finally per device status.

As anything Intune, be patient for reporting to show up!

Built-in Remediation scripts

Microsoft provides 2 built-in scripts.

  • Update Stale Group policies
    • Help force a refresh of GPOs if it hasn’t happened within the last 7 days.
  • Restart Office Click-to-run service.
    • Ensure that the Click-to-run service is running.

For more details about the built-in Remediation script, see Microsoft Learn

Microsoft also provides many Powershell scripts examples, that can be found here.

Run Remediation on-Demand (Preview)

this is a new feature that allow Intune admin to run Remediation on a specific device. It currently support doing it on a single device at a time.

  • Select a device, and choose Run Remediation
  • Select which Remediation to run, and voila!

For more details about Intune Remediation script, see Microsoft Learn.

Comments (0)