Deploy Proactive Remediation Script using Intune | Easy Method

Let’s see how to Deploy a Proactive Remediation Script using Intune. First, you need to ensure that Tenant Attach and Endpoint Analytics are enabled for the SCCM environment. You can use built-in script packages to get started with Proactive remediations.

You can refer to the prerequisites of the proactive remediation script before starting the following activity. Proactive remediations are script packages from the Intune portal that can detect and fix common support issues on a user’s device before they even realize there’s a problem.

Endpoint Analytics Remediation Scripts - Deploy built-in script packages

Video Proactive Remediation Script Package

The video covers the Intune Proactive Remediation script package and its PowerShell scripts: an advanced workflow to detect and remediate common issues with the PowerShell script package. Proactive remediations are part of Endpoint analytics.

Detection Script – Intune Proactive Remediation

Let’s check out the sample PowerShell script that detects whether the BITS log file size is set to 2. If it’s not set to 2, the remediation script kicks in to fix the issue.

# Define the path to the registry key
$Path = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\BITS"

# Define the name of the registry value to check = VALUENAME
$Name = "LogFileSize"

# Define the expected value of the registry value = VALUE DATA
$Value = "2"

# Retrieve the value of the registry value
$Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $Name

# If the registry value matches the expected value, output "Compliant"
If ($Registry -eq $Value){
    Write-Output "Compliant"
    Exit 0
} 
# If the registry value does not match the expected value, output "Not Compliant"
Else {
    Write-Warning "Not Compliant"
    Exit 1
}

Remediation Script – Intune Proactive Remediation

Let’s now check the remediation script for the Intune Proactive Remediation functionality, which fixes the BITS log file size issue.

# Define the path to the registry key
$Path = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\BITS"

# Define the name of the registry value to check
$Name = "LogFileSize"

# Define the expected value of the registry value
$Value = "2"

# Retrieve the value of the registry value
$Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $Name

# If the registry value matches the expected value, output "Compliant"
If ($Registry -eq $Value){
    Write-Output "Compliant"
    #Exit 0
} 
# If the registry value does not match the expected value, remediate and output "Fixed"
Else {
    Write-Warning "Not Compliant. Attempting remediation..."
    # Set the registry value to the expected value
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force
    # Verify remediation
    $RemediatedRegistry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $Name
    if ($RemediatedRegistry -eq $Value) {
        Write-Output "Fixed"
        Exit 0
    } else {
        Write-Warning "Remediation failed"
        Exit 1
    }
}
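
To exercise this pair on a test machine before assigning it, the following added example (not part of the original post and not Intune's own code) runs a detection script, runs the remediation only when detection exits non-zero, and then detects again to confirm the fix. The function names, parameter names and script file names are assumptions.

```powershell
# Added example: local dry run of a detection/remediation pair.
# Function names, parameter names and script paths are assumptions.
function Invoke-ScriptForExitCode {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Script not found: $Path"
    }
    # Run in a child process so that 'Exit' inside the script cannot end
    # this session and $LASTEXITCODE carries the script's exit code.
    $output = & powershell.exe -NoProfile -NonInteractive -File $Path 2>&1
    [pscustomobject]@{
        Script   = Split-Path -Leaf $Path
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

function Test-RemediationPair {
    param(
        [Parameter(Mandatory)][string]$DetectionPath,
        [Parameter(Mandatory)][string]$RemediationPath
    )

    # Exit 0 from detection means compliant: the remediation must not run
    $pre = Invoke-ScriptForExitCode -Path $DetectionPath
    if ($pre.ExitCode -eq 0) {
        return [pscustomobject]@{ Result = 'Compliant'; Steps = @($pre) }
    }

    # Detection exited non-zero: run the fix, then detect again to confirm
    $fix  = Invoke-ScriptForExitCode -Path $RemediationPath
    $post = Invoke-ScriptForExitCode -Path $DetectionPath

    # The second detection decides the outcome, not the remediation's own claim
    $result = if ($post.ExitCode -eq 0) { 'Remediated' } else { 'RemediationFailed' }

    [pscustomobject]@{ Result = $result; Steps = @($pre, $fix, $post) }
}

# Usage (file names are placeholders for the two scripts above):
# $run = Test-RemediationPair -DetectionPath .\Detect-BitsLogFileSize.ps1 `
#                             -RemediationPath .\Remediate-BitsLogFileSize.ps1
# $run.Result
# $run.Steps | Format-Table Script, ExitCode, Output -AutoSize
```

Intune runs script packages in the SYSTEM context unless the package is set to use the logged-on credentials, so run the harness from an elevated session to get comparable registry access.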

Built-in Script Packages

Let’s look at the built-in scripts available at the time of writing this post. I will try to keep this updated. I invite the community to use the comments section to flag the availability of new built-in scripts in the portal.

While writing the post, the following Proactive Remediation Script Packages are available in the Intune portal.

  • Update Stale Group Policies – Stale Group Policies can lead to helpdesk tickets related to connectivity and internal resource access.
  • Restart Office Click-to-run service – When the Click-to-run service is stopped, Office apps fail to start leading to helpdesk calls.

Background

The Microsoft Intune Management Extension is the agent that helps Intune to deploy Proactive Remediation Script Packages. The IME service gets the scripts from Intune and runs them on Windows 10 co-managed devices (SCCM + Intune).

The scripts are rerun every 24 hours by default. The following built-in script packages just need to be assigned to the device groups from Intune.

Deploy

Let’s check the Proactive Remediation Script Packages steps in the below section:

  • Launch the endpoint.microsoft.com portal
  • Navigate to Reports > Endpoint Analytics
  • Click on Proactive Remediation
  • Click on the built-in script Restart stopped Office C2R svc
  • Click on Properties
  • Navigate to the Assignment section and click on Edit to deploy the built-in Proactive Remediation Script Package called Restart stopped Office C2R svc.
  • You can either deploy the script package to all Devices or all users.
  • You also have the option to select any Azure AD custom groups using the + Select Groups to Include option.

NOTE! Include or exclude either device groups or user groups. Don’t mix user and device groups across include and exclude assignments.

Select groups to include: Click on the Select button after selecting a particular AAD Group. Click the Review + Save button.

Click on the Save button to complete the deployment process.

Scripts

Let’s check the detection and remediation scripts in the below section of the post. You can check the detection and remediation scripts from the settings section of the proactive remediation script package.


Detection Script for Restart stopped Office C2R svc!

#=============================================================================================================================
#
# Script Name: DetectClickToRunServicecState.ps1
# Description: Purpose of this script is to detect if Office 16 installed and further if "Click to Run Service" is running
# Notes: No variable substitution should be necessary
#
#=============================================================================================================================

# Define Variables
$curSvcStat,$svcCTRSvc,$errMsg = "","",""

# Main script
If (-not (Test-Path -Path 'hklm:\Software\Microsoft\Office\16.0')){
    Write-Host "Office 16.0 (or greater) not present on this machine"
    exit 0
}

Try{
    # -ErrorAction Stop turns a missing service into a terminating error so the Catch block runs
    $svcCTRSvc = Get-Service "ClickToRunSvc" -ErrorAction Stop
    $curSvcStat = $svcCTRSvc.Status
}
Catch{
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}

If ($curSvcStat -eq "Running"){
    Write-Output $curSvcStat
    exit 0
}
Else{
    If($curSvcStat -eq "Stopped"){
        Write-Output $curSvcStat
        exit 1
    }
    Else{
        # Parentheses are required so the concatenated string is passed as one argument
        Write-Error ("Error: " + $errMsg)
        exit 1
    }
}

# SIG # Begin signature block
# Signature Removed - But will be available in the Intune portal.
# SIG # End signature block

Remediation Script for Restart stopped Office C2R svc!

#=============================================================================================================================
#
# Script Name: RemediateClickToRunServiceState.ps1
# Description: Purpose of this script is to start the "Click to Run Service" and change its startup type to Automatic
# Notes: No variable substitution needed
#
#=============================================================================================================================

# Define Variables
$svcCur = "ClickToRunSvc"
$curSvcStat,$svcCTRSvc,$errMsg = "","",""
$ctr = 0

# First, let's make sure nothing has changed since detection and service exists and is stopped
Try{
    # -ErrorAction Stop turns a missing service into a terminating error so the Catch block runs
    $svcCTRSvc = Get-Service $svcCur -ErrorAction Stop
    $curSvcStat = $svcCTRSvc.Status
}
Catch{
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    Exit 1
}

# If the service got started between detection and now (nested if) then return
# If the service got uninstalled or corrupted between detection and now (else) then return the "Error: " + the error
If ($curSvcStat -ne "Stopped"){
    If ($curSvcStat -eq "Running"){
        Write-Output "Running"
        Exit 0
    }
    Else{
        Write-Error $errMsg
        Exit 1
    }
}

# Okay, the service should be there and be stopped, we'll change the startup type and get it running
Try{
    Set-Service $svcCur -StartupType Automatic
    Start-Service $svcCur
    $svcCTRSvc = Get-Service $svcCur
    $curSvcStat = $svcCTRSvc.Status
    While ($curSvcStat -eq "Stopped"){
        Start-Sleep -Seconds 5
        $ctr++
        # Refresh the status so the loop ends as soon as the service has started
        $curSvcStat = (Get-Service $svcCur).Status
        if($curSvcStat -eq "Stopped" -and $ctr -eq 12){
            Write-Output "Service could not be started after 60 seconds"
            Exit 1
        }
    }
}
Catch{
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    Exit 1
}

# SIG # Begin signature block
# Removed the Signature
# SIG # End signature block

Results

You can check the results of the remediation script from the below section of the Intune portal. You can check the overview & Device status tab to check the results.

NOTE! – This gives information about how your script package is performing and the health of your devices. The scripts run according to your defined scheduling preferences. The detection bar chart reflects the returned value from the detection script while the remediation bar chart describes the remediation script output.

8 thoughts on “Deploy Proactive Remediation Script using Intune | Easy Method”

  1. Hi Anoop. Is there a way a proactive remediation script can be triggered at specific time intervals, much like scheduled tasks?

  2. Hi,

    Can you guys create a new post for disk cleanup using Proactive Remediations?
    Question: When disk space of less than 20% is detected, A Disk cleanup should be used as remediation.
    I really appreciate your help on this.

    Many Thanks,
    Niranjan

  3. Hi Anoop, using the PowerShell script, we can create when to start and in which intervals the script has to be executed, right? Why should we use a remediation script?

  4. Hi Niranjan,

    Did you get any replies for this?
    I’m looking into doing something like this for our organisation. I did wonder if a profile deletion script would be enough?

  5. Hi Anoop,
    How to run a PowerShell script on all Intune devices and get the output file as a CSV file, is there any way for this?
    Regards,
    Upendar.

    • Hi, are you looking to collect particular information from Intune managed devices in CSV format? If so, you can create a PS script to collect the information in CSV format and upload it to a common shared location. But if you ask me whether that would be useful? No! Because you will end up analyzing 1000s of CSV files!

  6. If you need to combine common CSV files, dump all your CSV into a folder (ex. C:\temp\CSVFiles), and then run the below command. In the below example it will take all CSV files and merge them into one.

    copy "C:\temp\CSVFiles\*.csv" "C:\temp\AllCSVCombined.csv"
