Proactive Remediation scripts from Intune


One of the challenges I've encountered moving from an MSP to a larger enterprise has been the lack of auditable and efficient script deployment, since our organization does not have a traditional RMM platform (not that we lack those capabilities within AAD/Intune). One of the best tools I've found so far, which my organization was already using, is something Microsoft squirrels away in a completely unintuitive location. Let me show you Proactive Remediations and what they can do.

First, what exactly is a Proactive Remediation? It is Microsoft's solution for deploying scripts that resolve specific problems across your fleet, but it works quite differently from a traditional monolithic script that bundles detection, remediation and a final sweep to confirm the issue is solved. The great thing about Proactive Remediations is that you split your script into two separate functions.

Function 1, the detection script, determines whether the device has a problem that needs fixing, i.e. whether there is a reason for the remediation to run at all.

Function 2, the remediation script, runs only if the detection determined that the user/device is "With Issues", and it applies the actual fix as a separate script.

As I mentioned earlier, this feature is hard to find, so here is where to locate it and get started:

  1. Browse to https://endpoint.microsoft.com
  2. Select Reports
  3. Select Endpoint Analytics
  4. Select Proactive Remediations

Once you've found it, create a new script package to get started. Give it a name and a description, then click Next to upload a script.

Unlike Intune Scripts, which have the serious shortfall of not displaying the content of the scripts you upload, this page shows you the contents of both the detection and remediation scripts once they are uploaded. That is already something I thank Microsoft for, and hopefully it will be implemented in the Scripts section soon too!

Once you've assigned the script and set a deployment schedule, you'll be able to see trends showing whether or not your script is actually fixing the issue, as in the screenshot below.

This is great, but sometimes you need to see the output of your script to determine what is happening and what the final result was. That is another hidden function in this section that you need to turn on. Browse to the "Device Status" section of your Proactive Remediation and select the "Columns" button at the top, then turn on "Pre-remediation detection output" to see your script's output. It will look something like this.
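As an added example (not from the original post or from Microsoft's sample library), here is a detection/remediation pair in the split described above. It assumes the standard Proactive Remediation convention that a detection script exiting with code 1 marks the device "With Issues" and triggers the remediation, that exit code 0 means compliant, and that anything sent to Write-Output is what appears in the "Pre-remediation detection output" column. The check itself, that LSA runs as a protected process (RunAsPPL = 1), is just a sample hardening setting chosen for illustration.

```powershell
# --- Detection.ps1 (upload as the detection script) ---
# Exit 1 = "With Issues" (Intune then runs the remediation script); exit 0 = compliant.
# Text written with Write-Output is shown in the "Pre-remediation detection output" column.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name = 'RunAsPPL'   # sample setting for this example: LSA protected process
try {
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
} catch {
    $value = $null   # value missing: treat as not compliant
}
if ($value -eq 1) {
    Write-Output "Compliant: $($Name)=$value"
    exit 0
} else {
    Write-Output "Not compliant: $($Name) is '$value' (expected 1)"
    exit 1
}

# --- Remediation.ps1 (upload as the remediation script) ---
# Runs only on devices the detection flagged. Sets the value and reports the outcome;
# a non-zero exit here tells Intune the remediation itself failed.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name = 'RunAsPPL'
try {
    New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Set $($Name)=1; the change takes effect after the next reboot"
    exit 0
} catch {
    Write-Output "Failed to set $($Name): $($_.Exception.Message)"
    exit 1
}
```

Because the remediation writes to HKLM, the package should be left to run in the system context rather than with the logged-on user's credentials.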

Finally, if you need example detection and remediation scripts to start from, Microsoft publishes some good ones here: PowerShell scripts for Proactive remediations - Microsoft Endpoint Manager | Microsoft Docs

Nathan Gemmill