How to use Intune remediation scripts to fix common issues on Windows devices
Intune remediation scripts are a powerful feature that allows you to detect and fix common support issues on Windows devices before they affect the user experience. In this blog post, I will explain what Intune remediation scripts are, how they work, and how you can create and deploy your own custom scripts or use the built-in ones provided by Microsoft.
What are Intune remediation scripts?
Intune remediation scripts are script packages that consist of a detection script, a remediation script, and metadata. The detection script checks for a specific condition or issue on the device, such as an expired certificate, a stale group policy, or a missing registry key. The remediation script performs an action to resolve the issue, such as deleting the expired certificate, refreshing the group policy, or creating the registry key. The metadata contains information such as the name, description, and settings of the script package. Think of these like 'if-then' statements: if X is true, then do Y.
You can deploy Intune remediation scripts to your devices using the Intune portal or the Microsoft Endpoint Manager admin center. You can also monitor the status and effectiveness of the scripts using reports and dashboards.
How do Intune remediation scripts work?
Intune remediation scripts run on the device using the Microsoft Intune Management Extension (MIME), which is a lightweight agent that enables PowerShell scripting on Windows 10 devices. The MIME agent periodically checks for new or updated script packages from Intune and downloads them to the device. The MIME agent then executes the detection script on the device and reports the result back to Intune. If the detection script returns an exit code of 1, which means that the issue was detected, the MIME agent runs the remediation script on the device and reports the result back to Intune. If the detection script returns an exit code of 0, which means that no issue was detected, the MIME agent skips the remediation script.
You can configure various settings for your Intune remediation scripts, such as:
The frequency of running the detection script (daily, weekly, monthly, or custom)
The time window for running the detection script
The number of retries for running the detection script
The timeout for running the detection script
The run mode for running the remediation script (user or system)
The notification option for running the remediation script (silent or toast)
The signature check option for running the scripts (enforce or ignore)
How to create and deploy Intune remediation scripts?
You can create your own custom Intune remediation scripts using PowerShell. You need to ensure that your scripts are encoded in UTF-8 and follow some best practices, such as:
Use try-catch blocks to handle errors and exceptions
Use Write-Output to log messages and Write-Error to log errors
Use exit codes to indicate success or failure of the scripts
Use parameters to make your scripts configurable and reusable
Use comments to document your scripts
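The following detection and remediation pair is an added example written for this post, not one of Microsoft's built-in script packages. It applies the practices above to the "missing registry key" case mentioned earlier: the detection script exits 1 when the value is absent or wrong and 0 when it is compliant, and the remediation script creates the key and value. The registry path, value name and expected data are constructed for the example; the two file names are hypothetical, and each section would be uploaded to Intune as its own .ps1 file.

```powershell
# ---- Detect-RegistryValue.ps1 (hypothetical file name) ----
# Detection: exit 1 = issue detected (remediation will run), exit 0 = compliant.
# The key path, value name and expected data are constructed example values.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Contoso\Config',   # assumed example path
    [string]$ValueName = 'TelemetryLevel',                  # assumed example value name
    [int]$Expected     = 1
)
try {
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output "Key $KeyPath not found"
        exit 1
    }
    # -ErrorAction Stop makes a missing value land in the catch block below
    $current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop |
               Select-Object -ExpandProperty $ValueName
    if ($current -eq $Expected) {
        Write-Output "$ValueName is $current (compliant)"
        exit 0
    }
    Write-Output "$ValueName is '$current', expected $Expected"
    exit 1
}
catch {
    # A value that cannot be read is treated as an issue so remediation gets a chance to fix it
    Write-Error "Detection failed: $($_.Exception.Message)"
    exit 1
}

# ---- Remediate-RegistryValue.ps1 (hypothetical file name) ----
# Remediation: create the key if needed, write the value, exit 0 on success, 1 on failure.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Contoso\Config',   # must match the detection script
    [string]$ValueName = 'TelemetryLevel',
    [int]$Expected     = 1
)
try {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Expected -Force | Out-Null
    # Re-read the value so the remediation output records the final state
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    Write-Output "Set $ValueName to $after"
    exit 0
}
catch {
    Write-Error "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Because this pair writes under HKLM, the script package would be deployed in the system run mode; the parameter defaults are what Intune uses, since it invokes the scripts without arguments, and the Write-Output lines are what you will see in the script output report when checking whether the fix worked.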
You can also use some of the built-in Intune remediation scripts provided by Microsoft or some of the community-contributed scripts available on GitHub. Some examples of these scripts are:
Check network certificates: This script detects certificates issued by a CA in either the machine’s or user’s personal store that are expired or near expiry and notifies the user with a toast message.
Clear stale certificates: This script detects and deletes expired certificates issued by a CA from the current user’s personal store.
Update stale group policies: This script detects if the last group policy refresh is greater than a certain number of days ago and runs gpupdate /force to refresh both computer and user policies.
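As an added example modelled on the "update stale group policies" package described above (my own code, not Microsoft's script), the detection script below reads the start time of the last machine policy refresh, which Windows stores as a FILETIME split across the StartTimeHi and StartTimeLo values of the Group Policy state key (that registry location is my assumption about where the timestamp lives), compares it with a threshold, and the remediation script runs gpupdate /force. The seven-day threshold and the file names are constructed for the example.

```powershell
# ---- Detect-StaleGroupPolicy.ps1 (hypothetical file name) ----
param([int]$MaxAgeDays = 7)   # threshold is an assumed example value

# Assumed location: the machine-wide Group Policy state key records the start of the
# last refresh as a 64-bit FILETIME split into two DWORDs, StartTimeHi and StartTimeLo.
$gpState = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'

try {
    $props = Get-ItemProperty -Path $gpState -ErrorAction Stop
    # Reassemble the FILETIME: high DWORD shifted left 32 bits, OR'd with the unsigned low DWORD
    $fileTime = ([Int64]$props.StartTimeHi -shl 32) -bor ([Int64]$props.StartTimeLo -band 0xFFFFFFFF)
    $lastRefresh = [DateTime]::FromFileTime($fileTime)
    $age = (Get-Date) - $lastRefresh
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Output ("Last refresh {0:u}, {1:N1} days ago: stale" -f $lastRefresh, $age.TotalDays)
        exit 1
    }
    Write-Output ("Last refresh {0:u}, {1:N1} days ago: OK" -f $lastRefresh, $age.TotalDays)
    exit 0
}
catch {
    # If the state key cannot be read, report it and request remediation rather than failing silently
    Write-Error "Could not read group policy state: $($_.Exception.Message)"
    exit 1
}

# ---- Remediate-StaleGroupPolicy.ps1 (hypothetical file name) ----
try {
    # Capture gpupdate's console text so it appears in the Intune script output report
    $result = & gpupdate.exe /force 2>&1
    Write-Output ($result -join ' ')
    if ($LASTEXITCODE -ne 0) { throw "gpupdate returned exit code $LASTEXITCODE" }
    exit 0
}
catch {
    Write-Error "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Note that the run mode setting matters here: in the system run mode gpupdate refreshes computer policy, while refreshing the signed-in user's policy requires the scripts to run in the user context.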
To deploy your Intune remediation scripts, you need to follow these steps:
Open the Intune portal or the Microsoft Endpoint Manager admin center
Navigate to Reports > Endpoint analytics > Remediations
Click + Create script package
Enter a name and description for your script package
Upload your detection script and remediation script files
Configure your settings for your script package
Assign your script package to a group of devices
Review and create your script package
How to monitor Intune remediation scripts?
You can monitor the status and effectiveness of your Intune remediation scripts using various reports and dashboards in Intune. Some of these are:
Remediations overview: This dashboard shows you an overview of all your deployed script packages, such as their names, descriptions, run modes, run frequencies, assignment counts, success rates, last run dates, etc.
Script package details: This report shows you more details about a specific script package, such as its settings, assignments, run history, device status, etc.
Device details: This report shows you more details about a specific device that ran a script package, such as its name, OS version, serial number, last sync date, last check-in date, etc.
Script output: This report shows you the output of the detection and remediation scripts for a specific device, such as the messages, errors, exit codes, etc.
You can also export the script output to a CSV file for further analysis or troubleshooting.
Conclusion
Intune remediation scripts are a powerful feature that can help you fix common support issues on Windows devices before they affect the user experience. You can create and deploy your own custom scripts or use the built-in ones provided by Microsoft. You can also monitor the status and effectiveness of your scripts using various reports and dashboards in Intune. I hope this blog post has given you an introduction to Intune remediation scripts and how to use them. If you have any questions or feedback, please contact me. Thanks for reading!