How to Use Proactive Remediations in Intune

Using Proactive Remediations in Intune.

This article will cover the use of proactive remediations in Intune, why they are great and how to start using them instead of standard scripts.

Why use them?

Remediations allow you to write PowerShell scripts that are checked against a condition (any condition you can express in PowerShell) at intervals (once, hourly, or daily, and at specific times). This gives you much more granular control over how your scripts run on endpoint devices. For example, if you need to make sure your end users keep the Windows 11 taskbar aligned to the left, you can create a remediation that runs every hour or two and checks whether the taskbar is aligned to the left. If it is not, the remediation can make the changes needed to fix that condition.

If you wrote that as a single script and uploaded it under Devices -> Scripts, it would run once on the endpoint devices and never run again. With remediations, we have the power to run scripts on a schedule.

How to start using them?

When creating a Remediation, you will need to write two PowerShell scripts. There is the Detection script and the Remediation script. The names are pretty straightforward.

The Detection script is the condition that you want to check for. When the checked condition is true, the script should exit with exit code 1 (exit 1) to notify Intune that the condition has been found and the remediation script needs to run. Exiting with code 0 tells Intune that no issue was found.

Here's an example detection script that checks whether the target device is running any version of Windows 11 and, if so, whether the Taskbar Alignment is set to Left. If the alignment is anything other than Left, the script exits with 1 so that the remediation runs.

If you are following along, copy and paste the following code block into a file called detection.ps1.

$regKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$regValue = "TaskbarAl"
# Note: HKCU is the hive of the account the script runs as. With "Run this script
# using the logged-on credentials: No", that account is SYSTEM, not the signed-in user.
if ((Get-ComputerInfo | Select-Object -expand OsName) -match "Windows 11"){
  # regKey does not exist, run remediation
  if (-not(Test-Path $regKey)){
    exit 1
  }
  # If regKey exists and TaskbarAl is missing or not equal to 0, run remediation.
  # -ErrorAction SilentlyContinue keeps a missing value from writing an error, and the
  # comparison is parenthesised so that -not applies to the whole test, not just the value.
  elseif (-not((Get-ItemProperty $regKey -Name $regValue -ErrorAction SilentlyContinue).$regValue -eq 0)){
    exit 1
  }
}
# Condition not found (or not Windows 11): report no issue to Intune
exit 0

The Remediation script is supposed to contain the code that fixes the problem you are trying to detect. The following code is built off of the detection script. It creates the registry key if needed and sets the value that controls the alignment of the Taskbar.

If you are following along, copy and paste the following code block into a file called remediation.ps1.

$regKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$regValue = "TaskbarAl"

try {
  if (-not(Test-Path $regKey)) {
    # regKey does not exist, create it (Out-Null keeps the new key object out of the script output)
    New-Item -Path $regKey -Force | Out-Null
  }
  # regKey now exists, create/set the value for TaskbarAl.
  # Set TaskbarAl to 0 to align the taskbar to the Left, set to 1 to align it to the Center
  New-ItemProperty -Path $regKey -Name $regValue -Value 0 -PropertyType DWORD -Force | Out-Null
}
catch {
  Write-Error $_.Exception.Message
  # Non-zero exit so Intune records the remediation as failed instead of succeeded
  exit 1
}
exit 0

Once you have the detection.ps1 and remediation.ps1 scripts ready to go, we can create the remediation in Intune.
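Before uploading, it helps to run the pair locally the way Intune does (detect, remediate only on exit 1, then detect again) and confirm the exit codes come out as expected. The harness below is an added example and not part of the article; it assumes detection.ps1 and remediation.ps1 are in the current directory and runs them as whichever user launches it, so it does not reproduce the SYSTEM context Intune uses when "logged-on credentials" is set to No.

```powershell
# Added example (not from the article): exercise a detection/remediation pair locally
# in the same order Intune uses, and report the exit codes Intune would see.
# Assumes .\detection.ps1 and .\remediation.ps1 exist in the current directory.
function Invoke-ScriptExitCode {
    param([Parameter(Mandatory)][string]$Path)
    # Run the script in a fresh PowerShell process so that 'exit N' ends that
    # process rather than this harness, and $LASTEXITCODE carries the result.
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Path | Out-Null
    return $LASTEXITCODE
}

function Test-RemediationPair {
    param(
        [string]$Detection   = ".\detection.ps1",
        [string]$Remediation = ".\remediation.ps1"
    )
    $before = Invoke-ScriptExitCode -Path $Detection
    Write-Host "Detection before remediation: exit $before"

    # Intune only runs the remediation when detection returns 1
    if ($before -ne 1) {
        Write-Host "No issue detected; remediation would not run."
        return [pscustomobject]@{ Before = $before; Remediated = $false; After = $before }
    }

    $fix = Invoke-ScriptExitCode -Path $Remediation
    Write-Host "Remediation: exit $fix"

    # Intune re-runs detection afterwards to decide whether the remediation worked
    $after = Invoke-ScriptExitCode -Path $Detection
    Write-Host "Detection after remediation: exit $after"
    if ($after -ne 0) {
        Write-Warning "Detection still reports the issue; check the remediation logic."
    }
    return [pscustomobject]@{ Before = $before; Remediated = ($fix -eq 0); After = $after }
}

Test-RemediationPair
```

Intune's "Run script in 64-bit PowerShell: No" setting launches the 32-bit host; to mimic that from a 64-bit session, point the harness at $env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe instead.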

Let's create the Remediation in Intune

  • Navigate to the Intune Admin Center (either endpoint.microsoft.com or intune.microsoft.com).

  1. Go to Devices -> Remediations -> click Create script package.

  2. Under the Basic tab:

    • Enter a Name. I called this one: Set Taskbar Alignment | Windows 11
    • Optionally enter a Description and Publisher

  3. Under the Settings tab:

    • Select the Detection script file (detection.ps1)
    • Select the Remediation script file (remediation.ps1)
    • Set the next three switches according to your environment. For this remediation, I set them to the following:
      1. Run this script using the logged-on credentials : No
      2. Enforce script signature check : No
      3. Run script in 64-bit PowerShell : No

  4. Under the Scope tags tab:

    • Select scope tags according to your environment. I did not select any for this remediation.

  5. Under the Assignments tab:

    • Select the Included groups and Excluded groups accordingly.
    • When you select any Included groups you can set the schedule for running the detection script. The schedule can be set to Daily, Hourly, or Once. Select the schedule according to your environment requirements.

  6. Under the Review + create tab:

    • Review your settings and confirm they are right before clicking Create.

Once you have created the remediation, just wait for Intune to start reporting back. It will report which devices were found with issues, which were found without issues, and the status of any remediations that ran.