Intune Scripts and Remediation: Complete Guide

Learn how to use Intune proactive remediations to detect and fix common device issues automatically, including detection scripts, remediation scripts, and monitoring.

By Ali Alame

Intune proactive remediations enable you to automatically detect and fix common device issues using detection and remediation scripts. This capability helps maintain device health, reduce support tickets, and ensure devices remain compliant and properly configured.

Understanding Proactive Remediations

Proactive remediations in Intune use detection scripts to identify issues and remediation scripts to fix them automatically. Scripts run on a schedule, detect problems, and apply fixes without user intervention.

Key Benefits

  • Automated Issue Resolution: Fix problems automatically
  • Proactive Maintenance: Address issues before they impact users
  • Reduced Support Tickets: Automate common fixes
  • Device Health: Maintain optimal device configuration
  • Custom Solutions: Create custom detection and remediation logic

For an overview, see Remediations.

Creating Remediation Script Packages

Step 1: Prepare Scripts

Create two PowerShell scripts:

  1. Detection Script: Detects if issue exists (returns exit code 0 if issue found, 1 if not)
  2. Remediation Script: Fixes the issue (returns exit code 0 on success)

Script Requirements:

  • Must be PowerShell (.ps1) files
  • Encoded in UTF-8
  • Detection script: Exit 0 = issue found, Exit 1 = no issue
  • Remediation script: Exit 0 = success, Exit 1 = failure

Step 2: Access Remediations

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > Manage devices > Scripts and remediations > Remediations
  3. Select Create script package

Step 3: Configure Basics

  1. Name: Enter descriptive name
  2. Description: Optional description
  3. Publisher: Publisher name (defaults to your name)
  4. Version: Auto-generated (read-only)
  5. Select Next

Step 4: Upload Scripts

  1. Detection script file: Upload detection script
  2. Remediation script file: Upload remediation script
  3. Run this script using the logged-on credentials: Yes/No
  4. Enforce script signature check: Yes/No
  5. Run script in 64-bit PowerShell host: Yes/No

Important: Scripts must be encoded in UTF-8. Upload scripts rather than editing in browser to ensure proper encoding.

Select Next.
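
Added example (not from the original article): a pre-upload check for the two requirements above, UTF-8 encoding and, when Enforce script signature check is set to Yes, the Authenticode status of each file. Test-RemediationScript and the sample file names are hypothetical, and the two sample scripts are constructed for the demonstration.

```powershell
# Added example: Test-RemediationScript is a hypothetical helper, not an Intune cmdlet.
function Test-RemediationScript {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # Report a UTF-8 byte-order mark so you know exactly what will be uploaded
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and
              $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF

    # The strict decoder throws on any byte sequence that is not valid UTF-8;
    # the NUL check catches BOM-less UTF-16, whose ASCII text would otherwise pass.
    $validUtf8 = $bytes -notcontains 0
    if ($validUtf8) {
        $strict = [System.Text.UTF8Encoding]::new($false, $true)
        try { [void]$strict.GetString($bytes) } catch { $validUtf8 = $false }
    }

    # Relevant when "Enforce script signature check" is set to Yes
    $sig = Get-AuthenticodeSignature -LiteralPath $full

    [pscustomobject]@{
        File       = Split-Path -Leaf $full
        ValidUtf8  = $validUtf8
        HasUtf8Bom = $hasBom
        Signature  = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer     = $sig.SignerCertificate.Subject
    }
}

# Constructed sample input: the same script text saved in two encodings
$dir = Join-Path ([System.IO.Path]::GetTempPath()) "remediation-precheck"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$text = 'Write-Output "sample"'
[System.IO.File]::WriteAllText("$dir\Detect-Utf8.ps1", $text, [System.Text.UTF8Encoding]::new($false))
[System.IO.File]::WriteAllText("$dir\Detect-Utf16.ps1", $text, [System.Text.Encoding]::Unicode)

Get-ChildItem -Path $dir -Filter *.ps1 |
    ForEach-Object { Test-RemediationScript -Path $_.FullName } |
    Format-Table -AutoSize
```

The UTF-16 copy reports ValidUtf8 as False, and both unsigned samples report a Signature of NotSigned.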

Step 5: Assign to Groups

  1. Select + Select groups to include
  2. Choose device or user groups
  3. Select Next

Step 6: Review and Create

  1. Review all settings
  2. Select Create to save

For detailed guidance, see Remediations.

Example Remediation Scripts

Example: Fix Registry Setting

Detection Script:

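$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
$Name = "SettingName"
$ExpectedValue = "ExpectedValue"

# A missing key means the setting is absent, which the remediation script also fixes
if (-not (Test-Path $Path)) {
    Write-Output "Issue detected: $Path does not exist"
    exit 0  # Issue found
}

# A missing value yields $null here and is reported as an issue
$CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($CurrentValue -ne $ExpectedValue) {
    Write-Output "Issue detected: Setting is $CurrentValue, expected $ExpectedValue"
    exit 0  # Issue found
}
exit 1  # No issue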

Remediation Script:

$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
$Name = "SettingName"
$Value = "ExpectedValue"

try {
    # Create the key if it does not exist yet
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }
    # -ErrorAction Stop turns a failed write into an exception so the catch block runs
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type String -Force -ErrorAction Stop
    Write-Output "Setting fixed successfully"
    exit 0
}
catch {
    Write-Error "Failed to fix setting: $_"
    exit 1
}

Monitoring Remediations

View Remediation Status

  1. Go to Devices > Scripts and remediations > Remediations
  2. Select a remediation
  3. Review Device status and Policy status

Status Types

  • Succeeded: Issue detected and fixed
  • Conflict: Conflicting remediation detected
  • Failed: Remediation failed
  • Not applicable: Script doesn't apply

Detailed Reports

View detailed remediation results:

  • Device status: Per-device remediation status
  • Policy status: Overall remediation status
  • Execution history: Historical remediation data

Best Practices

1. Design Reliable Scripts

  • Idempotent: Scripts should be safe to run multiple times
  • Error Handling: Include proper error handling
  • Logging: Log actions for troubleshooting
  • Testing: Test thoroughly before deployment

2. Use Appropriate Detection Logic

  • Clear Detection: Detection should be unambiguous
  • Efficient: Keep detection scripts fast
  • Accurate: Avoid false positives/negatives
  • Documented: Document detection logic

3. Safe Remediation

  • Reversible: Remediations should be reversible when possible
  • Tested: Test remediations in isolated environment
  • Non-Destructive: Avoid destructive operations
  • Logged: Log all remediation actions
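
The practices listed under Design Reliable Scripts and Safe Remediation, applied to the article's registry remediation as an added example (not part of the original article). The log directory and backup file name are assumptions, and the script assumes it runs in the system context so it can write to HKLM.

```powershell
# Added example. Path, name and value repeat the article's placeholders.
$Path    = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
$Name    = "SettingName"
$Value   = "ExpectedValue"
# Assumed location; pick a directory standard users cannot write to
$LogDir  = Join-Path $env:SystemRoot "Logs\Remediation"
$LogFile = Join-Path $LogDir "Fix-RegistrySetting.log"
$Backup  = Join-Path $LogDir "Fix-RegistrySetting.previous.json"

function Write-Log([string]$Message) {
    $line = "{0:o} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
    Write-Output $line
}

try {
    New-Item -ItemType Directory -Path $LogDir -Force -ErrorAction Stop | Out-Null

    $keyExisted = Test-Path $Path
    $current = $null
    if ($keyExisted) {
        $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # Idempotent: the value is already correct, so make no write at all
    if ($current -eq $Value) {
        Write-Log "No change needed: $Name already has the expected value"
        exit 0
    }

    # Reversible: record the prior state once, before the first change
    if (-not (Test-Path $Backup)) {
        [pscustomobject]@{ Path = $Path; Name = $Name; KeyExisted = $keyExisted; PreviousValue = $current } |
            ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8 -ErrorAction Stop
    }

    if (-not $keyExisted) { New-Item -Path $Path -Force -ErrorAction Stop | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type String -Force -ErrorAction Stop
    Write-Log "Changed $Name from '$current' to '$Value'"
    exit 0
}
catch {
    Write-Log "Failed to set ${Name}: $_"
    exit 1
}
```

The backup file is written only on the first change, so repeated scheduled runs never overwrite the record of the original state.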

4. Monitor Regularly

  • Review Status: Check remediation status regularly
  • Address Failures: Investigate and fix failures
  • Optimize: Improve scripts based on results
  • Document: Document successful remediations

Conclusion

Proactive remediations provide powerful automation capabilities for maintaining device health. By following these best practices:

✅ Design reliable and idempotent scripts
✅ Use clear detection logic
✅ Implement safe remediation actions
✅ Monitor remediation status regularly
✅ Test thoroughly before deployment

You can automate common device maintenance tasks and reduce support overhead while ensuring devices remain properly configured and healthy.

Remember: Remediations run automatically on a schedule. Ensure scripts are well-tested and safe to run repeatedly, as they will execute automatically when issues are detected.