Proactive Remediations What? Why? How?

So, Proactive Remediations: what? why? how? These are my insights into Proactive Remediations. I hadn't had time yet to check out the “Proactive Remediations” feature. I see a lot of solutions built with Proactive Remediations, but they only show the solution. Don’t get me wrong, I have seen some awesome stuff built. I hope to give you some insight into the feature to help you better understand it. Of course, I’m showing an example. A simple one. Just so you get the idea.

Prerequisites

Firstly, your device is enrolled in Intune and has the proper licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user

You can deploy a maximum of 200 script packages.

Proactive Remediations What?

Let’s talk about what the feature is. You can use Proactive Remediations to deploy script packages with a detect and remediate option. You can find it here in the reporting part of the Endpoint Manager Portal:

Proactive Remediations - Location in Portal

What does that mean, detect and remediate? Firstly, you write a detection script. This script detects whether the managed device has an issue. When it finds the issue, the script must end with exit code 1; when everything is fine, it ends with exit code 0. For example:

# Detection script: only checks, never changes anything on the device
$Path = Test-Path -Path "C:\Users\Public\Desktop\test.txt"

If ($Path -eq $True) {
    # Nothing to do: exit 0 tells Intune the device is compliant
    Write-Host "File exists, file doesn't need to be created"
    Exit 0
}
else {
    # Issue found: exit 1 tells Intune to run the remediation script
    Write-Host "File does not exist, file needs to be created"
    Exit 1
}

The script above is fairly simple. Firstly, the script detects whether the file “C:\Users\Public\Desktop\test.txt” exists. If it does, the exit code is 0. If it doesn’t, the exit code is 1.

When the exit code of the detection script is 1, the remediation script is applied to the managed device. (The detection and remediation script can be the same script if you code it well.)

This is the remediation script:

# Remediation script: runs only after the detection script exited with 1
$Path = "C:\Users\Public\Desktop\test.txt"

$Test = Test-Path -Path $Path -ErrorAction SilentlyContinue

If ($Test -eq $False) {
    try {
        # New-Item writes the created file to the output, which shows up in the portal
        New-Item -Path $Path -ItemType File
        Exit 0
    }
    catch {
        # Report the failure so the portal shows the remediation as failed
        Write-Error $_
        Exit 1
    }
}
else {
    # Nothing left to fix (another process may have created the file in the meantime)
    Write-Host "File already exists"
    Exit 0
}

It again checks whether the file exists and creates the file if it doesn’t. I could have used the same file for both, but for explanatory purposes I have separated these scripts.
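To show the same detect-and-remediate contract on something a defender actually cares about, here is an added detection/remediation pair that is not part of the original post. It follows the pattern of the file example above (exit 0 = compliant, exit 1 = issue found or remediation failed) but checks a registry value instead: EnableLUA under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which controls whether UAC is enabled. The choice of this value is my own illustration, not something the post discusses; the key and value names are the real ones. Both scripts run as SYSTEM by default in Proactive Remediations, so writing to HKLM works without any extra configuration. Save the two parts as separate .ps1 files and upload them as the detection and remediation script respectively.

```powershell
# ---------- Detect-EnableLUA.ps1 ----------
# Detection must be read-only: it reports, it never fixes.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'EnableLUA'

try {
    $Value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
}
catch {
    # Missing key or value: treat as non-compliant so remediation runs.
    Write-Output "$Name not found under $Key"
    Exit 1
}

if ($Value -eq 1) {
    # Compliant: exit 0, and the output line is what you see in the portal.
    Write-Output "$Name is $Value (UAC enabled)"
    Exit 0
}

Write-Output "$Name is $Value (UAC disabled)"
Exit 1

# ---------- Remediate-EnableLUA.ps1 ----------
# Runs only when the detection script exited with 1.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'EnableLUA'

try {
    # Create the policy key if a stripped-down image does not have it.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord -ErrorAction Stop

    # Re-read the value instead of trusting the write: a failed remediation
    # that exits 0 would show up as "resolved" in the portal.
    $After = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    if ($After -ne 1) {
        throw "$Name is $After after write"
    }

    Write-Output "$Name set to 1; change takes effect after reboot"
    Exit 0
}
catch {
    # Non-zero exit marks the remediation as failed in the portal.
    Write-Output "Remediation failed: $($_.Exception.Message)"
    Exit 1
}
```

Two design points worth copying into your own packages: the detection script never writes to the device, so the “issues detected” column in the portal stays a true picture of the estate, and the remediation script re-reads the value it just set before exiting 0, so a silent failure is reported rather than counted as resolved. The single line each script writes is what ends up in the pre- and post-remediation output columns, so keep it short and make it state the value it found.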

After that, it outputs the creation of the file. You can see that here. It states that the device has issues after detection:

Next, it shows the remediation status:

And, after that, it shows the output for post-detection:

Furthermore, you need to select these columns first:

Lastly, the Intune Management Extension handles the detection and remediation of these script packages.

Proactive Remediations Why?

Why should you use this feature? First of all, I think it’s brilliant. That’s also because I have seen multiple solutions deployed with Proactive Remediations. You should use this feature when you want to continuously run a script against a managed device based on a detection you design yourself. For example, you can use it to apply BIOS updates on Lenovo machines, or to create a local admin account whose password is changed every day, with the output visible in the portal. (Links to these solutions are listed at the bottom of the page.)

I hear you saying: what is the difference from a regular PowerShell script, or from a Win32 app in which a PowerShell script is packaged?

A PowerShell script is only deployed once, whereas Proactive Remediations use a detection and a remediation script. You can schedule these to run hourly, daily, and so forth.

A Win32 app can’t post output back to the portal, whereas Proactive Remediations can. In addition, you can’t schedule a Win32 app deployment to run hourly, daily, etc.

So, this feature is far more versatile than a simple PowerShell script or Win32 app. I think this is why it requires Windows Enterprise licensing.

Proactive Remediations How?

Lastly, the how. To show you how it works I wrote a simple example. It creates a file if it doesn’t exist. It’s a text file on the Public desktop, just to show the mechanism, but you get the idea from that. I am demonstrating this with the example scripts above. Please save these as .ps1 files. It is fairly simple to create this in the portal. Log on to the MEM portal.

After that, go to reports and Endpoint Analytics:

Proactive Remediations - Endpoint Analytics
Choose this option:
Proactive Remediations - Location in portal

Create a script package:

Proactive Remediations - create script package

Enter a name and click on next.

After that, select your detect and remediation scripts:

Furthermore, you probably recognize the options below. Use these as your scripts require. For my script to run, we leave these unselected.

After that, assign scope tags if needed.

Next, assign a group to the script package. When you have assigned a group the option appears to add a schedule to the script package:

The options for the schedule are: “Daily, Hourly, and Once”. After that, you can choose at what frequency the schedule runs.

Save the schedule and go to Review + create to save the script package.

I hope this blog shed some light on the Proactive Remediations Feature for you!

Check out some awesome solutions below from my fellow community members.

References

Microsoft Doc about Proactive Remediations

Proactive Remediations Solutions:
LeanLaps by Jos Lieben
Unpinning the Microsoft Store by Andrew Taylor
Update Lenovo BIOS by Damian van Robaeys

Other posts by me:
Intune Managed Device Rapport with a post in Teams
Packer YAML Windows 365 Image
