

Intune remediation refers to the process of using Microsoft Intune to automatically detect and fix common issues on managed devices. This is achieved through remediation scripts, which consist of a detection script to identify problems and a remediation script to resolve them. These scripts help maintain device compliance and security by addressing issues proactively, often before users even notice them. By leveraging Intune remediation, IT administrators can reduce support calls and ensure a smoother, more secure IT environment.
I have already written an article about remediation scripts; you can find it at this link:
Intune Remediation : Step by step guide to create remediation script packages | LinkedIn
# Detection: compliant (exit 0) only when the SMB1 server protocol is switched off.
# Intune treats exit 0 as "compliant" and any non-zero exit as "needs remediation".
# NOTE(review): write-host goes to the host/information stream, not stdout - confirm
# the Intune report shows this text; Write-Output is what the other scripts use.
$smb1Enabled = (get-smbserverconfiguration).EnableSMB1Protocol
if ($smb1Enabled -ne $false) {
    # Covers $true and $null (cmdlet unavailable) alike - fail closed as non-compliant
    write-host "SMBv1 is enabled"
    exit 1
}
write-host "SMBv1 is disabled"
exit 0
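# Remediation: turn the SMB1 server protocol off.
# -Force suppresses the confirmation prompt that would otherwise hang a
# non-interactive Intune run; -ErrorAction Stop makes failures reach the catch
# so the script reports exit 1 instead of silently claiming success.
# NOTE(review): this only flips the server-side setting; the SMB1Protocol Windows
# optional feature, if installed, stays in place - confirm whether removing it is
# also part of the baseline.
try {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
    Write-Output "SMBv1 has been disabled"
    exit 0
} catch {
    Write-Error "Failed to disable SMBv1: $_"
    exit 1
}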
# Detection: IPv6 counts as disabled when DisabledComponents under the Tcpip6
# Parameters key holds 0xFF (255). Any other value, a missing value or a read
# error is reported as non-compliant (exit 1).
# NOTE(review): 0xFF switches off every IPv6 interface including loopback; confirm
# the baseline really wants "fully disabled" rather than the prefer-IPv4 setting.
$tcpip6Params = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$valueName    = "DisabledComponents"
$disabledAll  = 255 # 0xFF means IPv6 is fully disabled
try {
    $props  = Get-ItemProperty -Path $tcpip6Params -Name $valueName -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $props) { $actual = $props.$valueName }
    if ($actual -ne $disabledAll) {
        Write-Output "IPv6 is Enabled"
        exit 1 # Return non-compliant state
    }
    Write-Output "IPv6 is disabled"
    exit 0 # Return compliant state
} catch {
    Write-Output "IPv6 is Enabled"
    exit 1 # Return non-compliant state
}
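# Remediation Script: Disable IPv6 using the DisabledComponents registry key
# This script sets the registry value to completely disable IPv6.
# Exit 0 on success, exit 1 when the key or value could not be written.
# Define the registry path and key
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$registryName = "DisabledComponents"
$expectedValue = 255 # 0xFF means IPv6 is fully disabled
try {
    # Check if the registry path exists
    if (!(Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null
    }
    # -Type DWord pins the value type so the detection script's integer compare
    # keeps working; -ErrorAction Stop turns provider errors (which are
    # non-terminating by default and would skip the catch) into catchable ones.
    Set-ItemProperty -Path $registryPath -Name $registryName -Value $expectedValue -Type DWord -Force -ErrorAction Stop
    Write-Output "IPv6 has been disabled. A system restart may be required."
    exit 0
} catch {
    Write-Error "Failed to disable IPv6: $_"
    exit 1
}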
# Detection: Credential Guard is security service 1 in Win32_DeviceGuard; it must
# appear in both the "configured" and the "running" list to count as enabled.
# If the class cannot be queried both lists are empty and the device is reported
# as non-compliant.
$dgNamespace  = "root\Microsoft\Windows\DeviceGuard"
$dgInfo       = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace $dgNamespace
$cgConfigured = $dgInfo.SecurityServicesConfigured -contains 1
$cgRunning    = $dgInfo.SecurityServicesRunning -contains 1
if (-not ($cgConfigured -and $cgRunning)) {
    Write-Output "Credential Guard is not enabled."
    exit 1
}
Write-Output "Credential Guard is enabled."
exit 0
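# Remediation: turn on virtualization-based security and Credential Guard through
# the registry. The change only takes effect after a reboot, and the hardware
# prerequisites (virtualization extensions, Secure Boot) must be met before the
# detection script's "running" check can pass.
# Exit 0 when all values were written, exit 1 otherwise.
$dgKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
try {
    if (-not (Test-Path $dgKey)) {
        New-Item -Path $dgKey -Force -ErrorAction Stop | Out-Null
    }
    # -Type DWord creates the values with the type Windows reads; -ErrorAction Stop
    # makes a failed write reach the catch instead of reporting success.
    Set-ItemProperty -Path $dgKey -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord -ErrorAction Stop
    Set-ItemProperty -Path $dgKey -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord -ErrorAction Stop
    # LsaCfgFlags 1 = Credential Guard with UEFI lock (cannot be switched off
    # remotely afterwards); 2 = enabled without the lock.
    Set-ItemProperty -Path $lsaKey -Name "LsaCfgFlags" -Value 1 -Type DWord -ErrorAction Stop
    Write-Output "Credential Guard has been enabled."
    exit 0
} catch {
    Write-Error "Failed to enable Credential Guard: $_"
    exit 1
}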
# Detection: security service 2 in Win32_DeviceGuard is hypervisor-enforced code
# integrity (HVCI), the part of "Device Guard" this script checks. It must be
# both configured and running for the device to be compliant.
$dgNamespace    = "root\Microsoft\Windows\DeviceGuard"
$dgInfo         = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace $dgNamespace
$hvciConfigured = $dgInfo.SecurityServicesConfigured -contains 2
$hvciRunning    = $dgInfo.SecurityServicesRunning -contains 2
if ($hvciConfigured -and $hvciRunning) {
    Write-Output "Device Guard is enabled."
    exit 0
}
Write-Output "Device Guard is not enabled."
exit 1
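# Remediation: enable VBS and hypervisor-enforced code integrity (HVCI).
# The companion detection script looks for security service 2 (HVCI) in
# Win32_DeviceGuard, so the HVCI scenario key must be set in addition to the VBS
# switches - the two VBS values alone never make that check pass. Takes effect
# after a reboot.
# NOTE(review): HVCI refuses to load drivers that are not HVCI-compatible; pilot on
# representative hardware before a broad rollout.
$dgKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
try {
    foreach ($key in @($dgKey, $hvciKey)) {
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force -ErrorAction Stop | Out-Null
        }
    }
    Set-ItemProperty -Path $dgKey -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord -ErrorAction Stop
    Set-ItemProperty -Path $dgKey -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord -ErrorAction Stop
    Set-ItemProperty -Path $hvciKey -Name "Enabled" -Value 1 -Type DWord -ErrorAction Stop
    Write-Output "Device Guard has been enabled."
    exit 0
} catch {
    Write-Error "Failed to enable Device Guard: $_"
    exit 1
}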
# Detection: every firewall profile (Domain, Public, Private) must be enabled.
# The first disabled profile found is reported and the script exits non-compliant.
# ($profile is an automatic variable in PowerShell, hence the different loop name.)
$disabledProfiles = Get-NetFirewallProfile -Profile Domain,Public,Private |
    Where-Object { $_.Enabled -eq $false }
foreach ($fwProfile in $disabledProfiles) {
    Write-Output "Firewall is disabled for profile: $($fwProfile.Name)"
    exit 1
}
Write-Output "Firewall is enabled for all profiles."
exit 0
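# Remediation: enable the Windows Firewall on the Domain, Public and Private profiles.
# -ErrorAction Stop so a failed change reaches the catch and is reported as exit 1
# rather than being followed by a success message.
try {
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True -ErrorAction Stop
    Write-Output "Firewall has been enabled for all profiles."
    exit 0
} catch {
    Write-Error "Failed to enable the firewall: $_"
    exit 1
}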
# Detection: flag the device when the C: drive has less than 10 GB free.
$minimumFree = 10GB
$driveC      = Get-PSDrive -Name C
if ($driveC.Free -ge $minimumFree) {
    Write-Output "Sufficient disk space"
    exit 0
}
# Also reached when Free could not be read ($null compares below the threshold)
Write-Output "Low disk space"
exit 1
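# Remediation: run Disk Cleanup with settings profile 1.
# /sagerun:1 only cleans the categories previously selected on this device with
# "cleanmgr.exe /sageset:1"; if that profile was never configured, nothing is
# removed and the script still exits 0.
# NOTE(review): Intune runs remediations as SYSTEM in session 0 by default -
# confirm cleanmgr completes there instead of waiting on a hidden window.
try {
    $cleanmgr = Join-Path $env:windir "System32\cleanmgr.exe"
    if (-not (Test-Path $cleanmgr)) {
        Write-Output "cleanmgr.exe not found"
        exit 1
    }
    # -PassThru exposes the process so its exit code can be checked.
    $proc = Start-Process -FilePath $cleanmgr -ArgumentList "/sagerun:1" -Wait -PassThru -ErrorAction Stop
    if ($proc.ExitCode -ne 0) {
        Write-Output "Disk cleanup exited with code $($proc.ExitCode)"
        exit 1
    }
    Write-Output "Disk cleanup performed"
    exit 0
} catch {
    Write-Error "Disk cleanup failed: $_"
    exit 1
}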
# Detection: EnableLUA under the Policies\System key controls UAC.
# Missing value (NotConfigured) or 0 (Disabled) -> exit 1; anything else -> exit 0.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = Get-ItemPropertyValue -Path $policyKey -Name 'EnableLUA' -ErrorAction SilentlyContinue
if ($null -eq $enableLua) {
    Write-Output "UAC status: NotConfigured"
    exit 1
}
if ($enableLua -eq 0) {
    Write-Output "UAC status: Disabled"
    exit 1
}
Write-Output "UAC status: Enabled"
exit 0
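# Remediation: set EnableLUA = 1 when UAC is missing or disabled.
# The value takes effect after the next reboot. Exit 0 when UAC is (now) enabled,
# exit 1 when the registry write failed.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
try {
    $uacStatus = Get-ItemPropertyValue -Path $policyKey -Name 'EnableLUA' -ErrorAction SilentlyContinue
    if ($null -eq $uacStatus -or $uacStatus -eq 0) {
        # -Type DWord creates the value with the type Windows expects;
        # -ErrorAction Stop routes a failed write into the catch.
        Set-ItemProperty -Path $policyKey -Name 'EnableLUA' -Value 1 -Type DWord -ErrorAction Stop
        Write-Output "UAC has been enabled."
    } else {
        Write-Output "UAC is already enabled."
    }
    exit 0
} catch {
    Write-Error "Failed to enable UAC: $_"
    exit 1
}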
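# Detection: is a Windows Defender Application Control (WDAC) policy enforced?
# Security service 2 in Win32_DeviceGuard is hypervisor-enforced code integrity
# (HVCI), not a WDAC policy, so the earlier check answered a different question.
# Win32_DeviceGuard reports policy state in its own properties:
#   CodeIntegrityPolicyEnforcementStatus          0 = off, 1 = audit, 2 = enforced
#   UsermodeCodeIntegrityPolicyEnforcementStatus  same values, for user-mode (UMCI)
# NOTE(review): audit mode (1) is reported as "not enabled" here - decide whether
# an audit-only policy should count as compliant for this baseline.
$dgInfo         = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$kernelEnforced = $dgInfo.CodeIntegrityPolicyEnforcementStatus -eq 2
$userEnforced   = $dgInfo.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2
if ($kernelEnforced -or $userEnforced) {
    Write-Output "WDAC is enabled."
    exit 0
} else {
    Write-Output "WDAC is not enabled."
    exit 1
}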
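# Remediation: deploy a WDAC policy binary (.cip) with CiTool.
# The path below is a placeholder - point it at the compiled (and, for a
# production baseline, signed) policy the detection script expects to be enforced.
$policyBinaryPath = "C:\Path\To\Your\Policy.cip"
$ciTool = Join-Path $env:windir "System32\CiTool.exe"
try {
    if (-not (Test-Path $policyBinaryPath)) {
        Write-Output "WDAC policy binary not found: $policyBinaryPath"
        exit 1
    }
    if (-not (Test-Path $ciTool)) {
        # CiTool ships with Windows 11 22H2 and later; on older builds the policy
        # has to be placed under CIPolicies\Active under its policy-GUID file name.
        Write-Output "CiTool.exe not available on this device"
        exit 1
    }
    # Invoke CiTool directly instead of through a nested "powershell.exe -Command":
    # the path is passed as a single argument (spaces are safe) and the tool's
    # exit code is visible, which the Start-Process wrapper discarded.
    # NOTE(review): --update-policy is documented to install the policy itself, so
    # the previous Copy-Item into CIPolicies\Active was dropped; re-add it if your
    # deployment depends on the file being present there.
    & $ciTool --update-policy $policyBinaryPath
    if ($LASTEXITCODE -ne 0) {
        Write-Output "CiTool failed with exit code $LASTEXITCODE"
        exit 1
    }
    Write-Output "WDAC policy has been applied. A system reboot is required for changes to take effect."
    exit 0
} catch {
    Write-Error "Failed to apply WDAC policy: $_"
    exit 1
}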
# Detection: the device must be in the Pacific Standard Time zone (case-insensitive
# compare of the zone Id).
$requiredTimeZone = "Pacific Standard Time"
$actualZoneId     = (Get-TimeZone).Id
if ($actualZoneId -eq $requiredTimeZone) {
    Write-Output "Time zone is correct: $actualZoneId"
    exit 0
}
Write-Output "Incorrect time zone: $actualZoneId"
exit 1
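# Remediation: set the device to the required time zone.
# -ErrorAction Stop so an invalid Id or a permissions error reaches the catch and
# is reported as exit 1 instead of being followed by a success message.
$requiredTimeZone = "Pacific Standard Time"
try {
    Set-TimeZone -Id $requiredTimeZone -ErrorAction Stop
    Write-Output "Time zone has been set to: $requiredTimeZone"
    exit 0
} catch {
    Write-Error "Failed to set time zone: $_"
    exit 1
}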
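# Detection: Defender real-time protection must be on.
# RealTimeProtectionEnabled is a [bool]; comparing it with the string "True"
# worked only because any non-empty string coerces to $true on the right-hand
# side (-eq "False" would have matched as well), so compare with $true directly.
$realTimeProtection = (Get-MpComputerStatus).RealTimeProtectionEnabled
if ($realTimeProtection -eq $true) {
    Write-Output "Device Compliant"
    exit 0
} else {
    # Also reached when the property could not be read ($null)
    Write-Output "Device Non-Compliant"
    exit 1
}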
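# Remediation: switch Defender real-time monitoring back on.
# -ErrorAction Stop: Set-MpPreference reports failures as non-terminating errors,
# which would bypass the catch and print "Device Remediated" on a failed change.
# NOTE(review): when Tamper Protection or a management policy owns this setting the
# call may be accepted but not applied - the next detection run is what confirms
# the fix.
try {
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
    Write-Output "Device Remediated"
    exit 0
}
catch {
    Write-Output "Remediation Failed"
    exit 1
}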
# Detection: Defender network protection must be in block mode.
# EnableNetworkProtection: 0 = disabled, 1 = enabled (block), 2 = audit;
# only 1 is treated as compliant, so audit mode reports as "disabled".
$npMode = (Get-MpPreference).EnableNetworkProtection
if ($npMode -ne 1) {
    Write-Output "Network protection is disabled."
    exit 1
}
Write-Output "Network protection is enabled."
exit 0
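# Remediation: put Defender network protection into block mode.
# The unconditional "exit 0" after the call hid failures; -ErrorAction Stop plus
# a catch reports them as exit 1 so Intune does not mark the device remediated.
try {
    Set-MpPreference -EnableNetworkProtection Enabled -ErrorAction Stop
    Write-Output "Network protection has been enabled."
    exit 0
} catch {
    Write-Error "Failed to enable network protection: $_"
    exit 1
}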
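# Detection: confirm the system-wide exploit protection mitigations that the
# companion remediation turns on (DEP, bottom-up ASLR, CFG) are enabled.
# Get-MpPreference has no ExploitProtection property - the earlier check always
# read $null and reported "not applied" - so exploit protection is queried
# through the ProcessMitigations module instead. Each setting reads ON, OFF or
# NOTSET.
# NOTE(review): NOTSET means the Windows default is in effect; it is treated as
# "not applied" here - relax the check if the platform default is acceptable.
try {
    $systemMitigations = Get-ProcessMitigation -System -ErrorAction Stop
    $required = @(
        $systemMitigations.Dep.Enable,
        $systemMitigations.Aslr.BottomUp,
        $systemMitigations.Cfg.Enable
    )
    $notOn = @($required | Where-Object { "$_" -ne 'ON' })
    if ($notOn.Count -eq 0) {
        Write-Output "Exploit protection settings are applied."
        exit 0
    }
    Write-Output "Exploit protection settings are not applied."
    exit 1
} catch {
    # Module missing or query failed: fail closed as non-compliant
    Write-Output "Exploit protection settings are not applied."
    exit 1
}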
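# Remediation: enable the system-wide mitigations the detection script checks.
# Add-MpPreference has no -ExploitProtectionSettings parameter (the earlier line
# could not run); exploit protection is configured with Set-ProcessMitigation.
# -System changes the machine-wide defaults only; per-process overrides are left
# as they are. An organisation baseline exported as XML can be applied instead
# with Set-ProcessMitigation -PolicyFilePath <path-to-baseline.xml>.
try {
    Set-ProcessMitigation -System -Enable DEP,BottomUp,CFG -ErrorAction Stop
    Write-Output "Exploit protection settings have been applied."
    exit 0
} catch {
    Write-Error "Failed to apply exploit protection settings: $_"
    exit 1
}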
# Detection: Defender PUA protection must be in block mode.
# PUAProtection: 0 = disabled, 1 = enabled (block), 2 = audit; only 1 is compliant.
$puaMode = (Get-MpPreference).PUAProtection
if ($puaMode -ne 1) {
    Write-Output "Device Non-Compliant"
    exit 1
}
Write-Output "Device Compliant"
exit 0
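# Remediation: put Defender PUA protection into block mode.
# -ErrorAction Stop: Set-MpPreference reports failures as non-terminating errors,
# which would bypass the catch and print "Device Remediated" on a failed change.
try {
    Set-MpPreference -PUAProtection Enabled -ErrorAction Stop
    Write-Output "Device Remediated"
    exit 0
}
catch {
    Write-Output "Remediation Failed"
    exit 1
}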
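# Detection: is drive Z: mapped to \\server\share?
# Get-PSDrive takes the drive name without a colon ("Z"); passing "Z:" is an
# error, so the earlier check reported "not mapped" on every device.
# NOTE(review): Intune runs detection as SYSTEM unless the script package is set
# to run in the logged-on user's context; mapped drives belong to the user
# session and are invisible to SYSTEM - confirm the package's run-as setting.
$driveLetter = "Z:"
$networkPath = "\\server\share"
$driveName   = $driveLetter.TrimEnd(':')
$drive = Get-PSDrive -Name $driveName -PSProvider FileSystem -ErrorAction SilentlyContinue
# Mapped drives expose the UNC path in DisplayRoot (Root may be the local "Z:\");
# fall back to Root and ignore a trailing backslash on either side.
$mappedTo = $null
if ($null -ne $drive) {
    $mappedTo = if ($drive.DisplayRoot) { $drive.DisplayRoot } else { $drive.Root }
    $mappedTo = "$mappedTo".TrimEnd('\')
}
if ($null -eq $drive -or $mappedTo -ne $networkPath.TrimEnd('\')) {
    Write-Output "Network drive not mapped: $driveLetter"
    exit 1
} else {
    Write-Output "Network drive is mapped: $driveLetter"
    exit 0
}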
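# Remediation: map \\server\share as drive Z: persistently.
# New-PSDrive takes the drive name without a colon ("Z"); "Z:" is rejected.
# -Persist creates a Windows mapped drive in the running user's session, so this
# must execute in the user's context (see the detection script) to be useful.
$driveLetter = "Z:"
$networkPath = "\\server\share"
$driveName   = $driveLetter.TrimEnd(':')
try {
    New-PSDrive -Name $driveName -PSProvider FileSystem -Root $networkPath -Persist -ErrorAction Stop | Out-Null
    Write-Output "Network drive has been mapped: $driveLetter"
    exit 0
} catch {
    # ${driveLetter} braces keep "Z::" from being parsed as a drive qualifier
    Write-Error "Failed to map network drive ${driveLetter}: $_"
    exit 1
}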
# Detection: LLMNR is off when the DNSClient policy key holds EnableMulticast = 0.
# A missing key or value makes Get-ItemProperty throw (-ErrorAction Stop), which
# lands in the catch and is reported as non-compliant.
$dnsClientKey = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$valueName    = "EnableMulticast"
$wantedValue  = 0
Try {
    $actual = (Get-ItemProperty -Path $dnsClientKey -Name $valueName -ErrorAction Stop).$valueName
    If ($actual -ne $wantedValue) {
        Write-Warning "Not Compliant"
        Exit 1
    }
    Write-Output "Compliant"
    Exit 0
}
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}
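# Remediation: disable LLMNR by writing EnableMulticast = 0 (DWORD) under the
# DNSClient policy key, creating the key when it does not exist.
# The earlier existence check read the parent key's *values* and looked for one
# named "dnsclient"; subkeys are not values, so the key was never detected and
# New-Item was skipped. Test-Path on the full key path is the correct test.
$Path  = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$Name  = "EnableMulticast"
$Type  = "DWORD"
$Value = 0
try {
    If (-not (Test-Path $Path)) {
        # -Force creates missing parents; Out-Null keeps the key object out of
        # the remediation output
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value -ErrorAction Stop
    Write-Output "LLMNR has been disabled."
    exit 0
} catch {
    Write-Error "Failed to disable LLMNR: $_"
    exit 1
}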
Very important: I recommend that you test PowerShell scripts in a test environment before you deploy them to production.
Thanks