Intune Remediation : Step by step guide to create remediation script packages

1 – What is Intune Remediation ?

Intune remediation refers to the process of using Microsoft Intune to automatically detect and fix common issues on managed devices. This is achieved through remediation scripts, which consist of a detection script to identify problems and a remediation script to resolve them. These scripts help maintain device compliance and security by addressing issues proactively, often before users even notice them. By leveraging Intune remediation, IT administrators can reduce support calls and ensure a smoother, more secure IT environment.

2 – Why Using Intune Remediation ?

Using Intune remediation offers several key benefits for managing and securing devices in an IT environment :

• Proactively identify and fix common issues before they impact users, reducing the number of support calls and improving overall user experience.
• Automate routine maintenance tasks, ensuring devices remain compliant with organizational policies without requiring manual intervention. This automation not only saves time for IT administrators but also ensures consistency across all managed devices.
• secure and stable IT environment, which is crucial for protecting sensitive data and maintaining operational efficiency.

Overall, Intune remediation enhances device management by combining proactive problem-solving with automation and security.

3 – Prerequisites

Whether enrolling devices via Intune or Configuration Manager, Remediation scripting has the following requirements:

• Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and meet one of the following conditions :

• Is managed by Intune and runs an Enterprise, Professional, or Education edition of Windows 10 or later.
• A co-managed device running Windows 10, version 1903 or later.

4 – Licensing

Remediations requires users of the devices to have one of the following licenses:

• Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
• Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
• Windows 10/11 Virtual Desktop Access (VDA) per user

5 – Script requirements

• You can have up to 200 script packages.
• A script package can contain a detection script only or both a detection script and a remediation script.
• A remediation script only runs if the detection script uses exit code exit 1, meaning the issue was detected.
• The maximum allowed output size limit is 2048 characters.
• Don’t put reboot commands in detection or remediations scripts.
• Do not include any type of sensitive information in scripts (such as passwords)
• Do not include Personally Identifiable Information (PII) in scripts
• Do not use scripts to collect PII from devices
• Always follow privacy best practices
• For more details check Microsoft Link : https://learn.microsoft.com/en-us/mem/intune/fundamentals/remediations#script-requirements

6 – Enable script Remediation :

Script remediation is disabled by default, to activate the “Scripts and Remediations” feature, you need to enable Windows license verification in Intune. Here’s how to do it :

Step 1: Access settings

1. Log in to the Microsoft Intune portal
2. Navigate to Tenant Administration
3. Connectors and tokens

1. Select “Windows data” from menu bar.
2. In the “Windows license verification” section , Activate the toggle “I confirm that my tenant owns one of these licenses”
3. Click on “Save“.

7 – Create Remediation Script :

Here are the steps for creating a remediation script in Microsoft Intune :

1. Access the Microsoft Intune admin center
2. Select “Devices” from the main menu
3. Expand “Manage devices“
4. Click on “Scripts and remediations”.
5. Select the “Remediations” tab
6. Click on the “Create” button

• Fill in basic information (name, description)

Settings step

In this section I’m gonna use 2 scripts (1 for detection, 1 for remediation).

1. Go to Settings tab

2. Upload detection script file (save following script in *.ps1 powershell script file)

# Detection logic
$ipv6DisabledInterfaces = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled -eq $false }

if ($ipv6DisabledInterfaces.Count -eq (Get-NetAdapterBinding -ComponentID ms_tcpip6).Count) {
    # IPv6 is disabled on all interfaces
    Write-Host "Compliant: IPv6 is disabled on all network interfaces."
    exit 0  # Return compliant state
} else {
    # IPv6 is still enabled on one or more interfaces
    Write-Host "Non-compliant: IPv6 is enabled on one or more network interfaces."
    exit 1  # Return non-compliant state
}

3. Upload Remediation script file (save following script in *.ps1 powershell script file)

try {
    Write-Host "Starting remediation: Disabling IPv6 on all network interfaces." -ForegroundColor Green

    # Retrieve all network interfaces with IPv6 enabled
    $interfaces = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object -ExpandProperty Name

    if ($interfaces.Count -eq 0) {
        Write-Host "No interfaces with IPv6 found. No changes needed." -ForegroundColor Yellow
    } else {
        foreach ($interface in $interfaces) {
            try {
                # Disable IPv6 binding on each interface
                Disable-NetAdapterBinding -Name $interface -ComponentID ms_tcpip6 -ErrorAction Stop
                Write-Host "IPv6 has been disabled on interface: $interface" -ForegroundColor Green
            } catch {
                Write-Host "Error disabling IPv6 on interface: $interface. $_" -ForegroundColor Red
            }
        }

        # Update registry to disable IPv6 components system-wide
        try {
            New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ `
            -Name DisabledComponents -Type DWord -Value 255 -Force
            Write-Host "Registry updated to disable IPv6 components. A system restart is required for changes to take effect." -ForegroundColor Cyan
        } catch {
            Write-Host "Error updating registry: $_" -ForegroundColor Red
        }
    }

    Write-Host "Remediation completed successfully. A system restart is required to apply changes." -ForegroundColor Green
} catch {
    Write-Host "An unexpected error occurred during remediation: $_" -ForegroundColor Red
}

4. Configure run parameters :

– Run script using logged-on credentials (No)

– Enforce script signature check (No)

– Run script in 64-bit PowerShell (No)

5. Click Next to continue

Assignments step

1. Go to the Assignments tab

2. Select target groups (e.g. “All devices”)

3. Click Next to finalize configuration

• Click “Create” to create Remediation package.

• Here is Remediation Package created.

9 – Test Remediation :

Remediation packages are executed in two ways :

1. Automatically : when system detect that IPv6 is enabled (get 1 as result with detection script).
2. Manually : from Intune admin center

As you can see in the following screenshot, IPv6 is enabled.

So let’s start manually remediation.

To apply manually remediation from Intune admin center :

• Select device you want to remediate from intune devices
• Select three points in right hand menu “…”
• Select “Run Remediation“

New window will be displayed.

• Select Remediation script the select “Run Remediation“

• Execution can take up 10 minutes.
• We can check remediation result from “Remediation” menu in selected windows machine, as you can see IPv6 was successfully disabled.

• Double check in client Windows machine : IPv6 successfully disabled

10 – Conclusion :

Creating and deploying remediation script packages in Intune can significantly enhance your device management strategy. By following the steps outlined in this guide, you can address compliance issues proactively and maintain a secure IT environment. Remember, the key to successful remediation is thorough testing and validation of your scripts before deployment. With these best practices in mind, you’ll be well-equipped to leverage Intune’s full potential, ensuring your devices are always up-to-date and secure.

Thanks