Template scripts for Intune Proactive Remediation
Need to create an Intune Proactive Remediation and don’t want to start from scratch? These simple template scripts can be used to easily create an Intune Proactive Remediation, which reports back success or error messages to the Intune portal.
The payload of the scripts is up to you, but I have added an example which sets a registry value in the HKLM hive.
Detection script
The detection script checks whether the desired registry value exists with the expected type and data: it compares the Get-Member definition string of the value (for example `int DisableTutorial=1`), so a value of the wrong type or with different data also counts as non-compliant. If the check passes, the script exits with code 0 (compliant). Otherwise it exits with code 1, which tells Intune to run the remediation script. Any error, such as the parent key not existing at all, is caught and reported the same way, with the error text written back to Intune.
```powershell
$version = "D1" # Detection script version
$ErrorActionPreference = 'Stop'
try {
    $registrykeypath = 'HKLM:\SOFTWARE\Policies\Citrix\Citrix Files'
    $registryvalueName = 'DisableTutorial'
    $registryvaluePropertyTarget = 'int DisableTutorial=1' # int for dword, string for string

    # Get-Member returns the value as a NoteProperty whose Definition is "<type> <name>=<data>"
    $registryvaluePropertyObject = Get-ItemProperty -LiteralPath $registrykeypath |
        Get-Member -MemberType NoteProperty |
        Where-Object { $_.Name -eq $registryvalueName }
    $registryvaluePropertyDefinition = $registryvaluePropertyObject.Definition

    If ($registryvaluePropertyDefinition -eq $registryvaluePropertyTarget) {
        Write-Output "$version Compliant: $registryvaluePropertyDefinition"
        # exit 0 to signal compliance to Intune.
        exit 0
    } else {
        Write-Output "$version Non-compliant: $registryvaluePropertyDefinition"
        # exit 1 to signal non-compliance to Intune. This will trigger the remediation script.
        exit 1
    }
} catch {
    # Reached when the key itself does not exist (Get-ItemProperty throws because of 'Stop')
    Write-Output "$version Failed: $_"
    # exit 1 to signal non-compliance to Intune. This will trigger the remediation script.
    exit 1
}
```
Remediation script
The remediation script first creates any missing parent keys (without -Force, so an existing key is not wiped), then creates or overwrites the desired registry value. It returns exit code 0 on success and exit code 1, together with the error text, on failure. After the remediation script has run, Intune runs the detection script again to confirm that the remediation succeeded. Because both scripts write to and read from HKLM:\SOFTWARE, enable "Run script in 64-bit PowerShell" on the Proactive Remediation: by default the scripts run in 32-bit PowerShell, where access to most of HKLM:\SOFTWARE is redirected to WOW6432Node.
```powershell
$version = "R1" # Remediation script version
$ErrorActionPreference = 'Stop'
try {
    $registrykeypath = 'HKLM:\SOFTWARE\Policies\Citrix\Citrix Files'
    $registryvalueName = 'DisableTutorial'
    $registryvalueData = '1'
    $registryvalueType = 'dword'

    # Since the parent registry keys don't necessarily exist already, they should be created first.
    # -ErrorAction SilentlyContinue overrides the 'Stop' preference so an already existing key is not an error.
    New-Item -Path "HKLM:\SOFTWARE\Policies" -Name "Citrix" -ErrorAction SilentlyContinue | Out-Null
    # Don't use -Force when creating registry keys, unless you want to overwrite an existing key
    # (with the registry provider, New-Item -Force on an existing key discards its values and subkeys)
    New-Item -Path "HKLM:\SOFTWARE\Policies\Citrix" -Name "Citrix Files" -ErrorAction SilentlyContinue | Out-Null

    # Create the desired registry value; -Force overwrites an existing value of the same name
    New-ItemProperty -LiteralPath $registrykeypath -Name $registryvalueName -PropertyType $registryvalueType -Value $registryvalueData -Force | Out-Null

    Write-Output "$version Success"
    exit 0 # Return 0 to signal success to Intune
} catch {
    Write-Output "$version Failed: $_" # The error will be returned to Intune
    exit 1 # Return 1 to signal failure to Intune
}
```
In Intune you can now monitor the success of the Proactive Remediation and see the messages returned from the client. In the example below, the Proactive Remediation runs the detection script, which fails to find the desired registry value and thereby triggers the remediation script.
After the remediation script has run, the detection script is run again and now successfully detects the created registry value.
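The detect, remediate, detect cycle described above can be exercised on a test machine before the scripts are assigned in Intune. The harness below is an added example and not part of the original post; it assumes the two scripts are saved as files whose paths you pass in (the parameter names and the name Invoke-ScriptInChildProcess are mine, not anything Intune provides). It runs each script in its own 64-bit Windows PowerShell process, records the exit code and output the way the Intune Management Extension would see them, and applies the same exit-code rules: detection 0 stops, detection 1 runs remediation, and a second detection confirms the fix.

```powershell
<#
    Added example (not from the original post): local harness that walks a
    detection/remediation pair through the Intune Proactive Remediation cycle.
    Assumed usage: .\Test-ProactiveRemediation.ps1 -DetectionScript .\Detect.ps1 -RemediationScript .\Remediate.ps1
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$DetectionScript,
    [Parameter(Mandatory)][string]$RemediationScript
)

# Writing under HKLM needs an elevated token. Intune runs these scripts as SYSTEM unless
# "Run this script using the logged-on credentials" is enabled, so test elevated (or as SYSTEM).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this harness from an elevated PowerShell session (or as SYSTEM, e.g. via psexec -s).'
}

function Invoke-ScriptInChildProcess {
    param([Parameter(Mandatory)][string]$Path)

    # Run the script in a separate 64-bit Windows PowerShell process so its exit code and
    # output are captured exactly as they leave the script. This mirrors the
    # "Run script in 64-bit PowerShell" setting; Intune defaults to 32-bit PowerShell,
    # where most HKLM:\SOFTWARE access is redirected to WOW6432Node.
    $psExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $output = & $psExe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $Path 2>&1

    [pscustomobject]@{
        Script   = Split-Path -Leaf $Path
        ExitCode = $LASTEXITCODE
        Output   = ($output | ForEach-Object { "$_" }) -join [Environment]::NewLine
    }
}

$steps = New-Object System.Collections.Generic.List[object]

# 1. Detection: exit 0 = compliant, nothing more happens; exit 1 = non-compliant, remediate.
$detect1 = Invoke-ScriptInChildProcess -Path $DetectionScript
$steps.Add($detect1)

if ($detect1.ExitCode -eq 0) {
    $result = 'Compliant; remediation would not run'
}
elseif ($detect1.ExitCode -eq 1) {
    # 2. Remediation: exit 0 = success, anything else = failure reported to Intune.
    $fix = Invoke-ScriptInChildProcess -Path $RemediationScript
    $steps.Add($fix)

    if ($fix.ExitCode -ne 0) {
        $result = 'Remediation script failed'
    }
    else {
        # 3. Detection again, which is how Intune confirms that the remediation took effect.
        $detect2 = Invoke-ScriptInChildProcess -Path $DetectionScript
        $steps.Add($detect2)
        $result = if ($detect2.ExitCode -eq 0) {
            'Remediated and confirmed by detection'
        } else {
            'Remediation ran but detection still reports non-compliant'
        }
    }
}
else {
    # Intune expects 0 or 1 from detection; anything else points at a bug in the script.
    $result = "Unexpected detection exit code $($detect1.ExitCode)"
}

$steps | Format-Table Script, ExitCode, Output -AutoSize -Wrap
Write-Host "Result: $result"
```

Run it once against a machine where the value is missing and you should see three rows (D1 Non-compliant, R1 Success, D1 Compliant); a second run should stop after a single compliant detection. If the remediation row shows exit code 0 but the final detection still fails, the value was written somewhere other than where the detection reads, which is the symptom of a 32-bit/64-bit mismatch or of a typo between the two scripts' paths.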