Tutorial: Proactive remediations
This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For more information about changes to Endpoint analytics, see What's new in Endpoint analytics.
Proactive remediations in Endpoint analytics helps you fix common support issues before end users notice them. Use Proactive remediations to help increase your User experience score.
In this tutorial, you learn how to:
- Review prerequisites for Proactive remediations
- Deploy a built-in script package
- Deploy a custom script package
- Monitor the script packages
About Proactive remediations
Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realize there's a problem. These remediations can help reduce support calls. You can create your own script package, or deploy one of the script packages we've written and used in our environment for reducing support tickets.
Each script package consists of a detection script, a remediation script, and metadata. Through Intune, you'll be able to deploy these script packages and see reports on their effectiveness. We're actively developing new script packages and would like to know your experiences using them. Reach out to your Endpoint analytics preview contact if you have any feedback on the script packages.
- Devices enrolled into Endpoint analytics.
Whether enrolling devices via Intune or Configuration Manager, Proactive remediation scripting has the following requirements:
- Devices must be Azure AD joined or hybrid Azure AD joined and meet one of the following conditions:
Proactive remediations also requires the licensing for Endpoint analytics and one of the following licenses for the enrolled devices:
- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
For Proactive remediations, the user needs permissions appropriate to their role under the Device configurations category. Permissions in the Endpoint Analytics category aren't needed if the user only uses Proactive remediations.
An Intune Service Administrator is required to confirm licensing requirements before using proactive remediations for the first time.
The PowerShell execution policy on the device can't be set to Restricted or AllSigned. For more information, see PowerShell execution policies.
If the option Enforce script signature check is enabled on the Settings page when creating a script package, then make sure that the scripts meet the following requirements:
- Encoded in UTF-8, not UTF-8 BOM.
- Line breaks are indicated by CR LF, which is the Windows default. LF is the default line break for Unix. For more information, see Encoding and line endings.
- Currently, the encoding and line breaks are a known issue.
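A pre-upload check for the encoding, line-break and signature requirements above, as an added example that is not part of the original tutorial or Microsoft's own code. The function name Test-ScriptPackageFile and the sample file are hypothetical, and it assumes a file is ready only when it is valid UTF-8 without a BOM, uses CR LF line breaks throughout, and has a valid Authenticode signature on the machine where the check runs.

```powershell
function Test-ScriptPackageFile {
    param([Parameter(Mandatory)][string]$Path)

    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($resolved)

    # A UTF-8 BOM is the byte sequence EF BB BF at the start of the file.
    $hasBom = $bytes.Length -ge 3 -and
        $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF

    # Strict decoder: throws on byte sequences that are not valid UTF-8.
    $strictUtf8 = New-Object System.Text.UTF8Encoding($false, $true)
    $validUtf8 = $true
    try { $null = $strictUtf8.GetString($bytes) } catch { $validUtf8 = $false }

    # Count LF bytes that are not preceded by CR, i.e. Unix-style line breaks.
    $bareLf = 0
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0x0A -and ($i -eq 0 -or $bytes[$i - 1] -ne 0x0D)) { $bareLf++ }
    }

    # Signing with -Encoding or editor defaults often reintroduces a BOM,
    # so the signature is checked on the same bytes that will be uploaded.
    $signature = Get-AuthenticodeSignature -LiteralPath $resolved

    [pscustomobject]@{
        Path            = $resolved
        ValidUtf8       = $validUtf8
        HasUtf8Bom      = $hasBom
        BareLfCount     = $bareLf
        SignatureStatus = $signature.Status
        ReadyForUpload  = ($validUtf8 -and (-not $hasBom) -and ($bareLf -eq 0) -and
                           ($signature.Status -eq 'Valid'))
    }
}

# Constructed sample: an unsigned script saved with a BOM and LF line breaks.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'Detect_Sample.ps1'
[byte[]]$content = (0xEF, 0xBB, 0xBF) +
    [System.Text.Encoding]::ASCII.GetBytes("Write-Output 'ok'`nexit 0`n")
[System.IO.File]::WriteAllBytes($sample, $content)

Test-ScriptPackageFile -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```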
Deploy built-in script packages
There are built-in script packages you can use to get started with Proactive remediations. The Microsoft Intune Management Extension service gets the scripts from Intune and runs them. The scripts are rerun every 24 hours by default. The following built-in script packages just need to be assigned:
- Update stale Group Policies – Stale Group Policies can lead to helpdesk tickets related to connectivity and internal resource access.
- Restart Office Click-to-run service – When the Click-to-run service is stopped, Office apps fail to start leading to helpdesk calls.
To assign the script package:
- From the Proactive remediations node, select one of the built-in script packages.
- Select Properties, then next to the Assignments heading, select Edit.
- Choose the groups you want to Assign to and any Excluded groups for the script package.
- If you would like to change the schedule, click the ellipses and choose Edit to specify your settings then Apply to save them.
- When you're done, select Review + save.
Create and deploy custom script packages
The Microsoft Intune Management Extension service gets the scripts from Intune and runs them. The scripts are rerun every 24 hours. You can copy the provided scripts and deploy them, or you can create your own script packages. To deploy script packages, follow the instructions below:
Copy the provided detection and remediation scripts
- Copy the scripts from the PowerShell scripts article.
- Script files whose names start with Detect are detection scripts. Remediation scripts start with
- For a description of the scripts, see the Script descriptions.
- Save each script using the provided name. The name is also in the comments at the top of each script.
- You can use a different script name, but it won't match the name listed in the Script descriptions.
Deploy the script packages
- Go to the Proactive remediations node in the console.
- Click the Create script package button to create a script package.
- In the Basics step, give the script package a Name and optionally, a description. The Publisher field can be edited, but defaults to your tenant name. Version can't be edited.
- On the Settings step, copy the text from the provided scripts or put your own scripts into the Detection script and Remediation script fields.
- Finish the options on the Settings page with the following recommended configurations:
- Run this script using the logged-on credentials: This setting is dependent on the script. For more information, see the Script descriptions.
- Enforce script signature check: No
- Run script in 64-bit PowerShell: No
- Click Next then assign any Scope tags you need.
- In the Assignments step, select the device groups to which you want to deploy the script package.
- Complete the Review + Create step for your deployment.
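A custom detection and remediation pair for the Detection script and Remediation script fields, as an added example that is not one of Microsoft's built-in or provided scripts. The file names and the service name ClickToRunSvc are assumptions, as is the Intune convention (not stated on this page) that a detection script exiting with code 1 causes the remediation script to run.

```powershell
# ===== Detect_ClickToRunService.ps1 (hypothetical name) =====
# Save as its own file and paste into the Detection script field.
# Assumed convention: exit 1 = issue found, exit 0 = nothing to fix.
$serviceName = 'ClickToRunSvc'   # assumed name of the Office Click-to-Run service
try {
    $svc = Get-Service -Name $serviceName -ErrorAction Stop
    if ($svc.Status -eq 'Running') {
        Write-Output "$serviceName is running."
        exit 0
    }
    Write-Output "$serviceName is $($svc.Status)."
    exit 1
}
catch {
    # Service not installed: this package has nothing to fix on the device.
    Write-Output "$serviceName not found: $($_.Exception.Message)"
    exit 0
}

# ===== Remediate_ClickToRunService.ps1 (hypothetical name) =====
# Save as its own file and paste into the Remediation script field.
$serviceName = 'ClickToRunSvc'
try {
    Start-Service -Name $serviceName -ErrorAction Stop
    # Confirm the service actually reached Running instead of trusting the call.
    (Get-Service -Name $serviceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Write-Output "$serviceName started."
    exit 0
}
catch {
    # Non-zero exit so the failure shows up in the device status report.
    Write-Output "Failed to start ${serviceName}: $($_.Exception.Message)"
    exit 1
}
```

Starting a service needs administrative rights, so this pair assumes Run this script using the logged-on credentials is set to No; keep each script's output free of secrets because it is surfaced in reporting.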
Monitor your script packages
- Under Reporting > Endpoint analytics - Proactive remediations, you can see an overview of your detection and remediation status.
- Click on Device status to get status details for each device in your deployment.