Tutorial: Proactive remediations


This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

For more information about changes to Endpoint analytics, see What's new in Endpoint analytics.

Proactive remediations in Endpoint analytics helps you fix common support issues before end-users notice issues. Use Proactive remediations to help increase your User experience score.

In this tutorial, you learn how to:

  • Review prerequisites for Proactive remediations
  • Deploy a built-in script package
  • Deploy a custom script package
  • Monitor the script packages

About Proactive remediations

Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realize there's a problem. These remediations can help reduce support calls. You can create your own script package, or deploy one of the script packages we've written and used in our environment for reducing support tickets.

Each script package consists of a detection script, a remediation script, and metadata. Through Intune, you'll be able to deploy these script packages and see reports on their effectiveness. We're actively developing new script packages and would like to know your experiences using them. Reach out to your Endpoint analytics preview contact if you have any feedback on the script packages.


Whether enrolling devices via Intune or Configuration Manager, Proactive remediation scripting has the following requirements:

  • Devices must be Azure AD joined or hybrid Azure AD joined and meet one of the following conditions:
    • A Windows 10 Enterprise, Professional, or Education device that is managed by Intune.
    • A co-managed device running Windows 10, version 1903 or later. Co-managed devices on preceding versions of Windows 10 will need the Client apps workload pointed to Intune (only applicable up to version 1607).


Proactive remediations also requires the licensing for Endpoint analytics and one of the following licenses for the enrolled devices:

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5


  • For Proactive remediations, the user needs permissions appropriate to their role under the Device configurations category. Permissions in the Endpoint Analytics category aren't needed if the user only uses Proactive remediations.

  • An Intune Service Administrator is required to confirm licensing requirements before using proactive remediations for the first time.

  • The PowerShell execution policy on the device can't be set to Restricted or AllSigned. For more information, see PowerShell execution policies.

Script requirements

If the option Enforce script signature check is enabled in the Settings page of creating a script package, then make sure that the scripts are:

  • Encoded in UTF-8 not UTF-8 BOM
  • Scripts have line breaks indicated by LF and not CR LF, which is the Windows default.
    • LF is the default line break for Unix. For more information, see Encoding and line endings.
    • Currently, the encoding and line breaks are a known issue.

Deploy built-in script packages

There are built-in script packages you can use to get started with Proactive remediations. The Microsoft Intune Management Extension service gets the scripts from Intune and runs them. The scripts are rerun every 24 hours by default. The following built-in script packages just need to be assigned:

  • Update stale Group Policies – Stale Group Policies can lead to helpdesk tickets related to connectivity and internal resource access.
  • Restart Office Click-to-run service – When the Click-to-run service is stopped, Office apps fail to start leading to helpdesk calls.

To assign the script package:

  1. From the Proactive remediations node, select one of the built-in script packages.
  2. Select Properties, then next the Assignments heading, select Edit.
  3. Choose the groups you want to Assign to and any Excluded groups for the script package.
  4. If you would like to change the schedule, click the ellipses and choose Edit to specify your settings then Apply to save them.
  5. When you're done, select Review + save.

Create and deploy custom script packages

The Microsoft Intune Management Extension service gets the scripts from Intune and runs them. The scripts are rerun every 24 hours. You can copy the provided scripts and deploy them, or you can create your own script packages. To deploy script packages, follow the instructions below:

Copy the provided detection and remediation scripts

  1. Copy the scripts from the PowerShell scripts article.
    • Script files whose names start with Detect are detection scripts. Remediation scripts start with Remediate.
    • For a description of the scripts, see the Script descriptions.
  2. Save each script using the provided name. The name is also in the comments at the top of each script.
    • You can use a different script name, but it won't match the name listed in the Script descriptions.

Deploy the script packages

  1. Go to the Proactive remediations node in the console.
  2. Click the Create script package button to create a script package. Endpoint analytics Proactive remediations page. Select the create link.
  3. In the Basics step, give the script package a Name and optionally, a description. The Publisher field can be edited, but defaults to your tenant name. Version can't be edited.
  4. On the Settings step, copy the text from the provided scripts or put your own scripts into the Detection script and Remediation script fields.
    • You need the corresponding detection and remediation script to be in the same package. For example, the Detect_Expired_User_Certificates.ps1 detection script corresponds with the Remediate_Expired_User_Certificates.ps1 remediation script. Endpoint analytics Proactive remediations script settings page.
  5. Finish the options on the Settings page with the following recommended configurations:
    • Run this script using the logged-on credentials: This setting is dependent on the script. For more information, see the Script descriptions.
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell: No
  6. Click Next then assign any Scope tags you need.
  7. In the Assignments step, select the device groups to which you want to deploy the script package.
  8. Complete the Review + Create step for your deployment.

Monitor your script packages

  1. Under Reporting > Endpoint analytics - Proactive remediations, you can see an overview of your detection and remediation status. Endpoint analytics Proactive remediations report, overview page.
  2. Click on Device status to get status details for each device in your deployment. Endpoint analytics Proactive remediations device status.

Next steps