The one with proactive remediations and Microsoft Intune

About Proactive remediations

Proactive remediations are script packages that detect and fix common support issues on a user's device, ideally before the user notices there is a problem. Each package consists of a detection script and a remediation script; the remediation only runs when the detection reports a problem. You can create your own script packages or deploy the ones supplied by Microsoft (or shared by the community). Intune deploys the packages and reports on their effectiveness.

Prerequisites

  • Devices enrolled into Endpoint Analytics (with either Configuration Manager or Microsoft Intune)
  • The enrolled device requires a Windows 10 Enterprise E3/E5, Education A3/A5 or Windows Virtual Desktop Access E3/E5 license.
  • Device must be Azure AD joined or Hybrid Azure AD joined and must meet one of the following conditions:
    • A Windows 10 Enterprise, Professional, or Education device that is managed by Intune.
    • A co-managed device running Windows 10, version 1903 or later.

Built-in script packages

There are two built-in script packages available that you can use to get started with Proactive remediations. The Microsoft Intune Management Extension service gets the scripts from Intune and runs them. The scripts are rerun every 24 hours by default.

The following built-in script packages are available; they do nothing until you assign them to a group:

  • Update stale Group Policies – This script package detects whether the last Group Policy refresh was more than 7 days ago. The script remediates by running gpupdate /target:computer /force and gpupdate /target:user /force.
  • Restart Office Click-to-Run service – This script package detects whether the Click-to-Run service is running. If it is not, the script remediates by setting the startup type to Automatic and then starting the service.

Creating Proactive remediations

Not that long ago a customer asked me to address some small issues end-users had been experiencing with their Azure AD joined Windows 10 devices enrolled in Microsoft Intune. I could most probably have fixed the issues with plain PowerShell scripts deployed through Intune, but since the customer has Microsoft 365 E3 licenses, Proactive remediations were available, so why not make use of them?

The customer asked me to address the following two minor issues:

  • Automatically create the 'This PC' shortcut on the desktop of the end-user, when missing.
  • Enable Navigation pane in File Explorer. (for some reason it often was disabled, making navigation more difficult for the end-user).

Remediate 'This PC'

Normally, you enable the 'This PC' desktop icon in Settings - Themes - Desktop icon settings. When you enable it, Windows creates or sets a DWORD value named {20D04FE0-3AEA-1069-A2D8-08002B30309D} (the CLSID of 'This PC') under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel and sets it to 0 (0 = icon shown, 1 = icon hidden).

(Screenshot: Desktop Icon Settings dialog)

Based on this information, we can create a detection script and a remediation script. The detection script exits with code 0 when the value exists and is 0 (compliant) and with code 1 in every other case, which is what tells Intune to run the remediation; the remediation script creates the key when it is missing and sets the DWORD to 0. Two things to keep in mind: because the value lives under HKCU, the script package must be configured with 'Run this script using the logged-on credentials' set to Yes, otherwise the scripts run as SYSTEM and read and write that account's hive instead of the user's; and Explorer only redraws the desktop icons when the desktop is refreshed (F5) or the user signs in again, so the icon may not appear the instant the value is written.

Detect-ThisPCDesktop.ps1
<#
.SYNOPSIS
Manage the 'This PC' shortcut on the desktop in Microsoft Windows.
This script is used as detection script with Proactive Remediations in Microsoft Endpoint Manager
.DESCRIPTION
Manage various application settings in Windows, which currently consists of:
- Enable This PC shortcut on desktop
.NOTES
Filename: Detect-ThisPCDesktop.ps1
Version: 1.0
Author: Wesley van den Heuvel
Twitter: @wjpvandenheuvel
.LINK
https://scildan.cloud
#>
# Discovery script: exit 0 = compliant (no remediation), exit 1 = run the remediation script
$Path      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
$AttrName  = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"   # CLSID of 'This PC'
$AttrValue = 0                                           # 0 = icon shown, 1 = icon hidden

# Check registry value. A missing key or value throws because of -ErrorAction Stop and is
# treated as not compliant. Output is written to stdout so it shows up in the Intune report.
Try {
    $Registry = Get-ItemProperty -Path $Path -Name $AttrName -ErrorAction Stop | Select-Object -ExpandProperty $AttrName
    If ($Registry -eq $AttrValue) {
        Write-Output "Compliant"
        Exit 0
    } Else {
        Write-Output "Not Compliant"
        Exit 1
    }
}
Catch {
    Write-Output "Not Compliant"
    Exit 1
}
Remediate-ThisPCDesktop.ps1
<#
.SYNOPSIS
Manage the 'This PC' shortcut on the desktop in Microsoft Windows.
This script is used as remediation script with Proactive Remediations in Microsoft Endpoint Manager
.DESCRIPTION
Manage various application settings in Windows, which currently consists of:
- Enable This PC shortcut on desktop
.NOTES
Filename: Remediate-ThisPCDesktop.ps1
Version: 1.0
Author: Wesley van den Heuvel
Twitter: @wjpvandenheuvel
.LINK
https://scildan.cloud
#>
# Desired values to reset This PC shortcut on desktop
$Path      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
$AttrName  = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
$AttrType  = "DWORD"
$AttrValue = 0

# Set values in registry: create the key when it is missing, then create or overwrite the value.
# Exit 0 on success so the Intune report shows the remediation as succeeded, exit 1 on failure.
Try {
    If (!(Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $AttrName -Value $AttrValue -PropertyType $AttrType -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    Exit 0
}
Catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    Exit 1
}

Remediate 'Navigation Pane'

Normally, you enable the Navigation pane in File Explorer, by clicking on the View tab, clicking on the Navigation pane button in the ribbon, and clicking on Navigation pane in the menu to toggle to show (checked) and hide (unchecked) the navigation pane.

(Screenshot: File Explorer View tab, Navigation pane menu)

When you enable the navigation pane, Windows creates or sets a REG_BINARY value named PageSpaceControlSizer under the key HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\Sizer. The 16-byte blob does not only hold the show/hide state: it also encodes the width of the pane, so a user who has resized the pane will have a different blob than the one below.

Based on this information, we can create a detection script and a remediation script. The detection script compares the stored blob with the expected one and the remediation script creates the key when it is missing and writes the expected blob. Setting a REG_BINARY value from PowerShell takes a bit of work, because New-ItemProperty -PropertyType Binary expects a [byte[]] rather than a string; the scripts below build that array by splitting the comma-separated hex string and casting each element to a byte. Two caveats follow from the whole-blob comparison: a user who has resized the pane is reported as not compliant and is reset to the default width on the next run, and Explorer writes the value back when a window is closed, so a File Explorer window that was open during remediation can undo it.

Detect-NavigationPaneSetting.ps1
<#
.SYNOPSIS
Manage the navigation pane setting in Explorer in Microsoft Windows.
This script is used as detection script with Proactive Remediations in Microsoft Endpoint Manager
.DESCRIPTION
Manage various application settings in Windows, which currently consists of:
- Enable navigation pane in Explorer
.NOTES
Filename: Detect-NavigationPaneSetting.ps1
Version: 1.0
Author: Wesley van den Heuvel
Twitter: @wjpvandenheuvel
.LINK
https://scildan.cloud
#>
# Discovery script: exit 0 = compliant (no remediation), exit 1 = run the remediation script
$Path     = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\Sizer"
$AttrName = "PageSpaceControlSizer"
# Expected REG_BINARY content as comma-separated hex bytes, converted to a [byte[]] for comparison
$Value    = "a0,00,00,00,01,00,00,00,00,00,00,00,ec,03,00,00"
[byte[]]$CompValue = $Value.Split(',') | ForEach-Object { "0x$_" }

# Read the current value; a missing key or value yields $null instead of an error on stderr
$AttrValue = (Get-ItemProperty -Path $Path -Name $AttrName -ErrorAction SilentlyContinue).$AttrName
if (-not $AttrValue) {
    # Value missing: not compliant, so the remediation script must run
    Write-Output "Not Compliant"
    Exit 1
}

# Compare byte by byte and in order (Compare-Object without -SyncWindow 0 ignores element order)
if (($AttrValue -join ',') -eq ($CompValue -join ',')) {
    # values match, return compliant
    Write-Output "Compliant"
    Exit 0
}
else {
    # values do not match, return not compliant
    Write-Output "Not Compliant"
    Exit 1
}
Remediate-NavigationPaneSetting.ps1
<#
.SYNOPSIS
Manage the navigation pane setting in Explorer in Microsoft Windows.
This script is used as remediation script with Proactive Remediations in Microsoft Endpoint Manager
.DESCRIPTION
Manage various application settings in Windows, which currently consists of:
- Enable navigation pane in Explorer
.NOTES
Filename: Remediate-NavigationPaneSetting.ps1
Version: 1.0
Author: Wesley van den Heuvel
Twitter: @wjpvandenheuvel
.LINK
https://scildan.cloud
#>
# Desired values to reset the navigation pane
$Path     = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\Sizer"
$AttrName = "PageSpaceControlSizer"
$Value    = "a0,00,00,00,01,00,00,00,00,00,00,00,ec,03,00,00"
[byte[]]$Hexified = $Value.Split(',') | ForEach-Object { "0x$_" }

# Set value in registry. New-ItemProperty fails when the key does not exist, so create it first.
Try {
    If (!(Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $AttrName -PropertyType Binary -Value $Hexified -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    Exit 0
}
Catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    Exit 1
}
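The scripts above treat PageSpaceControlSizer as an opaque 16-byte blob, so a pane the user has resized fails detection and is reset to the default width. The following is an added example, not code from the original post: it parses the blob as four little-endian DWORDs and checks or repairs only the visibility flag, leaving the width alone. The byte layout it assumes (bytes 0-3 pane width, bytes 4-7 show/hide flag, bytes 8-11 zero, bytes 12-15 window-dependent) is an observation commonly reported for this value and is not documented by Microsoft; the function names and the -Mode switch are this example's own.

```powershell
# Added example (not from the original post): check and repair only the visibility flag
# in PageSpaceControlSizer instead of overwriting the whole blob.
# Assumed layout (observed, not documented by Microsoft):
#   bytes 0-3  pane width (little-endian DWORD)
#   bytes 4-7  1 = navigation pane shown, 0 = hidden
#   bytes 8-11 always zero in observed values
#   bytes 12-15 window-dependent size
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'   # for local testing only; Intune runs scripts without parameters
)

$Path     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\Sizer'
$AttrName = 'PageSpaceControlSizer'
# Default blob taken from the remediation script above; used only when the value is missing or malformed
[byte[]]$DefaultBlob = 0xa0,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xec,0x03,0x00,0x00

function Get-SizerBlob {
    # Returns the current REG_BINARY content, or $null when the key or value is missing
    $item = Get-ItemProperty -Path $Path -Name $AttrName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # Leading comma keeps PowerShell from unrolling the byte array into the pipeline
    return ,([byte[]]$item.$AttrName)
}

function ConvertFrom-SizerBlob {
    param([byte[]]$Bytes)
    # Anything that is not exactly 16 bytes is treated as malformed
    if ($null -eq $Bytes -or $Bytes.Length -ne 16) { return $null }
    [pscustomobject]@{
        Width   = [BitConverter]::ToUInt32($Bytes, 0)
        Visible = ([BitConverter]::ToUInt32($Bytes, 4) -ne 0)
    }
}

function Test-NavigationPane {
    # Detection: compliant only when the flag says the pane is shown; width is ignored
    $parsed = ConvertFrom-SizerBlob -Bytes (Get-SizerBlob)
    if ($null -eq $parsed) { return [pscustomobject]@{ ExitCode = 1; Message = 'Not Compliant: value missing or malformed' } }
    if ($parsed.Visible)   { return [pscustomobject]@{ ExitCode = 0; Message = "Compliant (pane width $($parsed.Width) px)" } }
    return [pscustomobject]@{ ExitCode = 1; Message = 'Not Compliant: navigation pane hidden' }
}

function Repair-NavigationPane {
    # Remediation: overwrite only the flag DWORD, keeping width and trailing bytes when present
    [byte[]]$blob = Get-SizerBlob
    if ($null -eq $blob -or $blob.Length -ne 16) { $blob = $DefaultBlob.Clone() }
    [Array]::Copy([BitConverter]::GetBytes([uint32]1), 0, $blob, 4, 4)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $AttrName -PropertyType Binary -Value $blob -Force | Out-Null
    return 'Remediated: navigation pane flag set to shown'
}

# For a real package split this into two files: the detection script ends with the
# 'Detect' branch and the remediation script with the 'Remediate' branch.
switch ($Mode) {
    'Detect'    { $result = Test-NavigationPane; Write-Output $result.Message; exit $result.ExitCode }
    'Remediate' { Write-Output (Repair-NavigationPane); exit 0 }
}
```

Run it as `.\Sizer.ps1 -Mode Detect` and `.\Sizer.ps1 -Mode Remediate` to see both branches. The same HKCU caveat applies: the package has to run with the logged-on user's credentials, and an open File Explorer window may write the old blob back when it is closed.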

Assigning Proactive remediations

When assigning a script package you pick the group, the schedule for the scripts to run on the devices in that group, and a few settings that decide how they run. Two of those settings matter for the packages in this post: 'Run this script using the logged-on credentials' must be set to Yes, because both pairs write to HKCU; and 'Enforce script signature check' is worth turning on once you sign your scripts, since anything assigned through this channel executes on every device in the group. Assign the script package first and then set the desired frequency.

The following frequencies are available:

  • Once (Intune will attempt to run the script at the scheduled time. If Intune can't reach the device, it will try to run the script again when the device comes back online.)
  • Hourly (Intune will run the script every hour)
  • Daily (Intune will run the script repeatedly, every x days)
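Before assigning a package it pays to run the pair locally the way the Intune Management Extension does: detection first, remediation only when detection exits with 1, then detection again to confirm the fix. The following harness is an added example, not part of the original post; it assumes the two files sit in the current folder under the names used earlier (override them with the parameters) and that the scripts report their result through their exit code, as the ones above do.

```powershell
# Added example (not from the original post): exercise a detection/remediation pair locally
# in the order the Intune Management Extension uses. File names are assumptions; pass your own.
param(
    [string]$Detect    = '.\Detect-ThisPCDesktop.ps1',
    [string]$Remediate = '.\Remediate-ThisPCDesktop.ps1'
)

function Invoke-PackageScript {
    param([Parameter(Mandatory)][string]$ScriptPath)
    if (-not (Test-Path $ScriptPath)) { throw "Script not found: $ScriptPath" }
    # Separate 64-bit process without profile, mirroring the package setting
    # 'Run script in 64-bit PowerShell' and keeping profile side effects out of the test.
    $exe    = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $output = & $exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath 2>&1
    [pscustomobject]@{
        Script   = Split-Path $ScriptPath -Leaf
        ExitCode = $LASTEXITCODE
        Output   = ($output -join [Environment]::NewLine)
    }
}

function Test-RemediationPackage {
    param([string]$DetectPath, [string]$RemediatePath)
    # Step 1: detection. Exit 0 means compliant; Intune would stop here.
    $first = Invoke-PackageScript $DetectPath
    if ($first.ExitCode -eq 0) {
        return [pscustomobject]@{ Result = 'Compliant, remediation not needed'; Steps = @($first) }
    }
    # Step 2: remediation, Step 3: detection again (the "post-remediation" status in the report)
    $fix    = Invoke-PackageScript $RemediatePath
    $second = Invoke-PackageScript $DetectPath
    $verdict = if ($fix.ExitCode -ne 0)         { 'Remediation failed' }
               elseif ($second.ExitCode -ne 0)  { 'Remediation ran but detection still fails' }
               else                              { 'Remediated and verified' }
    [pscustomobject]@{ Result = $verdict; Steps = @($first, $fix, $second) }
}

$run = Test-RemediationPackage -DetectPath $Detect -RemediatePath $Remediate
$run.Steps | Format-Table Script, ExitCode, Output -AutoSize
Write-Output $run.Result
```

The harness runs as the signed-in user, which matches 'Run this script using the logged-on credentials' set to Yes. To test the default SYSTEM context instead, start the harness under SYSTEM, for example with Sysinternals PsExec (`psexec -s -i powershell.exe`), and watch for HKCU-based scripts suddenly reporting the wrong hive.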

Monitoring Proactive remediations

Under Reporting > Endpoint analytics - Proactive remediations, you get an overview of your detection and remediation status. The per-package report shows how the package is performing and the health of the assigned devices. The scripts run according to the schedule you defined. The detection bar chart reflects the exit code and output returned by the detection script, while the remediation bar chart reflects the remediation script's output.

Conclusion

In this blog post I explained how to create your own script packages and deploy them as Proactive remediations with Microsoft Intune. Proactive remediations is in my opinion a very nice feature, with some similarity to Group Policy Preferences, which you can also use to deploy registry settings and the like to domain-joined devices. Where Proactive remediations shines is that it only fixes an issue after the detection script has found it, and reports on both halves. The possibilities are endless.
