
How to deploy a Remediation Script using Intune

In this post, we will show you how to deploy a remediation script using Intune. Intune Remediations (which was previously known as Proactive Remediations) helps you fix common support issues on a user’s device before they even notice there is a problem. With remediation scripts, we can easily fix issues like restarting crucial services, or making changes to registry keys, etc.

Following our earlier post on how to enable the WMI firewall rules for client accessibility in MPA Tools, we will demonstrate how to enable the WMI firewall rules using an Intune Remediation script. The firewall configuration profile in the Endpoint Security blade (shown in the example below) could be used to enable the WMI rules. However, the firewall configuration profile causes a duplication of the WMI firewall rules (same as enabling firewall rules using Group Policy). It would have been great if there was a configuration profile for enabling/disabling built-in firewall rules but sadly, there isn’t.
[Screenshot: the firewall configuration profile in the Endpoint Security blade]

What are Remediations in Intune?

Remediations are script packages that can detect and fix common support issues on a user’s device. Each script package consists of a detection script, a remediation script, and metadata. Through Intune, you can deploy these script packages and see reports on their effectiveness. For more information, see Remediations | Microsoft Learn.

Pre-requisites for Intune Remediations

Whether enrolling devices via Intune or Configuration Manager, Remediation scripting has the following pre-requisites:

  • Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and meet one of the following conditions:
    • Is managed by Intune and runs an Enterprise, Professional, or Education edition of Windows 10 or later.
    • Is a co-managed device running Windows 10, version 1903 or later. Co-managed devices on earlier versions of Windows 10 need the Client apps workload pointed to Intune (only applicable up to version 1607).
  • Remediations requires users of the devices to have one of the following licenses:
    • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
    • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
    • Windows 10/11 Virtual Desktop Access (VDA) per user
  • The licensing verification must be confirmed in the Windows Data configuration under Tenant Admin > Connectors and tokens (as shown below).

[Screenshot: Windows data licensing verification under Tenant Admin > Connectors and tokens]

Remediation script requirements

  • You can have up to 200 script packages.
  • A script package can contain a detection script only or both a detection script and a remediation script.
  • A remediation script only runs if the detection script exits with exit code 1, meaning the issue was detected.
  • Ensure the scripts are encoded in UTF-8.
  • If the option Enforce script signature check is enabled on the Settings page when creating a script package, make sure the scripts are encoded in UTF-8, not UTF-8 with BOM.
  • The maximum allowed output size limit is 2048 characters.
  • If the option Enforce script signature check is enabled on the Settings page when creating a script package, the script runs using the device’s PowerShell execution policy. The default execution policy for Windows client computers is Restricted. The default execution policy for Windows Server devices is RemoteSigned. For more information, see PowerShell execution policies.
  • Scripts built into Remediations are signed and the certificate is added to the Trusted Publishers certificate store of the device.
  • When using third-party scripts that are signed, make sure the certificate is in the Trusted Publishers certificate store. As with any certificate, the certificate authority must be trusted by the device.
  • Scripts without Enforce script signature check use the Bypass execution policy.
  • Don’t put reboot commands in detection or remediation scripts.
  • Do not include any type of sensitive information in scripts (such as passwords).
  • Do not include Personally Identifiable Information (PII) in scripts.
  • Do not use scripts to collect PII from devices.
  • Always follow privacy best practices.

Configuring an Intune Remediation to enable the WMI firewall rules

In the Intune management portal, navigate to Devices > Windows > Scripts. Under Remediations, click the Create button.


Enter the name for the custom script. You can also optionally enter the description and publisher. Then click Next.


Creating the detection script

In PowerShell ISE, create a PowerShell detection script using the following script snippet and save it to a location that can be accessed from the Intune portal.

# Detection script: exit 1 if any inbound WMI firewall rule is disabled (issue detected),
# exit 0 if all of them are enabled (compliant).
Try {
    # -ErrorAction Stop turns "no rules found" into a terminating error so the Catch block handles it,
    # and @() guarantees an array so .Count behaves the same for 0, 1 or many rules.
    $NetFirewallRuleList = @(Get-NetFirewallRule -Direction Inbound -DisplayGroup "Windows Management Instrumentation (WMI)" -ErrorAction Stop)

    # An empty group would otherwise be reported as "all 0 rules enabled"; treat it as an issue instead.
    If ($NetFirewallRuleList.Count -eq 0) { Write-Host "No inbound firewall rules found in the Windows Management Instrumentation (WMI) group"; Exit 1 }

    $Count = $NetFirewallRuleList.Count

    ForEach ($NetFirewallRule in $NetFirewallRuleList) {
        # The first disabled rule is enough to trigger the remediation script.
        If ($NetFirewallRule.Enabled -eq "False") { Write-Host "Firewall Rule [$($NetFirewallRule.DisplayName)] is disabled"; Exit 1 }
        Else { $Count -= 1 }
    }

    If ($Count -eq 0) { Write-Host "All [$($NetFirewallRuleList.Count)] firewall rules in Windows Management Instrumentation (WMI) group are enabled"; Exit 0 }
}
Catch {
    # Any error (for example, the firewall service is unavailable) is reported as "issue detected".
    $ErrorMessage = $_.Exception.Message
    Write-Error $ErrorMessage; Exit 1
}

Next, for the detection script file in the remediation configuration, click on the folder button to browse to the detection script.


Once selected, the detection script will be uploaded to the Azure storage blob.

Creating the remediation script

In PowerShell ISE, create a PowerShell remediation script using the following script snippet, save the script and then select the script file.

# Remediation script: Intune runs this only when the detection script exited with code 1.
# Enable every inbound rule in the WMI group; rules that are already enabled are unaffected.
$NetFirewallRuleList = Get-NetFirewallRule -Direction Inbound -DisplayGroup "Windows Management Instrumentation (WMI)"

ForEach ($NetFirewallRule in $NetFirewallRuleList) { Enable-NetFirewallRule -Name $NetFirewallRule.Name }
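Before uploading a pair of scripts, it is worth running them locally the way Intune will: detection first, the remediation only on exit code 1, then detection again, while checking the two file requirements listed earlier (UTF-8 without BOM, output no longer than 2048 characters). The following pre-flight script is an added example, not code from the original post; the two file paths and the "Pre-flight" wording are assumptions, and it runs whichever powershell.exe is on the PATH rather than the exact bitness Intune would use.

```powershell
# Added example (not from the original post): rehearse an Intune remediation package locally.
# Assumed file paths; change them to wherever you saved the detection and remediation scripts.
param(
    [string]$DetectionScript   = 'C:\Intune\Detect-WmiFirewallRules.ps1',
    [string]$RemediationScript = 'C:\Intune\Remediate-WmiFirewallRules.ps1',
    [int]$MaxOutputChars       = 2048   # output limit from the requirements list
)

function Test-ScriptEncoding {
    param([string]$Path)
    # A UTF-8 BOM is the byte sequence EF BB BF at the very start of the file.
    $b = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF)
    if ($hasBom) { Write-Warning "$Path starts with a UTF-8 BOM; with signature check enforced it must be UTF-8 without BOM" }
    return (-not $hasBom)
}

function Invoke-ScriptLikeIntune {
    param([string]$Path)
    # Separate process, -ExecutionPolicy Bypass (what Intune uses without the signature check),
    # stdout and stderr captured together, exit code read from the child process.
    $output = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Path 2>&1 | Out-String
    $exit = $LASTEXITCODE
    if ($output.Length -gt $MaxOutputChars) {
        Write-Warning "Output is $($output.Length) characters, above the $MaxOutputChars limit"
    }
    [pscustomobject]@{ ExitCode = $exit; Output = $output.Trim() }
}

# Check both files for the BOM problem before running anything.
foreach ($s in @($DetectionScript, $RemediationScript)) { $null = Test-ScriptEncoding -Path $s }

$first = Invoke-ScriptLikeIntune -Path $DetectionScript
Write-Host "Pre-flight detection exit code: $($first.ExitCode) -> $($first.Output)"

if ($first.ExitCode -eq 1) {
    # Exit code 1 means "issue detected": this is the only case in which Intune runs the remediation.
    $fix = Invoke-ScriptLikeIntune -Path $RemediationScript
    Write-Host "Pre-flight remediation exit code: $($fix.ExitCode)"
    $second = Invoke-ScriptLikeIntune -Path $DetectionScript
    Write-Host "Pre-flight re-detection exit code: $($second.ExitCode) -> $($second.Output)"
    if ($second.ExitCode -ne 0) { Write-Warning 'Remediation did not resolve the detected issue' }
}
elseif ($first.ExitCode -ne 0) {
    Write-Warning 'Detection script exited with a code other than 0 or 1; only 1 triggers remediation'
}
```

Run it from an elevated PowerShell session, since Get-NetFirewallRule and Enable-NetFirewallRule need administrative rights to change rule state.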


Leave the three script execution options as set to No and then click Next.

Under assignments, select the group of devices that you would like to assign the remediation script to. Then click Next.


Alternatively, assign the remediation script to All Devices. Then click Next.


Review the configuration and then click Create.


Deploying & testing the Intune remediation

On the client device, under Settings, navigate to Accounts > Access work or school and then click the Info button for the Azure tenant connection.


Scroll down and click the Sync button.

To validate that the script executed successfully and that the detection script returned a successful result, you can check the log file "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log".


Finally, you can confirm in the Windows Defender Firewall with Advanced Security management console, that all the firewall rules within the group “Windows Management Instrumentation (WMI)” are enabled and have a green check icon next to them.


Not using Intune? Want to enable the WMI firewall rules using SCCM? Then have a look at the post on deploying an SCCM Configuration Baseline.

Or, if you are looking to enable the WMI firewall rules using Group Policy, see the post on enabling Windows firewall rules with Group Policy.
