How to Use Proactive Remediations in Intune

Wouldn’t it be great to fix issues before users open a ticket?

That’s exactly what Proactive Remediations in Microsoft Intune allow you to do. Using detection and remediation scripts, you can automatically identify and resolve common problems silently, on a schedule, and at scale.

Here’s how it works, how to set it up, and examples you can use right away.

Proactive Remediations are part of the Intune Device Remediations feature, available to tenants with:

  • Windows 10/11 Enterprise or Education
  • Microsoft Intune Suite or E5 licenses
  • Endpoint Analytics enabled

They consist of:

  • A detection script: checks whether a problem exists
  • A remediation script: runs only if detection reports a failure

Think of them as Intune’s way to enable self-healing endpoints.

Use Cases You Can Automate

  • Restarting Windows Update service if stuck
  • Re-enabling BitLocker if encryption is off
  • Resetting a corrupted OneDrive sync folder
  • Removing unwanted local admin accounts
  • Reapplying registry-based settings (e.g. Teams optimization)

How to Set It Up (Updated Navigation)

Step 1: Go to the Intune Admin Center

Navigate to: Devices > Remediations

Step 2: Click + Create Package

Step 3:

  • Give your script a name and description
  • Upload a Detection Script (.ps1)
  • Upload a Remediation Script (.ps1)

Step 4: Assign the package to the appropriate device group

Step 5: Choose the frequency (e.g., every 1 hour, 8 hours, daily)

Monitor status from the Deployment Status tab


Scripting Best Practices

  • Detection scripts must return exit code 0 for compliant, 1 for non-compliant
  • Remediation only runs if detection fails
  • Always test scripts on pilot devices first
  • Avoid forcing restarts or UI interaction
  • Log outcomes to Event Viewer or a custom log file for auditing

Monitoring Remediation Results

Once deployed, go back to:

Devices > Remediations > [Your Script] > Device Status

There you’ll see:

  • Detection passed/failed
  • Remediation success/failure
  • Timestamp of last run

Example Scripts

Example 1: Detection – BitLocker Not Enabled

$bitlocker = Get-BitLockerVolume -MountPoint "C:"
if ($bitlocker.ProtectionStatus -eq 1) {
    exit 0 # BitLocker is enabled
} else {
    exit 1 # BitLocker is not enabled
}

Example 2: Remediation – Enable BitLocker (Silent)

# Assumes a ready TPM on the device; encrypts used space only with XTS-AES 256 and adds a TPM protector
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

Example 3: Detection – Windows Update Service Not Running

$service = Get-Service -Name wuauserv
if ($service.Status -eq 'Running') {
    exit 0
} else {
    exit 1
}

Example 4: Remediation – Start Windows Update Service

# Set the startup type first: Start-Service fails if the service is Disabled
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv
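Example 5: Detection – Unexpected Local Administrators (added example, not from the original post)

This combines the exit-code contract and the logging advice from the best practices above for the "removing unwanted local admin accounts" use case. The approved-member names and the log path are assumptions; adjust them for your tenant.

```powershell
# Detection: the local Administrators group contains only approved members.
# Exit 0 = compliant, exit 1 = non-compliant (Intune then runs the remediation script).
$Approved = @('Administrator', 'LAPSAdmin', 'Domain Admins')   # assumed allow-list
$LogPath  = "$env:ProgramData\Remediations\LocalAdmins.log"    # assumed log location
# On Entra-joined devices the group also holds role SIDs (S-1-12-1-...); add the ones you use.

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogPath
}

try {
    # Get-LocalGroupMember returns 'COMPUTER\user' or 'DOMAIN\group'; keep the leaf name only
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name.Split('\')[-1] }
    $unexpected = @($members | Where-Object { $_ -notin $Approved })

    if ($unexpected.Count -gt 0) {
        $list = $unexpected -join ', '
        Write-Log "Non-compliant: unexpected local admins: $list"
        Write-Output "Unexpected local admins: $list"   # visible in the Device Status output column
        exit 1
    }

    Write-Log "Compliant: Administrators contains only approved members"
    Write-Output "Compliant"
    exit 0
}
catch {
    # A failed check is reported as non-compliant so it surfaces in Device Status instead of
    # silently passing; the remediation script should repeat this check before removing anything.
    Write-Log "Error: $($_.Exception.Message)"
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```

Run it under the default 64-bit SYSTEM context that Remediations use, and pilot it on a few devices before assigning it broadly.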

Proactive Remediations are one of the most valuable tools in Intune for keeping devices healthy, especially in distributed environments.

They help you prevent tickets, reduce user frustration, and maintain compliance silently and automatically.

Start simple, test scripts in pilot groups, and build a library of reusable checks as your environment matures.
