Remediate device issues using compliance and configuration policies

Completed

In this unit, you will learn how to transition your endpoint management strategy from simply detecting security violations to actively fixing them.

In a Zero Trust architecture, a Compliance Policy acts as your alarm system. It detects when a device falls out of bounds (e.g., a disabled firewall or a missing registry key) and triggers Microsoft Entra Conditional Access to block the user. However, detecting the issue is only half the battle. Relying solely on the helpdesk to manually troubleshoot every blocked user is inefficient and scales poorly. Microsoft Intune allows you to build automated remediation workflows using Configuration Policies and custom scripts. Here is how to design an environment that self-heals.

Declarative fixes: Device Configuration Profiles

The most efficient way to remediate a compliance failure is to ensure a Device Configuration Profile is actively enforcing the required setting. Intune's native configuration profiles are declarative; they don't just set a preference during enrollment, they continuously evaluate and re-apply the setting if it drifts.

  • The Scenario: A user with local administrator rights temporarily disables the Windows Defender Firewall to troubleshoot a legacy application. The Intune Compliance Policy detects this state change, marks the device Noncompliant, and Entra ID blocks their access to corporate email.
  • The Remediation: You have an Endpoint Security Firewall policy deployed to that same device. At the next Intune sync cycle, the configuration policy detects the localized configuration drift, overrides the user's manual change, and forcefully turns the firewall back on.
  • The Result: The device self-heals. The compliance policy re-evaluates the device as healthy, and Entra ID automatically restores the user's access without a single helpdesk ticket being generated.

Custom fixes: Intune Remediations

Configuration profiles are excellent for native Windows, iOS, and Android settings, but what happens when a device is noncompliant due to a complex, custom application error or a missing specific registry key?

For advanced, customized fixes, you utilize Remediations (formerly known as Proactive Remediations). This feature leverages the Intune Management Extension to execute a two-part script package (typically PowerShell for Windows or Bash for macOS).

  • Part 1: The Detection Script: This script runs on a recurring schedule (e.g., every hour or daily) to evaluate a highly specific condition. For example, “Does the registry key HKLM\Software\CorpApp\Version equal 2.0?” If the script returns an exit code indicating failure (Exit Code 1), the device is flagged as having an issue.
  • Part 2: The Remediation Script: If the detection script fails, Intune immediately triggers the remediation script. This script executes the fix: “Set the registry key HKLM\Software\CorpApp\Version to 2.0.”
  • The Benefit: Remediations fix the underlying issue silently in the background, often before the compliance policy even has a chance to mark the device as noncompliant.

Targeted Remediation Workflows

Running heavy PowerShell remediation scripts constantly across your entire fleet can consume unnecessary compute resources. Instead, you can trigger targeted remediations only when a device breaks a rule.

To build an effective self-healing workflow, you have two options for managing the group of non-compliant devices.

This approach is ideal for a fully automated lifecycle, as it automatically removes devices from the remediation group once they are fixed.

  1. Create a Dynamic Entra ID Group: Instead of an assigned group, create a dynamic device group named “Remediation - Broken VPN Client”. Set a dynamic membership rule based on Intune compliance status (e.g., (device.deviceComplianceStatus -eq "nonCompliant")).
  2. Assign the Remediation Script: Deploy your PowerShell remediation script (designed to forcefully restart or reinstall the VPN service) explicitly to that “Remediation - Broken VPN Client” group.
  3. The Workflow in Action:
    • A device fails the VPN compliance check and is marked as non-compliant.
    • Entra ID dynamically adds the device to the remediation group.
    • This new group membership triggers the assignment of the PowerShell script.
    • The script executes, fixes the VPN, and the device reports back as compliant.
    • Once compliant, the device no longer matches the dynamic rule and automatically drops out of the remediation group.

Option B: Actions for Noncompliance with Manual Cleanup

You can also use Intune's native compliance actions combined with an assigned group, though this method lacks automatic cleanup.

  1. Create an Entra ID Security Group: Create an assigned group named “Remediation - Broken VPN Client”.
  2. Configure the Action for Noncompliance: In your VPN compliance policy, configure an action to Add device to Entra ID group and select the assigned group you just created. Set the schedule to 0 days.
  3. Assign the Remediation Script: Deploy your PowerShell remediation script to the “Remediation - Broken VPN Client” group.
  4. The Workflow in Action:
    • A device fails the VPN compliance check.
    • Intune immediately drops the device into the Entra ID remediation group.
    • This triggers the script to execute and fix the VPN, returning the device to compliance.
    • Important: The device does not automatically drop out of the group. Administrators must periodically audit the group and manually remove devices that have returned to compliance.

Manual Remediation Actions

When automated workflows fail or an immediate intervention is required, administrators can trigger manual remediation actions remotely from the Intune admin center. Navigate to the specific device's overview page to initiate:

  • Sync: Forces the device to immediately bypass its standard schedule and check in with Intune to download missing configuration profiles or updated compliance policies.
  • Update Windows Defender Security Intelligence: Forces an immediate download of the latest antivirus signatures if the device was flagged as noncompliant due to outdated definitions.
  • Restart: Reboots the device remotely, which is often required to finalize pending Windows Updates or clear hung background processes causing compliance failures.