Automate issue resolution using remediation scripts
Even with perfectly designed configuration profiles, device states can drift. A user might accidentally disable a critical background service, a required registry key might get modified by a legacy application, or a local cache might fill up and cause an app to crash.
Instead of waiting for the user to experience a failure and call the helpdesk, you can use Remediations (formerly known as Proactive Remediations) in Microsoft Intune to detect and fix these issues silently, before they impact productivity.
Remediations rely on PowerShell scripts pushed to Windows devices. By understanding how to structure and deploy these scripts, you can automate your IT department's most common Tier 1 troubleshooting steps.
Use built-in remediation packages
Before you invest time writing scripts, check the built-in Remediations packages that Microsoft provides. These require no custom PowerShell and can be assigned immediately:
- Update stale Group Policies: Helps resolve issues related to connectivity and access to internal resources when Group Policy processing is stale.
- Restart Office Click-to-run service: Helps resolve Office apps failing to start by restarting the Click-to-run service.
How Remediations work
A remediation package consists of two distinct PowerShell scripts working together:
- The Detection Script: This script runs on a schedule to evaluate a specific condition on the device. It checks if an issue exists (e.g., "Is the Print Spooler service stopped?").
  - If the device is healthy, the script exits with Exit 0. Intune logs the device as "Without issues" and stops.
  - If the device has the issue, the script exits with Exit 1. Intune flags the device as "With issues" and triggers the next step.
- The Remediation Script: This script only runs if the Detection script returns an Exit 1. It contains the actual commands to fix the problem (e.g., Start-Service -Name Spooler).
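A detection script for the Print Spooler case described above, written as an added example (not one of Microsoft's built-in packages). The file name is assumed, and it assumes the targeted devices are expected to run the spooler; it checks both the current state and the start type so that a service that was set to Disabled is also flagged, not just one that happens to be stopped.

```powershell
# Detect-PrintSpooler.ps1 (assumed file name; added example, not Microsoft's package)
# Runs as SYSTEM on the Intune schedule. Exit 0 = healthy, Exit 1 = needs remediation.
# Assumption: this device is expected to have the Print Spooler running. Do not target
# devices where a hardening baseline deliberately disables the spooler.
$ServiceName = 'Spooler'

try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
}
catch {
    # Service not installed: flag it so the remediation attempt shows up as Failed
    # in the report instead of the device silently passing as healthy.
    Write-Output "Service '$ServiceName' not found: $($_.Exception.Message)"
    exit 1
}

$problems = @()

# Condition 1: the service is not currently running.
if ($svc.Status -ne 'Running') {
    $problems += "status is $($svc.Status)"
}

# Condition 2: the service would not come back after a reboot because its start type
# is Manual or Disabled. Get-Service exposes StartType on Windows PowerShell 5.1+.
if ($svc.StartType -ne 'Automatic') {
    $problems += "start type is $($svc.StartType)"
}

if ($problems.Count -gt 0) {
    # The last line of output is shown in the Intune device status report as the
    # pre-remediation detection output, so keep it short and specific.
    Write-Output ("Spooler needs remediation: " + ($problems -join '; '))
    exit 1
}

Write-Output "Spooler running and set to Automatic"
exit 0
```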
Common use cases for Remediations
Remediations are ideal for enforcing baseline states that cannot be easily managed through standard Intune configuration profiles.
- Restarting stopped services: Automatically restarting critical security or line-of-business application services if they crash.
- Clearing stale caches: Deleting temporary files or clearing the Microsoft Teams cache if it exceeds a certain size and causes performance degradation.
- Registry key enforcement: Reapplying custom registry keys that legacy software frequently overwrites.
- Fixing broken shortcuts: Replacing missing desktop shortcuts for essential web applications.
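The matching remediation script for the "restarting stopped services" use case, as an added example rather than the project's own code (file name assumed, paired with the detection script above). A bare Start-Service fails when the service has been set to Disabled, so the script corrects the start type first and exits non-zero on any error so the device is reported as Failed rather than fixed.

```powershell
# Remediate-PrintSpooler.ps1 (assumed file name; added example, not Microsoft's package)
# Only runs after the detection script exited 1. Runs as SYSTEM (logged-on credentials = No).
# Assumption: the device is expected to run the Print Spooler (see the detection script).
$ServiceName = 'Spooler'

try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # Start-Service fails on a Disabled service, so fix the start type first.
    # This is the edge case a plain 'Start-Service -Name Spooler' remediation misses.
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction Stop
        Write-Output "Set start type to Automatic (was $($svc.StartType))"
    }

    if ($svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName -ErrorAction Stop
        # Wait up to 30 seconds for Running; WaitForStatus throws on timeout,
        # which lands in the catch block below.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        Write-Output "Started $ServiceName"
    }

    # Refresh the cached object and re-check, so this script's own verdict matches
    # what the detection script will see when Intune re-runs it.
    $svc.Refresh()
    if ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic') {
        Write-Output "$ServiceName healthy"
        exit 0
    }

    Write-Output "$ServiceName still $($svc.Status) / start type $($svc.StartType)"
    exit 1
}
catch {
    # A non-zero exit makes Intune report the device as Failed, with this message
    # visible in the report, instead of marking it as fixed.
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```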
How to deploy a Remediation in Intune
Once you have written and tested your two PowerShell scripts locally, you are ready to upload and deploy them via the Intune admin center.
Step 1: Create the Remediation package
- Navigate to Devices > Manage devices > Scripts and remediations.
- Select Create.
- On the Basics tab, provide a clear Name (e.g., Auto-Fix: Restart Print Spooler) and a Description. Click Next.
Step 2: Upload the scripts
- On the Settings tab, upload your Detection script file (.ps1).
- Upload your Remediation script file (.ps1).
- Configure script settings:
  - Run this script using the logged-on credentials: Leave as No (runs as SYSTEM) if you are modifying services or HKLM registry keys. Change to Yes if you are modifying HKCU keys or clearing user-specific app data.
  - Enforce script signature check: Choose No (recommended). Enable only if your organization requires signed scripts.
  - Run script in 64-bit PowerShell: Generally recommended as No for modern Windows 10/11 devices. Use Yes only when your scripts explicitly require 64-bit registry paths or 64-bit APIs.
Step 3: Assign and schedule
- On the Assignments tab, select the Microsoft Entra ID group containing the target devices.
- Click on Daily under schedule next to the assigned group to set the Schedule.
- You can configure the script to run daily, weekly, or even hourly, depending on how critical the configuration is.
- Click on Next to "Review + Create" and then select Create.
Note
You can also add a filter here if needed.
Monitor the automated fixes
Once deployed, you can track approximately how much time and effort your script is saving the helpdesk.
- Go back to Devices > Manage devices > Scripts and remediations and select your newly created script package.
- Review the Device status report.
- You will see devices categorized into distinct states:
- Without issues: The detection script ran and everything was fine.
- Issue fixed: The detection script found the problem, ran the remediation script, and successfully resolved it.
- Failed: The script ran into an error (e.g., access denied, or syntax error in your PowerShell).
By monitoring the "Issue fixed" metric, you can quantify how many helpdesk tickets were prevented by your automation.
Run a remediation on demand (preview)
If you need to validate a fix during an active support call, you can trigger a remediation immediately on a single device by using the Run remediation (preview) remote action without waiting for the next scheduled run.
- In the Microsoft Intune admin center, go to Devices > By platform > Windows and select the target device.
- Select ... > Run remediation (preview).
- Choose the remediation script package you want to run, then confirm the action.