This chapter covers Intune PowerShell scripts and remediations, a powerful feature for managing device configurations and enforcing compliance proactively. For the MS-102 exam, this topic appears in domain 'Manage endpoint management' under objective 2.4 'Manage devices with Intune'. Expect 5-10% of exam questions to cover scripting and remediation concepts, including detection and remediation script pairs, assignment, reporting, and troubleshooting. Mastering these capabilities is critical because they allow administrators to automate fixes for common issues without manual intervention, directly impacting device compliance and security posture.
Imagine a large office building with hundreds of workstations. Instead of sending a technician to each desk to check for issues and apply fixes, the building manager deploys a team of automated maintenance bots. Each bot carries a set of instructions (the PowerShell script) and a checklist of conditions to verify (the detection script). The bots roam the building, executing their scripts on each workstation. For example, a bot might check if the firewall is enabled; if not, it runs a repair script to enable it. Once a bot finishes, it reports back to the manager, who logs the result. If a bot fails to complete its task, the manager can schedule a retry or escalate. This system is proactive: bots run on a schedule, identify problems before they cause downtime, and fix them automatically. In Intune, PowerShell scripts and remediations work the same way: they are deployed to devices, run with system context, detect non-compliance or misconfigurations, and automatically execute remediation steps. The reporting and logging provide visibility into success or failure, allowing administrators to monitor device health at scale.
What Are Intune PowerShell Scripts and Remediations?
Intune PowerShell scripts and remediations are part of Microsoft Intune's proactive remediation capabilities, introduced as a feature within Endpoint Analytics. They allow administrators to deploy custom PowerShell scripts to Windows 10/11 devices to detect and automatically fix common configuration issues. The feature is designed to reduce helpdesk tickets by automatically resolving problems like disabled services, incorrect registry values, or missing security settings.
PowerShell scripts in Intune fall into two categories:
- Device configuration scripts: Traditional PowerShell scripts that run once or on a schedule to configure settings. These are deployed via the 'PowerShell scripts' blade under 'Devices' > 'Windows'.
- Proactive remediations: A pair of scripts (detection and remediation) that run on a recurring schedule. The detection script checks for a condition (e.g., 'Is the Windows Firewall disabled?') and returns an exit code. If the exit code indicates non-compliance, the remediation script runs to fix the issue.
How Proactive Remediations Work Internally
Proactive remediations are executed by the Intune Management Extension (IME) agent on Windows devices. The IME is an essential component that runs as a service on enrolled devices, handling communication with Intune and executing scripts. Here is the step-by-step mechanism:
Assignment: An administrator creates a remediation in the Microsoft Endpoint Manager admin center, specifying a detection script, a remediation script, and a schedule (e.g., daily). The remediation is assigned to Azure AD groups.
Policy Sync: The device checks in with Intune (typically every 8 hours, but can be forced via manual sync). The IME downloads the remediation policy.
Detection Execution: On schedule, the IME runs the detection script with system context (NT AUTHORITY\SYSTEM). The script must output a specific exit code: 0 for compliant (no remediation needed) or 1 for non-compliant (remediation required). Optionally, the script can output a string to the stdout for logging.
Remediation Execution: If the exit code is 1, the IME runs the remediation script, also as SYSTEM. The remediation script should fix the issue and then ideally return exit code 0 on success.
Reporting: The result (success, failed, or skipped) is uploaded to Intune and visible in the 'Remediations' report under 'Endpoint Analytics' > 'Proactive remediations'.
Key Components, Defaults, and Timers
Script execution timeout: Default is 60 minutes per script (detection or remediation). Scripts exceeding this timeout are terminated and marked as failed.
Schedule: Remediations can run daily, weekly, or at a custom interval (e.g., every 1-30 days). The default is daily.
Max script size: Each script (detection or remediation) can be up to 200 KB.
Supported platforms: Windows 10/11 (Pro, Enterprise, Education) and Windows 10/11 IoT Enterprise. Not supported on macOS or Linux.
Exit codes: Detection script must return 0 (compliant) or 1 (non-compliant). Any other exit code is treated as detection failure.
Log location: On the device, logs are stored in %ProgramData%\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log.
Configuration and Verification Commands
To create a proactive remediation:
1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
2. Navigate to 'Endpoint Analytics' > 'Proactive remediations'.
3. Click 'Create remediation' and provide a name, description, and schedule.
4. Upload detection and remediation PowerShell scripts.
5. Assign to Azure AD groups.
To verify deployment, you can check the device's Intune Management Extension logs using:

```powershell
Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log" -Tail 50
```

To test scripts locally, run them in a PowerShell session with elevated privileges to simulate SYSTEM context (though not identical, it helps validate logic).
Interaction with Related Technologies
Endpoint Analytics: Proactive remediations are a feature of Endpoint Analytics, which provides insights into device health. Remediations contribute to the 'Proactive remediations' score.
Compliance policies: While compliance policies enforce settings, remediations can automatically fix non-compliant configurations. For example, a compliance policy might require BitLocker to be enabled; a remediation can enable it if disabled.
Configuration profiles: Scripts can complement configuration profiles by handling settings not available in the built-in CSPs.
Azure AD: Assignments use Azure AD groups, including dynamic groups.
Important Considerations
Script signing: While not required, signed scripts are recommended to avoid execution policy issues. By default, Intune runs scripts with Bypass execution policy.
Error handling: Detection scripts should be designed to exit with 0 or 1 only. Use try-catch to handle errors gracefully.
Performance: Running complex scripts on many devices can impact performance. Keep scripts lightweight and test thoroughly.
Reporting: Use the 'Remediations' report to monitor success rates and investigate failures. Failed remediations can be retried manually.
Exam-Relevant Details
The detection script must output an exit code of 0 or 1. Exit code 0 means compliant; exit code 1 means non-compliant.
Remediations run as SYSTEM, not as the logged-in user.
The default schedule is daily.
Scripts are limited to 200 KB each.
The timeout per script is 60 minutes.
Proactive remediations are available only for Windows 10/11 devices.
The feature is part of Endpoint Analytics, not Device configuration profiles.
Common Exam Scenarios
Scenario: A company wants to automatically re-enable Windows Defender if it is turned off. Create a detection script that checks the service status and returns 1 if disabled, and a remediation script that starts the service.
Scenario: An administrator needs to deploy a custom registry key to all devices. Use a PowerShell script (device configuration script) assigned to a group.
Scenario: A remediation fails repeatedly. Check the AgentExecutor.log on a device for error details.
Trap Patterns
Wrong exit code: Candidates often think detection scripts should return 0 for non-compliant. The opposite is true: 0 = compliant, 1 = non-compliant.
User context: Remediations run as SYSTEM, not as the user. Some scripts requiring user interaction will fail.
Schedule vs. trigger: Remediations run on a schedule, not triggered by compliance policy evaluation.
Platform: Proactive remediations are Windows-only. Do not assume macOS support.
Create Detection Script
Write a PowerShell script that checks for the condition you want to detect. The script must exit with code 0 if the condition is compliant (no action needed) or 1 if non-compliant (remediation required). For example, to check if Windows Firewall is enabled: `$firewall = Get-NetFirewallProfile -Profile Domain,Public,Private; if ($firewall.Enabled -contains $false) { exit 1 } else { exit 0 }`. The script should be idempotent and handle errors gracefully. Test locally with an elevated PowerShell session. Ensure the script is under 200 KB. The exit code is critical: any code other than 0 or 1 is treated as a detection failure.
Create Remediation Script
Write a PowerShell script that fixes the issue detected. For example, to enable Windows Firewall: `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True; exit 0`. The remediation script should ideally leave the environment in a compliant state and exit with 0 on success. If the remediation fails, it can exit with a non-zero code, but the detection script will re-run on the next schedule and trigger remediation again. The remediation script runs as SYSTEM, so it has high privileges. Ensure the script is robust and does not rely on user interaction.
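The firewall detection and remediation pair from the two steps above, written out in full as an added example (these are not scripts from the original chapter or from Microsoft, and the file names are made up). Compared with the one-line snippets, it shows the three things the chapter says an exam candidate must get right: an explicit `exit 0` / `exit 1` on every path (a script that merely writes 'True' or 'False' exits 0 and never remediates), a try/catch so an error does not produce a stray exit code, and a single stdout line that Intune captures as the script output in the per-device report. The `Enabled` property is compared to the string 'True' because it is a GpoBoolean enum rather than a plain boolean.

```powershell
# --- Detect-FirewallEnabled.ps1 (hypothetical file name) ---
# Detection script for an Intune proactive remediation.
# Exit 0 = compliant (all three profiles enabled); exit 1 = non-compliant (remediation runs).
# Runs as NT AUTHORITY\SYSTEM: no prompts, no user interaction.
try {
    $profiles = Get-NetFirewallProfile -Profile Domain, Public, Private -ErrorAction Stop
    # 'Enabled' is a GpoBoolean enum, so compare against the string 'True', not $true.
    $disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' } |
                  Select-Object -ExpandProperty Name)
    if ($disabled.Count -eq 0) {
        # One line on stdout is captured by Intune and shown in the device report.
        Write-Output "Compliant: Domain, Public and Private profiles are enabled"
        exit 0
    }
    Write-Output "Non-compliant: disabled profiles = $($disabled -join ', ')"
    exit 1
}
catch {
    # Stay within 0/1: any other exit code is reported as a detection failure rather than
    # as non-compliance. Exiting 1 here is safe because the remediation below is idempotent.
    Write-Output "Detection error, requesting remediation: $($_.Exception.Message)"
    exit 1
}

# --- Remediate-FirewallEnabled.ps1 (hypothetical file name) ---
# Remediation script; Intune only runs it after the detection script exited 1.
# Idempotent: enabling an already-enabled profile is a no-op, so re-runs are harmless.
try {
    Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True -ErrorAction Stop
    # Re-check so the exit code reflects the actual end state (for example, a GPO that
    # forces a profile off would make the Set succeed but leave the device non-compliant).
    $stillOff = @(Get-NetFirewallProfile -Profile Domain, Public, Private -ErrorAction Stop |
                  Where-Object { $_.Enabled -ne 'True' })
    if ($stillOff.Count -gt 0) {
        Write-Output "Remediation incomplete: $($stillOff.Name -join ', ') still disabled"
        exit 1   # detection runs again on the next schedule and remediation retries
    }
    Write-Output "Remediated: all firewall profiles enabled"
    exit 0
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Each half is uploaded as its own file in the remediation's 'Detection script' and 'Remediation script' boxes. To dry-run the detection half locally, start an elevated PowerShell session, run the file, and inspect `$LASTEXITCODE`; it should be 0 on a compliant machine and 1 after you disable one profile, never anything else.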
Configure Remediation in Intune
In the Microsoft Endpoint Manager admin center, navigate to 'Endpoint Analytics' > 'Proactive remediations'. Click 'Create remediation'. Provide a name and description (e.g., 'Enable Windows Firewall'). Set the schedule: choose 'Daily' for most cases. Upload the detection script and remediation script. Optionally, you can set a custom schedule (e.g., every 2 days). Under 'Assignments', select the Azure AD groups that should receive the remediation. Save the policy. Intune will push the policy to devices on their next sync.
Assign to Target Devices
Remediations are assigned to Azure AD groups, not individual devices. You can assign to a group containing users or devices. For example, assign to 'All Windows 10 devices' or a dynamic group based on device category. The assignment is evaluated during sync. If a device is removed from the group, the remediation policy is removed. Note that assignments can be targeted to 'All devices' or specific groups. There is no exclusion group for remediations (unlike configuration profiles).
Monitor Remediation Reports
After deployment, monitor the remediation's performance. In the admin center, go to 'Endpoint Analytics' > 'Proactive remediations' and select the remediation. The report shows: 'Total devices', 'Compliant', 'Remediated', 'Failed', and 'Not yet evaluated'. Click into the report to see per-device status. For failed devices, check the 'Failure reason' column. Common failures include script timeout, script errors, or device offline. Use the 'Export' feature to download the report for further analysis. Also, check the Intune Management Extension logs on a problematic device using the path mentioned earlier.
In a large enterprise environment, proactive remediations are commonly used to enforce security baselines and reduce helpdesk calls. For example, a financial institution with 10,000 Windows 10 devices uses remediations to ensure that BitLocker drive encryption is always enabled. The detection script checks the BitLocker status of the OS drive; if it is off or suspended, the remediation script enables BitLocker using the TPM protector. This automation reduces the number of non-compliant devices from hundreds to near zero, and the security team can focus on exceptions rather than manual fixes.
Another scenario is automatically disabling legacy protocols like SMBv1. Many organizations have a security policy to disable SMBv1 due to known vulnerabilities. A detection script checks whether the SMB1 value under the registry key HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0. If it is not 0, the remediation script sets it to 0 and restarts the Server service. This ensures that even if a user accidentally enables SMBv1, it is automatically disabled within 24 hours.
A third common use case is managing local user accounts. A company might require that the built-in Administrator account is disabled. The detection script checks if the account is enabled; if so, the remediation script disables it using Disable-LocalUser -Name 'Administrator'. This is particularly useful for contractors or temporary devices where local account management is lax.
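The SMBv1 scenario above as an added example (not code from the original chapter or from Microsoft; file names are invented). It shows the registry edge case the firewall example does not: the SMB1 value may simply be absent, and `Get-ItemProperty -Name` on a missing value throws, so the script reads the whole key and looks the property up. A missing value is treated as non-compliant, matching the chapter's "if it is not 0" rule, because an absent value means the server's default applies rather than an explicit disable.

```powershell
# --- Detect-Smb1Disabled.ps1 (hypothetical file name) ---
# Compliant (exit 0) only when LanmanServer\Parameters\SMB1 exists and equals 0.
# Missing value or any other value -> non-compliant (exit 1).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'SMB1'
try {
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
}
catch {
    # Cannot even read the key: report it and let the idempotent remediation try to set it.
    Write-Output "Detection error reading ${key}: $($_.Exception.Message)"
    exit 1
}
$prop = $props.PSObject.Properties[$name]   # $null when the value does not exist
if ($null -eq $prop) {
    Write-Output "Non-compliant: $name value is missing under $key"
    exit 1
}
if ([int]$prop.Value -eq 0) {
    Write-Output "Compliant: $name = 0"
    exit 0
}
Write-Output "Non-compliant: $name = $($prop.Value)"
exit 1

# --- Remediate-Smb1Disabled.ps1 (hypothetical file name) ---
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'SMB1'
try {
    # New-ItemProperty -Force creates the DWORD if absent and overwrites it if present,
    # so the same script works for both the "missing" and the "wrong value" cases.
    New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    # The Server service reads this parameter at start-up; -Force also restarts dependents.
    Restart-Service -Name LanmanServer -Force -ErrorAction Stop
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
    if ([int]$after -ne 0) {
        Write-Output "Remediation incomplete: $name = $after"
        exit 1
    }
    Write-Output "Remediated: $name = 0 and LanmanServer restarted"
    exit 0
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Note that restarting LanmanServer drops any open SMB sessions on that device (shared folders, printers), which is one more reason to keep the schedule in off-peak hours as the chapter recommends; the detection half is read-only and has no such side effect.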
Performance considerations: Running remediations on thousands of devices simultaneously can cause a spike in network traffic as each device uploads results. Intune throttles reporting to avoid overload, but administrators should schedule remediations during off-peak hours. Also, scripts should be efficient; a script that takes 5 minutes per device on 10,000 devices can cause the IME to be busy for extended periods, delaying other operations.
Common misconfigurations: A frequent mistake is writing detection scripts that do not exit with 0 or 1. For example, a script that outputs 'True' or 'False' without an explicit exit code will exit with 0 (the default), so the remediation never runs. Another issue is relying on user context; for instance, a script that tries to access a user's registry hive (HKCU) will fail because it runs as SYSTEM. Use reg load or target HKU if necessary, but it is better to avoid user-specific settings altogether.
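If a per-user setting cannot be avoided, the HKU approach mentioned above looks like this. This is an added example, not code from the chapter; the compliance rule it checks (every loaded user hive must set NoDriveTypeAutoRun to 255 under Policies\Explorer) is chosen only for illustration, and the file name is invented. The point is that under SYSTEM, `HKCU:` is SYSTEM's own hive, so the script enumerates the user SIDs currently loaded under HKEY_USERS instead.

```powershell
# --- Detect-PerUserAutoRun.ps1 (hypothetical file name) ---
# Runs as NT AUTHORITY\SYSTEM, where HKCU: does NOT point at the logged-on user's hive.
# Enumerates the user hives loaded under HKEY_USERS and checks each one.
# Illustrative rule (an assumption for this example): NoDriveTypeAutoRun must be 255.
$subPath   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
try {
    # HKU: is not a default PSDrive; create it on first use.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction Stop | Out-Null
    }
    # Keep only real user SIDs (S-1-5-21-...); skip .DEFAULT, service SIDs and *_Classes hives.
    $hives = @(Get-ChildItem -Path 'HKU:\' -ErrorAction Stop |
               Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' })
    if ($hives.Count -eq 0) {
        # No interactive user hive is loaded (nobody logged on): nothing to evaluate.
        Write-Output "Compliant: no user hives loaded"
        exit 0
    }
    $nonCompliant = @()
    foreach ($hive in $hives) {
        $keyPath = "HKU:\$($hive.PSChildName)\$subPath"
        $props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue  # $null if key missing
        $prop    = if ($props) { $props.PSObject.Properties[$valueName] } else { $null }
        $value   = if ($prop) { $prop.Value } else { $null }
        if ($null -eq $value -or [int]$value -ne 255) {
            $nonCompliant += $hive.PSChildName
        }
    }
    if ($nonCompliant.Count -eq 0) {
        Write-Output "Compliant: $($hives.Count) loaded user hive(s) set $valueName = 255"
        exit 0
    }
    Write-Output "Non-compliant hives: $($nonCompliant -join ', ')"
    exit 1
}
catch {
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```

The limitation is visible in the code: only hives that are loaded at run time (users currently logged on) are evaluated, so a device whose owner is logged off reports as compliant without being checked. That gap is why the chapter advises keeping remediations to machine-wide (HKLM) settings wherever possible.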
In production, always test remediations on a pilot group before broad deployment. Use the 'Remediations' report to track success rates and investigate failures. If a remediation fails on many devices, review the script logic and logs. Sometimes, a script works on most devices but fails on specific models due to driver differences; handle such cases with error handling and logging.
The MS-102 exam tests Intune PowerShell scripts and remediations under objective 2.4 'Manage devices with Intune', specifically focusing on proactive remediations. Expect questions that require you to identify the correct exit codes, scheduling options, and platform support. The most common wrong answers stem from confusion about exit codes: many candidates think detection scripts return 0 for non-compliant and 1 for compliant, when the opposite is true. Another trap is assuming remediations run in user context; they run as SYSTEM. Also, candidates often confuse proactive remediations with device configuration scripts; remember that remediations require a detection script and remediation script pair, while configuration scripts are standalone.
Key numbers to memorize:
Exit code 0 = compliant (no remediation needed)
Exit code 1 = non-compliant (remediation runs)
Default schedule: Daily
Max script size: 200 KB per script
Timeout: 60 minutes per script
Supported platforms: Windows 10/11 only
Edge cases the exam loves:
What happens if the detection script returns an exit code other than 0 or 1? It is treated as a detection failure, and remediation does not run. The device is marked as 'Error' in reporting.
If the remediation script fails (returns non-zero), the detection script will run again on the next schedule and trigger remediation again. The device remains non-compliant until remediation succeeds.
If a device is offline during the scheduled time, the remediation runs on the next sync.
How to eliminate wrong answers:
If a question asks about running a script on a schedule to fix a recurring issue, the answer is 'proactive remediation' not 'device configuration script'.
If a question mentions 'detection script' and 'remediation script', it is definitely proactive remediation.
For platform-specific questions, remember that proactive remediations are Windows-only; do not select macOS or Linux options.
When asked about script context, always choose 'SYSTEM' or 'machine context'.
Additionally, understand that proactive remediations are part of Endpoint Analytics, not Device management > PowerShell scripts. The latter is for running scripts once or on a schedule without detection logic. The exam may ask about the difference: proactive remediations are for automatic detection and remediation, while PowerShell scripts are for one-time or recurring configuration tasks without automatic detection.
Finally, be aware that the Intune Management Extension (IME) is the component that executes scripts. Questions about logs or troubleshooting should reference the IME logs. The IME sync interval is every 8 hours by default; this is not directly tested for remediations, but it helps explain why a remediation might not appear on a device immediately.
Detection script must exit with 0 for compliant, 1 for non-compliant.
Remediations run as SYSTEM, not user context.
Default schedule is daily; max script size is 200 KB per script.
Timeout per script is 60 minutes.
Proactive remediations are Windows 10/11 only.
Remediations are part of Endpoint Analytics, not device configuration profiles.
If detection script returns exit code other than 0 or 1, it's treated as detection failure.
Remediation will retry on next schedule if it fails.
These come up on the exam all the time. Here's how to tell them apart.
Proactive Remediations
Requires both detection and remediation scripts.
Runs on a schedule (daily, weekly, etc.).
Automatically fixes issues when detection finds non-compliance.
Part of Endpoint Analytics.
Supported only on Windows 10/11.
Device Configuration PowerShell Scripts
Single PowerShell script, no detection logic.
Can run once or on a schedule, but no automated detection.
Used for one-time configuration or recurring tasks without auto-fix.
Part of Devices > Windows > PowerShell scripts.
Supported on Windows 10/11 and Windows Holographic (HoloLens).
Mistake
Detection scripts should return exit code 0 for non-compliant and 1 for compliant.
Correct
In Intune proactive remediations, exit code 0 means compliant (no action needed) and exit code 1 means non-compliant (remediation required). This is the opposite of what many assume.
Mistake
Proactive remediations run in the context of the logged-on user.
Correct
Remediations run as NT AUTHORITY\SYSTEM, not as the user. Scripts that rely on user-specific registry hives (HKCU) or user environment variables will fail unless they explicitly load the user hive.
Mistake
Proactive remediations can be used on macOS and Linux devices.
Correct
Proactive remediations are only supported on Windows 10/11 devices. For macOS and Linux, use alternative methods like configuration profiles or custom scripts via other tools.
Mistake
The detection script and remediation script are optional; you can use only one.
Correct
A proactive remediation requires both a detection script and a remediation script. The detection script determines whether the remediation script runs. If you only need to run a script without detection, use a device configuration PowerShell script instead.
Mistake
If a remediation script fails, it will retry immediately.
Correct
There is no automatic immediate retry. The remediation will run again on the next scheduled interval (e.g., daily). You can manually trigger a sync from the device or wait for the next schedule.
The detection script must return exit code 1 to trigger remediation. Exit code 0 means compliant (no action). Any other exit code results in a detection failure. This is a common exam point: remember 0 = OK, 1 = fix needed.
No, proactive remediations are only supported on Windows 10/11 devices. For macOS, you can use configuration profiles or shell scripts via platform-specific methods, but not the proactive remediation feature.
By default, they run daily. You can configure a custom schedule (e.g., every 2 days, weekly) when creating the remediation. The schedule is set in the remediation policy.
Each script has a 60-minute timeout. If the remediation script exceeds this, it is terminated and marked as failed. The device will remain non-compliant until the next schedule when the detection script runs again.
Logs are stored in `%ProgramData%\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log`. You can view this file to troubleshoot script execution errors.
No, assignments are made to Azure AD groups (user or device groups). You cannot assign directly to a single device; you must create a group containing that device.
Proactive remediations use a detection-remediation pair to automatically fix issues on a schedule. PowerShell scripts are standalone scripts that run once or on a schedule without automatic detection. Remediations are part of Endpoint Analytics; scripts are in Devices > PowerShell scripts.