Automate the remediation of security issues

Microsoft Intune, part of Microsoft Endpoint Manager, is a cloud-based MDM and MAM (Mobile Device Management and Mobile Application Management) solution that enables organizations to manage and secure their employees‘ devices and applications. One of the powerhouses of Intune is the ability to use Proactive Remediation scripts to automatically remediate security issues on endpoints.

Proactive Remediation Scripts are PowerShell scripts that run on endpoints to identify and fix specific security issues. For example, with these scripts you can:

• Check whether certain security software is installed on the device and install it if necessary
• Check whether certain Windows settings are configured correctly and correct them if necessary
• Check whether certain registry settings are configured correctly and correct them if necessary

Once the script runs on the device, it sends the results back to Intune so you can see which issues have been fixed and which ones are still there. You can also be notified when certain conditions are met, such as when a specific security issue has been discovered on a device.

How to create a Proactive Remediation Script?

First you have to create two PowerShell scripts. The first script is used to detect if a specific problem exists, the second script runs commands to fix it. There are some examples of Proactive Remediation Scripts provided by Microsoft as well as by the community via Github.

Once you’ve created a script, or found one of the examples, all you have to do is upload it to Intune and schedule it to run.

To upload a script to Intune, we have to switch to Endpoint Analytics via the Reports item and there we will find the „Proactive remediations“ area.

Here we see scripts that have already been uploaded and can upload new scripts via the „+ Create script package“ item.

Now, to add a new remediation script, we first need to define a name and an optional description:

In this example we will include a script that sends a Windows notification to the user when the free hard disk space is low.

For this we now have to upload a script to detect the problem and one to fix it. Optional execution parameters can be defined.

At the beginning of this post I wrote that you can use the Proactive Remediation Scripts to fix security problems. This is correct, but other use cases can also be mapped, such as displaying a message when the hard drive is low on free space.

Finally, we need to assign the script to a group of devices:

After we have selected the group of desired devices here, we can create a schedule at which time the script will be executed. This schedule can contain the following parameters:

• Frequency (Once, Hourly or Daily)

• Repeats every (Number of days, for example)

• Time (Time of execution)

• Use UTC? (Set the execution time to the UTC Format)

Monitoring

After the script has been created, a dashboard for the execution can be found by clicking on the script:

It lists successful and failed executions and gives a good overview of how the script performs and whether detection or remediation works.