So there you are, sipping your fourth coffee of the morning, when yet another ticket comes in:

"My OneDrive isn't syncing. Again."

You sigh. You mutter something about cursed registry keys and ghosted Group Policies. And then you remember: Proactive Remediations. The unsung hero of Microsoft Intune. A way to automate the pain away with custom detection and remediation scripts, all lovingly shoved down to the endpoints via Intune.

Welcome to Proactive Remediations — Intune's built-in scripting voodoo that lets you find and fix problems on autopilot, before users even realize something’s broken (or have the chance to hysterically call IT Support).


🧠 What is a Proactive Remediation?

Alright, real talk: Proactive Remediations are just scheduled PowerShell duos that live in Intune and do your dirty work for you. There’s a detection script (snitch) and a remediation script (cleaner).

  • Detection script: Checks if something’s broken or non-compliant. Think of it like a snitch who tells your boss that you left work 30 minutes early yesterday.
  • Remediation script: Fixes the mess so you don’t have to. Think of it as an MMA fighter that's going to rear-naked-choke that snitch.

They run on a schedule (daily, hourly, whatever you choose) and quietly report back to Endpoint Analytics like good little bots.

But hold up — you’ll need some prerequisites first.

🧰 Prerequisites to Even Use This Thing

  • Devices must be Windows 10/11 Enterprise/Education with at least version 1903. (If your devices are older than 1903, you need therapy my bro... 🧑‍⚕️)
  • Devices must be Azure AD joined or Hybrid Azure AD joined. (But real OGs never Hybrid Join. Cloud only FTW!👨‍🍳)
  • Intune must have Endpoint analytics enabled.
  • You’ll need the Intune Management Extension installed on target devices (it is deployed automatically as soon as you assign a script or an app, or basically just use Intune).
  • Users need an Endpoint Analytics-enabled license (usually part of Microsoft 365 E3/E5).

If you’re missing any of those, Intune will just silently ignore your hard work — or worse, deploy nothing and tell you it succeeded. There are some workarounds to get it running anyway, but those are illegal 😄


🔍 Deeper Into the Script Logic

Behind the scenes, the Intune Management Extension (IME) is the overworked assistant here. It grabs the scripts from the cloud, stashes them locally, and runs them on the device. You can find them hanging out in:

C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts

First up, the detection script runs. If it returns an exit code 0, Intune gives the machine a pat on the back and skips remediation. But if the script returns anything other than zero — be it 1, 187, or 666 — IME lights the signal fire and launches the remediation script.

Yes, you control this logic. It’s like writing your own little compliance check engine.

Example Detection Script:

<#
    Script:       Template-ProactiveDetection.ps1
    Author:       Cloudcook
    Purpose:      Detection Template for using Proactive Remediations
    Date:         2025-04-10

    Notes:
    - Use Detect script to check for problems.
    - Use Remediate script to fix them.
    - Keep detection logic idempotent and fast.
    - Log everything unless you enjoy debugging with a blindfold.
#>

# =======================
# Section: Configuration
# =======================

$BasePath = "C:\ProgramData\cloudcook"
$LogPath = Join-Path -Path $BasePath -ChildPath "Logs\PR-Template.log"
$TempPath = Join-Path -Path $BasePath -ChildPath "Temp"
$ScriptName = "PR-Template"

# =======================
# Section: Folder Setup
# =======================

$RequiredFolders = @(
    $BasePath,
    (Join-Path $BasePath "Logs"),
    $TempPath
)

foreach ($folder in $RequiredFolders) {
    if (-not (Test-Path -Path $folder)) {
        try {
            New-Item -Path $folder -ItemType Directory -Force | Out-Null
        }
        catch {
            Write-Error "Failed to create folder: $folder - $_"
            exit 1
        }
    }
}

# =======================
# Section: Logging
# =======================

function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $LogEntry = "$Timestamp [$Level] $Message"
    Add-Content -Path $LogPath -Value $LogEntry
}

# =======================
# Section: Detection Logic
# =======================
# Exit 0 = Compliant
# Exit 1 = Non-compliant (Remediation will run)

function Test-Compliance {
    Write-Log "Starting compliance check..."

    # EXAMPLE: Check if OneDrive is running
    $OneDrive = Get-Process -Name "OneDrive" -ErrorAction SilentlyContinue
    if ($null -eq $OneDrive) {
        Write-Log "OneDrive not running - non-compliant"
        return $false
    }

    Write-Log "OneDrive is running - compliant"
    return $true
}

# =======================
# Section: Main
# =======================

try {
    $isCompliant = Test-Compliance
    if ($isCompliant) {
        Write-Log "Device is compliant. Exiting with code 0."
        exit 0
    }
    else {
        Write-Log "Device is NOT compliant. Exiting with code 1 to trigger remediation."
        exit 1
    }
}
catch {
    Write-Log "Exception occurred: $_" "ERROR"
    # Exit with 1 to trigger remediation if detection fails
    exit 1
}

Example Remediation Script:

<#
    Script:       Template-ProactiveRemediation.ps1
    Author:       Cloudcook
    Purpose:      Remediation Template for using Proactive Remediations
    Date:         2025-04-10

    Notes:
    - This is the "fixer" script.
    - Keep it safe and *not* destructive unless you're sure.
    - Logs everything to the same folder used by the detection script.
#>

# =======================
# Section: Configuration
# =======================

$BasePath = "C:\ProgramData\cloudcook"
$LogPath = Join-Path -Path $BasePath -ChildPath "Logs\PR-Template.log"
$TempPath = Join-Path -Path $BasePath -ChildPath "Temp"
$ScriptName = "Remediate-PR-Template"

# =======================
# Section: Folder Setup
# =======================

$RequiredFolders = @(
    $BasePath,
    (Join-Path $BasePath "Logs"),
    $TempPath
)

foreach ($folder in $RequiredFolders) {
    if (-not (Test-Path -Path $folder)) {
        try {
            New-Item -Path $folder -ItemType Directory -Force | Out-Null
        }
        catch {
            Write-Error "Failed to create folder: $folder - $_"
            exit 1
        }
    }
}

# =======================
# Section: Logging
# =======================

function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $LogEntry = "$Timestamp [$Level] $Message"
    Add-Content -Path $LogPath -Value $LogEntry
}

# =======================
# Section: Remediation Logic
# =======================

function Invoke-Remediation {
    Write-Log "Starting remediation..."

    try {
        # EXAMPLE: Start OneDrive if it's not running
        $OneDrive = Get-Process -Name "OneDrive" -ErrorAction SilentlyContinue
        if ($null -eq $OneDrive) {
            # OneDrive.exe lives in the user's profile, so $env:LOCALAPPDATA only resolves to it when the
            # package runs in the logged-on user's context; under SYSTEM it points at the systemprofile folder
            $OneDrivePath = "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"
            if (Test-Path $OneDrivePath) {
                Start-Process -FilePath $OneDrivePath -ArgumentList "/background"
                Write-Log "OneDrive started successfully."
            }
            else {
                Write-Log "OneDrive executable not found. Cannot remediate." "WARN"
            }
        }
        else {
            Write-Log "OneDrive already running. No action taken."
        }

        Write-Log "Remediation completed successfully."
        exit 0
    }
    catch {
        Write-Log "Remediation failed: $_" "ERROR"
        exit 1
    }
}

# =======================
# Section: Main
# =======================

Invoke-Remediation

Exit codes = everything. Detection says "problem found" (exit 1+), remediation gets summoned. If remediation fails (non-zero exit), you get a red dot of shame in Endpoint Analytics.


📦 Use Cases: What Can You Actually Fix?

Let’s be honest — this is where Proactive Remediations shines like a sweaty sysadmin under fluorescent lights.

  • 💥 OneDrive not syncing? Check the reg keys and fix the onedrive.exe tantrum.
  • 🐒 Defender AV mysteriously disabled (again)? Yeah, Gary from Finance totally didn’t click “Allow” on that popup.
  • 🧙‍♂️ Old apps creeping back into startup? Hunt them down and wipe their traces.
  • 🔐 BitLocker not turned on? Bring out the encryption stick.
  • 🧹 User installed “PDFConverterUltimateFREE_v7_FINAL_TRUSTME.exe”? Reboot, clean up, and maybe post a passive-aggressive toast message.
  • 🧼 Mysterious Scheduled Tasks? Kill ‘em with fire.
  • 🤦‍♂️ Someone renamed the local admin account to “H4xx0r”? Rename it back and reset the password.

If you want inspiration (or just need to shamelessly copy something to hit your Friday deadline), check out this absolute goldmine: 👉 https://github.com/JayRHa/EndpointAnalyticsRemediationScripts

It’s a community-driven repo with tons of examples — everything from OneDrive shenanigans to toast notifications for local admin usage. Honestly, it’s the Goldmine of PR scripts.


🛠️ How To Build One Like a Pro

  1. Write the detection script
    It’s your scout. Don’t overcomplicate it. Return 0 if all is fine. Return 1 (or anything else) if things are busted.
  2. Write the remediation script
    This is your fixer. Clean up, repair, replace — whatever it takes. Log your actions. Exit 0 if successful.
  3. Test locally
    Seriously, don’t YOLO this into prod. Test on a VM, or that cursed old laptop with 6 antivirus agents still installed.
  4. Deploy via Intune
    Proactive Remediations > Create script package. Upload scripts, assign them to a group, pick a schedule. Done.
  5. Sit back and enjoy fewer tickets
    Because if it works, your users will think you're a wizard. And if it doesn't? Well, hey, logs.
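For step 3, here is a small local test harness, added here as an example and not one of Cloudcook's templates: it replays the IME cycle (detect, remediate on a non-zero exit, detect again) against any detection/remediation pair you point it at, launching a fresh powershell.exe host per script the way IME does and reading $LASTEXITCODE after each one. The script name Test-RemediationPair.ps1, the 32-bit default and the -Use64Bit switch are assumptions that mirror the package's "Run script in 64-bit PowerShell" option.

```powershell
# Test-RemediationPair.ps1 : local dry run of the IME detect -> remediate -> re-detect loop (example harness)
# Run this from an elevated 64-bit PowerShell so the System32 / SysWOW64 host paths below resolve correctly.
param(
    [Parameter(Mandatory)][string]$DetectionScript,
    [Parameter(Mandatory)][string]$RemediationScript,
    [switch]$Use64Bit   # mirrors the package's "Run script in 64-bit PowerShell" setting (default: 32-bit host)
)

# IME starts a separate PowerShell host per script; pick the bitness the package is configured for
$psExe = if ($Use64Bit) {
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
} else {
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
}

function Invoke-PrScript {
    param([string]$Path, [string]$Label)
    # Capture stdout and stderr together; the exit code is what IME actually acts on
    $output = & $psExe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $Path 2>&1
    $code = $LASTEXITCODE
    Write-Host ("[{0}] exit code {1}" -f $Label, $code)
    $output | ForEach-Object { Write-Host ("    {0}" -f $_) }
    return $code
}

$first = Invoke-PrScript -Path $DetectionScript -Label 'detect'
if ($first -eq 0) { Write-Host 'Compliant: remediation would not run.'; exit 0 }

$fix = Invoke-PrScript -Path $RemediationScript -Label 'remediate'
if ($fix -ne 0) { Write-Host 'Remediation returned non-zero: Endpoint analytics would flag this.'; exit 1 }

$second = Invoke-PrScript -Path $DetectionScript -Label 're-detect'
if ($second -ne 0) { Write-Host 'Still non-compliant after remediation: the fix does not satisfy the check.'; exit 1 }

Write-Host 'Detect -> remediate -> detect cycle passed.'
exit 0
```

Usage: .\Test-RemediationPair.ps1 -DetectionScript .\Detect.ps1 -RemediationScript .\Remediate.ps1. The third run is the important one: a remediation that "works" but never makes the detection script return 0 will loop forever on the schedule. Because IME runs packages as SYSTEM unless you tell it otherwise, run the harness under SYSTEM as well (PsExec's -s switch or similar) so the profile and hive surprises listed under Gotchas show up on your VM instead of in production.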

⚠️ Gotchas (Because Nothing's Ever Easy)

  • SYSTEM context means user hives are invisible unless you pull tricks with HKEY_USERS.
  • The logs live in IntuneManagementExtension.log — and they’re about as readable as Chinese poetry without CMTrace.
  • Detection doesn’t pass output to remediation. If you need data passed between them, you better write to a temp file or registry.
  • No version control. Seriously, back your scripts up. Git is your friend. Learn it, love it, stop overwriting your own work.
  • Some devices just won’t run scripts because reasons. Try not to scream.
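The first and third gotchas together, as an added example (not from the Cloudcook templates or the linked repo): a detection/remediation pair that runs as SYSTEM, resolves the logged-on user's SID, reads that user's Run key through HKEY_USERS instead of HKCU, and hands its findings to the remediation script through a JSON file under the Temp folder, because IME does not forward detection output. It implements the "old apps creeping back into startup" use case above; the allowlist patterns, the file name RunKeyFindings.json and both script names are constructed for the example.

```powershell
# ---------- Detect-UserRunKey.ps1 (package setting: run as SYSTEM, not with logged-on credentials) ----------
# Under SYSTEM, HKCU is SYSTEM's own hive; the user's hive is reachable as HKEY_USERS\<SID> while it is loaded.
$StatePath = 'C:\ProgramData\cloudcook\Temp\RunKeyFindings.json'   # hand-off file read by the remediation script
$Allowed   = @('OneDrive', 'MicrosoftEdgeAutoLaunch_*')             # constructed allowlist for this example (assumption)

function Get-LoggedOnUserSid {
    # Win32_ComputerSystem.UserName is the console user as DOMAIN\user (or AzureAD\user); null when nobody is logged on
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $name) { return $null }
    ([System.Security.Principal.NTAccount]$name).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$sid = Get-LoggedOnUserSid
if (-not $sid) { Write-Output 'No interactive user; nothing to check'; exit 0 }

$runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
if (-not (Test-Path -Path $runKey)) { Write-Output 'User has no Run key'; exit 0 }

# GetValueNames() instead of Get-ItemProperty: the latter adds PS* metadata properties a value named "PS..." could hide behind
$key = Get-Item -Path $runKey
$offenders = foreach ($name in $key.GetValueNames()) {
    if ($name -eq '') { continue }   # skip the key's (Default) value
    $permitted = $false
    foreach ($pattern in $Allowed) { if ($name -like $pattern) { $permitted = $true; break } }
    if (-not $permitted) { [pscustomobject]@{ Name = $name; Command = $key.GetValue($name) } }
}

if (-not $offenders) { Write-Output 'Run key contains only allowed entries'; exit 0 }

# IME does not pass detection output to remediation, so persist the findings (and the SID) for it
New-Item -ItemType Directory -Path (Split-Path -Path $StatePath) -Force | Out-Null
@{ Sid = $sid; Offenders = @($offenders) } | ConvertTo-Json -Depth 3 | Set-Content -Path $StatePath -Encoding UTF8
Write-Output "$(@($offenders).Count) unexpected Run entries for $sid"
exit 1

# ---------- Remediate-UserRunKey.ps1 (same package; IME runs it after the non-zero detection exit) ----------
$StatePath = 'C:\ProgramData\cloudcook\Temp\RunKeyFindings.json'
if (-not (Test-Path -Path $StatePath)) { Write-Output 'No findings file from detection; nothing to act on'; exit 1 }

$state  = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
$runKey = "Registry::HKEY_USERS\$($state.Sid)\Software\Microsoft\Windows\CurrentVersion\Run"
$failed = 0
foreach ($entry in @($state.Offenders)) {
    try {
        Remove-ItemProperty -Path $runKey -Name $entry.Name -ErrorAction Stop
        Write-Output "Removed Run entry '$($entry.Name)' -> $($entry.Command)"
    }
    catch {
        Write-Output "Could not remove '$($entry.Name)': $_"   # e.g. the user logged off and the hive was unloaded
        $failed++
    }
}
# Consume the hand-off so a stale file never drives a later run
Remove-Item -Path $StatePath -Force -ErrorAction SilentlyContinue
if ($failed -gt 0) { exit 1 }
exit 0
```

Save the two halves as separate .ps1 files and upload them as one script package. The Write-Output lines matter: IME captures them as the detection and remediation output you see per device in the report, which is the cheapest way to know what was removed and why.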

💡 Pro Tip from Cloudcook

Give your scripts funny, memorable names. FixSync.ps1? Boring. YouShallNotDesync.ps1? Chef’s kiss.

And always log. Cloudcook drops everything into C:\ProgramData\Cloudcook\Logs\, because future-you deserves breadcrumbs when things go sideways.


Conclusion

Proactive Remediations are like silent assassins with PowerShell swords — fixing junk in the background so your users don’t have to open a ticket (or worse, call you).

It’s not rocket science. It’s just good scripting, smart logic, and a bit of Intune elbow grease. Once you get into the flow — detect, exit, remediate, exit, repeat — it’s weirdly satisfying.

So next time a user breaks something dumb, remember: you can fix it once, or write a remediation and never hear about it again.

Automation isn’t laziness. It’s sysadmin enlightenment.

And for once… Intune isn’t the enemy.👹