Intune scripts and proactive remediations
How Intune runs PowerShell scripts and proactive remediations on managed Windows devices.
Beyond configuration profiles and app deployments, Intune can run arbitrary PowerShell scripts on managed Windows devices for one-off actions and ongoing remediation. Two distinct features handle different use cases: Platform scripts for one-time execution, and Remediations (launched as Proactive remediations under Endpoint analytics, and still widely called that) for recurring detect-and-fix scenarios. Both are delivered and executed by the Intune Management Extension (IME) agent on the device, and both run as SYSTEM by default.
Platform scripts
A platform script is a PowerShell script that Intune deploys to assigned devices and runs once:
- Run in system context (most common) or user context.
- 64-bit or 32-bit PowerShell host.
- Enforce signature for security.
- Automatic retry on failure: if the script exits non-zero or throws an unhandled error, the IME agent retries it on the next three check-ins. The retry count is fixed, not configurable.
Use cases for platform scripts:
- One-off configuration that isn't in the built-in policy catalogue.
- Bootstrap actions for new devices (install LOB tools, register with monitoring).
- Migration scripts during major Windows or app upgrades.
- Removal scripts to clean up legacy artifacts.
Platform scripts are fire-and-forget: once a script has succeeded on a device, Intune does not run it again, even if the device later drifts back to the state the script fixed. It re-runs only if you change the script content or remove and re-add the assignment. When a setting has to be enforced continuously, use a remediation instead.
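Because a platform script runs exactly once and you cannot tune its retry behaviour, the script itself has to be defensive: run in the right PowerShell host, leave a log behind, and be harmless if it is ever re-deployed. The skeleton below is an added example written for this page, not a script from Microsoft or from the original text. It implements the "removal script" use case: the log folder, marker file and the scheduled-task name are illustrative assumptions.

```powershell
# Added example (not from the original page): a platform-script skeleton that
# (1) relaunches itself in 64-bit PowerShell if Intune started it in the 32-bit host,
# (2) writes a transcript under ProgramData for later forensics, and
# (3) uses a marker file so re-running the script (e.g. after re-assignment) is harmless.
# $LogDir, $Marker and $TaskName are illustrative assumptions, not real Intune names.

$LogDir   = 'C:\ProgramData\Contoso\IntuneScripts'   # assumed log location
$Marker   = Join-Path $LogDir 'remove-legacy-agent.done'
$TaskName = 'LegacyAgentUpdater'                      # hypothetical scheduled task to remove

# Intune runs scripts in the 32-bit host unless "Run script in 64-bit PowerShell host" is Yes.
# On a 64-bit OS, relaunch through the SysNative alias so we see the real 64-bit registry and paths.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = "$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE          # propagate the child's result so IME records the right outcome
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logFile = Join-Path $LogDir "remove-legacy-agent-$(Get-Date -Format yyyyMMdd-HHmmss).log"
Start-Transcript -Path $logFile -Force | Out-Null

try {
    # Idempotency guard: a second run (script edited, assignment re-added) is a no-op.
    if (Test-Path $Marker) {
        Write-Output "Already completed on $((Get-Item $Marker).LastWriteTime); nothing to do."
        exit 0
    }

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Write-Output "Removed scheduled task '$TaskName'."
    }
    else {
        Write-Output "Scheduled task '$TaskName' not present; skipping."
    }

    Set-Content -Path $Marker -Value (Get-Date -Format o)
    exit 0                      # 0 = success; IME will not run this script again
}
catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 1                      # non-zero = failure; IME records it and retries on later check-ins
}
finally {
    Stop-Transcript -ErrorAction SilentlyContinue | Out-Null
}
```

The 64-bit relaunch is only needed when "Run script in 64-bit PowerShell host" is left at its default of No; it is included because that default is easy to forget and the script would otherwise read and write the WOW6432Node view of the registry. The transcript lands on the device alongside the IME agent's own logs and is the first thing to pull when a one-off script misbehaves on a single machine.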
Proactive remediations
Remediations (also called remediation scripts or, by their original name, proactive remediations) are script packages: a pair of PowerShell scripts that Intune runs on a schedule:
- A detection script, which exits 0 when the condition is healthy and non-zero (by convention 1) when remediation is needed. Whatever the script writes to standard output is captured in the report, so emit a one-line reason.
- A remediation script, which runs only when detection exits non-zero, and fixes the condition. When it finishes, Intune runs the detection script again to confirm the fix and records both the pre- and post-remediation detection output.
Intune runs the package on the configured schedule (once, hourly, or daily with a repeat interval in days) and reports outcomes under Devices > Scripts and remediations and in the Endpoint analytics reports. Use cases:
- Ensure a service is running — detect if stopped, remediate by starting.
- Ensure a registry value is set — detect if missing, remediate by setting.
- Clean up temp files if they exceed N GB.
- Re-register a device with a monitoring agent if registration lapsed.
- Custom compliance checks that feed back to compliance policies.
Microsoft also ships a small set of ready-made script packages for common scenarios (for example, updating stale Group Policy, restarting the Office Click-to-Run service, and checking network certificates). Review any pre-built package before assigning it, as you would any code that is about to run as SYSTEM on every targeted device.
Writing remediation pairs
A trivial example: ensure the Windows Time service is running. The detection must exit 0 or 1 on every path (including "service not installed"), and the remediation should verify its own work rather than assuming Start-Service succeeded:
# Detection
try {
    $svc = Get-Service -Name W32Time -ErrorAction Stop
} catch {
    Write-Output 'W32Time service not found'; exit 1
}
if ($svc.Status -eq 'Running') { Write-Output 'Running'; exit 0 }
Write-Output "Status is $($svc.Status)"; exit 1
# Remediation (runs only when detection exited non-zero)
Set-Service -Name W32Time -StartupType Automatic   # set the start type first so the fix survives a reboot
Start-Service -Name W32Time
if ((Get-Service -Name W32Time).Status -eq 'Running') { exit 0 } else { exit 1 }
Intune runs the detection on schedule; when it exits non-zero, the remediation runs and the detection runs once more to verify. The detection script runs on every healthy device as well, so keep it fast, read-only and free of side effects; all changes belong in the remediation script.
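The service example above is the simplest case. The registry use case from the list above adds two things worth seeing in code: a detection that explains itself in the report output, and the 32-bit/64-bit host trap, where a script that reads and writes HKLM\SOFTWARE from the default 32-bit host is silently redirected to WOW6432Node and reports "compliant" against the wrong hive. The pair below is an added example written for this page, not Microsoft's or the original author's code. The registry path, value name and expected value are illustrative assumptions; in Intune each half is uploaded as a separate file, shown here in one block for reading.

```powershell
# ===== Detect-TelemetryLevel.ps1 (added example; upload as the detection script) =====
# Assumption for illustration: HKLM:\SOFTWARE\Contoso\Agent\TelemetryLevel must be DWORD 2.
# Exit 0 = healthy, exit 1 = remediate. Everything written to stdout is captured in the
# remediation report as "pre-/post-remediation detection output".
$Path = 'HKLM:\SOFTWARE\Contoso\Agent'
$Name = 'TelemetryLevel'
$Want = 2

# Guard against the default 32-bit host: from there HKLM\SOFTWARE is redirected to
# WOW6432Node, so a "compliant" result would be about the wrong hive. Fail loudly instead,
# which shows up in the report as a misconfigured package rather than a false pass.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    Write-Output 'Running in 32-bit host; enable "Run script in 64-bit PowerShell" on the package'
    exit 1
}

try {
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
}
catch {
    Write-Output "Value $Path\$Name is missing"
    exit 1
}

if ($current -eq $Want) {
    Write-Output "Compliant: $Name=$current"
    exit 0
}
Write-Output "Drift: $Name=$current (expected $Want)"
exit 1

# ===== Remediate-TelemetryLevel.ps1 (added example; upload as the remediation script) =====
# Runs only when detection exited non-zero. Idempotent: creating the key and forcing the
# value are both safe to repeat, and the readback turns a silent write failure into exit 1.
$Path = 'HKLM:\SOFTWARE\Contoso\Agent'
$Name = 'TelemetryLevel'
$Want = 2

try {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Want -PropertyType DWord -Force | Out-Null

    # Verify the write before claiming success; Intune will also re-run detection afterwards.
    $now = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($now -ne $Want) { throw "Readback returned $now, expected $Want" }

    Write-Output "Set $Path\$Name=$Want"
    exit 0
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The 32-bit guard is deliberately placed in the detection script only: if the package is misconfigured, every device fails detection with the same explanatory line in the report, and the remediation (which would write to the wrong hive) never runs. Once "Run script in 64-bit PowerShell" is switched on for the package, the guard is inert.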
Reporting
The Endpoint Analytics dashboard reports:
- How many devices match the detection condition (healthy vs needs-fix).
- Remediation success rate.
- Trend over time.
- Per-device drill-down for troubleshooting.
This is the right surface for understanding fleet health on specific dimensions — far better than ad-hoc PowerShell across the estate.
Operational considerations
- Test scripts thoroughly and roll out to a pilot group first: a remediation that runs across thousands of devices as SYSTEM can do real damage if buggy.
- Sign your scripts and turn on "Enforce script signature check" on the script or package; the check uses the device's own certificate store, so the signing chain must already be trusted on the endpoint (deploy an internal CA's root with a trusted certificate profile).
- Use exit codes consistently: 0 for success, non-zero (conventionally 1) for failure; the agent reads these, and a script that throws an unhandled error also ends non-zero.
- Run in the 64-bit host when you touch the registry or the file system: the default 32-bit host redirects HKLM\SOFTWARE to WOW6432Node and System32 to SysWOW64, so a script can "succeed" while writing to the wrong place.
- Log to a local file as well as the exit code, and know where the agent's own logs live: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (IntuneManagementExtension.log for policy delivery, AgentExecutor.log for script execution). Together they are what you need for forensics on rare failures.
- Be idempotent: remediation should be safe to run many times and on devices that are already fixed.
- Treat script authoring as a privileged operation: anyone who can create or edit a script in Intune has SYSTEM code execution on every assigned device. Restrict the Intune roles that grant it, require MFA and just-in-time elevation for those accounts, and review the Intune audit log for script changes.
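Signing is the one item above that is easy to get subtly wrong: a signature that looks fine on the admin's workstation can be rejected on devices that do not trust the issuing CA, and a signature without a timestamp stops validating when the certificate expires. The helper below is an added example written for this page, not Microsoft's or the original author's tooling. It assumes a code-signing certificate is already present in the machine's personal store (the thumbprint is a placeholder) and that the device can reach the timestamp service; the timestamp URL is only an example.

```powershell
# Added example (not from the original page): sign a script for Intune's
# "Enforce script signature check" and verify the result before uploading.
# Assumptions: a code-signing certificate with private key sits in Cert:\LocalMachine\My;
# $Thumbprint is a placeholder; the timestamp URL is an example, swap in your own.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $Thumbprint = '0000000000000000000000000000000000000000'   # placeholder
)

# Only certificates with the Code Signing EKU are candidates; a web-server cert will not do.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    throw "Code-signing certificate $Thumbprint not found in LocalMachine\My or not valid for code signing"
}

# Timestamping keeps the signature valid after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify the way the device will: the chain must resolve to a root this machine trusts.
# Run the same check on a pilot device to confirm the chain is trusted there too.
$check = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File      = $Path
    Status    = $check.Status                           # expect 'Valid'
    Signer    = $check.SignerCertificate.Subject
    NotAfter  = $check.SignerCertificate.NotAfter
    Timestamp = $check.TimeStamperCertificate.Subject   # empty if timestamping failed
}
```

A Status of UnknownError or NotTrusted from Get-AuthenticodeSignature on a pilot device means the signing chain is not in that device's store, and the script will be rejected on every device once the signature check is enforced; fix the trust deployment before turning the check on, rather than loosening the check.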
Licensing
Platform scripts are included with any Intune license (Microsoft 365 Business Premium, E3, E5, F3, or standalone Intune). Remediations carry a separate requirement inherited from Endpoint analytics: the device needs an Endpoint analytics-eligible license such as Windows Enterprise E3/E5 or Education A3/A5, which Microsoft 365 E3/E5 include. Check the current Microsoft licensing documentation before planning an estate around remediations, since the requirement is driven by the Windows license, not the Intune one.
For Intune-managed estates, scripts and remediations are how you handle the long tail of operational scenarios that don't fit cleanly into configuration profiles.