Intune remediation is all about using Microsoft Intune to automatically find and fix common issues on managed devices. It works through remediation scripts, which include a detection script to spot problems and a remediation script to solve them. These scripts keep devices compliant and secure by tackling issues proactively, often before users even realize something’s wrong. With Intune remediation, IT admins can cut down on support calls and create a smoother, safer IT environment. Under the hood, each detection script signals compliance to Intune through its exit code — 0 means compliant and the remediation is skipped, 1 means non-compliant and the paired remediation script runs — and by default both scripts run non-interactively in the SYSTEM context, so they must not prompt for confirmation or depend on the logged-on user's profile.
1 – SMB v1 disabling:
Detection script:
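# Detection: the SMBv1 server protocol must be disabled.
# Exit 0 = compliant (Intune skips remediation), exit 1 = non-compliant (Intune runs it).
# Only the SMB *server* side is checked here; the SMB1 client component is a separate
# Windows optional feature and is not covered by this script.
try {
    # -ErrorAction Stop turns a failed query into a terminating error so a device whose
    # state could not be read is never reported as compliant.
    $smb1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
}
catch {
    Write-Host "Unable to read SMB server configuration: $($_.Exception.Message)"
    exit 1
}

if ($smb1Enabled -eq $false) {
    Write-Host "SMBv1 is disabled"
    exit 0
}

Write-Host "SMBv1 is enabled"
exit 1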
Remediation script:
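# Remediation: disable the SMBv1 server protocol.
# Exit 0 = applied, exit 1 = failed.
# -Force suppresses the confirmation prompt Set-SmbServerConfiguration raises by default;
# without it the non-interactive Intune run fails instead of applying the change.
try {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
    Write-Host "SMBv1 has been disabled"
    exit 0
}
catch {
    Write-Host "Failed to disable SMBv1: $($_.Exception.Message)"
    exit 1
}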
2 – IPv6 disabling:
Detection script:
# Detection: IPv6 counts as "disabled" only when DisabledComponents is exactly 0xFF.
# Exit 0 = compliant, exit 1 = non-compliant. A missing key/value or a read error is
# reported as non-compliant so that remediation runs.
# NOTE(review): Microsoft does not recommend fully disabling IPv6 (0xFF) on current
# Windows builds; confirm this baseline is intentional before deploying it broadly.
$tcpip6Params = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$valueName    = "DisabledComponents"
$disabledAll  = 255   # 0xFF: every IPv6 component disabled

try {
    $item    = Get-ItemProperty -Path $tcpip6Params -Name $valueName -ErrorAction SilentlyContinue
    $current = $null
    if ($null -ne $item) {
        $current = $item.$valueName
    }

    if ($current -eq $disabledAll) {
        Write-Output "IPv6 is disabled"
        exit 0
    }

    Write-Output "IPv6 is Enabled"
    exit 1
}
catch {
    Write-Output "IPv6 is Enabled"
    exit 1
}
Remediation script:
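# Remediation: disable all IPv6 components by setting DisabledComponents to 0xFF.
# Exit 0 = applied (a restart is required to take effect), exit 1 = failed.
# NOTE(review): Microsoft does not recommend fully disabling IPv6, and 0xFF is documented
# to add a boot delay on some builds. Confirm this is the intended baseline.
$tcpip6Params = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$valueName    = "DisabledComponents"
$disabledAll  = 255   # 0xFF

try {
    if (-not (Test-Path -Path $tcpip6Params)) {
        New-Item -Path $tcpip6Params -Force -ErrorAction Stop | Out-Null
    }

    # -Type DWord pins the registry kind explicitly instead of inheriting whatever type a
    # pre-existing value happens to have; -ErrorAction Stop makes failures reach the catch.
    Set-ItemProperty -Path $tcpip6Params -Name $valueName -Value $disabledAll -Type DWord -Force -ErrorAction Stop
    Write-Output "IPv6 has been disabled. A system restart may be required."
    exit 0
}
catch {
    # Write-Output (not Write-Error) so the failure text lands in the stdout Intune reports.
    Write-Output "Failed to disable IPv6: $($_.Exception.Message)"
    exit 1
}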
3 – Credential Guard enabling :
Detection script:
# Detection: Credential Guard must be both configured and running.
# In Win32_DeviceGuard, service id 1 in SecurityServicesConfigured / SecurityServicesRunning
# denotes Credential Guard (2 is HVCI). Exit 0 = compliant, exit 1 = non-compliant.
$CREDENTIAL_GUARD = 1
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

$configured = $dg.SecurityServicesConfigured -contains $CREDENTIAL_GUARD
$running    = $dg.SecurityServicesRunning    -contains $CREDENTIAL_GUARD

if (-not ($configured -and $running)) {
    Write-Output "Credential Guard is not enabled."
    exit 1
}

Write-Output "Credential Guard is enabled."
exit 0
Remediation script:
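# Remediation: turn on Virtualization-Based Security and Credential Guard.
# Exit 0 = registry applied (a restart is required before Credential Guard runs),
# exit 1 = failed.
# NOTE(review): LsaCfgFlags = 1 enables Credential Guard *with UEFI lock*; it can then
# not be turned off remotely (physical presence is required). Use 2 if you need to be
# able to roll back by policy. RequirePlatformSecurityFeatures = 1 requires Secure Boot
# only; 3 additionally requires DMA protection.
$deviceGuardKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$lsaKey         = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"

try {
    if (-not (Test-Path -Path $deviceGuardKey)) {
        New-Item -Path $deviceGuardKey -Force -ErrorAction Stop | Out-Null
    }

    # -Type DWord pins the registry kind; -ErrorAction Stop makes a failed write reach the catch.
    Set-ItemProperty -Path $deviceGuardKey -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord -Force -ErrorAction Stop
    Set-ItemProperty -Path $deviceGuardKey -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord -Force -ErrorAction Stop
    Set-ItemProperty -Path $lsaKey -Name "LsaCfgFlags" -Value 1 -Type DWord -Force -ErrorAction Stop

    Write-Output "Credential Guard has been enabled."
    exit 0
}
catch {
    Write-Output "Failed to enable Credential Guard: $($_.Exception.Message)"
    exit 1
}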
4 – Device Guard enabling :
Detection script:
# Detection: Hypervisor-protected Code Integrity (HVCI, "Memory integrity") must be
# configured and running. In Win32_DeviceGuard, service id 2 in
# SecurityServicesConfigured / SecurityServicesRunning denotes HVCI (1 is Credential
# Guard); this is the VBS feature the page refers to as "Device Guard".
# Exit 0 = compliant, exit 1 = non-compliant.
$HVCI = 2
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

$configured = $dg.SecurityServicesConfigured -contains $HVCI
$running    = $dg.SecurityServicesRunning    -contains $HVCI

if ($configured -and $running) {
    Write-Output "Device Guard is enabled."
    exit 0
}

Write-Output "Device Guard is not enabled."
exit 1
Remediation script:
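# Remediation: enable Virtualization-Based Security and HVCI (Memory integrity).
# The paired detection script checks Win32_DeviceGuard service id 2 (HVCI). Enabling
# VBS alone does not start HVCI, so the Scenarios\HypervisorEnforcedCodeIntegrity value
# is set too; without it the device stays non-compliant after every remediation run.
# Exit 0 = registry applied (restart required), exit 1 = failed.
# RequirePlatformSecurityFeatures = 1 requires Secure Boot; 3 adds DMA protection.
$deviceGuardKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$hvciKey        = "$deviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity"

try {
    foreach ($key in @($deviceGuardKey, $hvciKey)) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force -ErrorAction Stop | Out-Null
        }
    }

    Set-ItemProperty -Path $deviceGuardKey -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord -Force -ErrorAction Stop
    Set-ItemProperty -Path $deviceGuardKey -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord -Force -ErrorAction Stop
    # Enabled = 1 turns HVCI on. "Locked" is deliberately left unset so the setting can
    # still be changed by policy; set Locked = 1 only if UEFI lock is intended.
    Set-ItemProperty -Path $hvciKey -Name "Enabled" -Value 1 -Type DWord -Force -ErrorAction Stop

    Write-Output "Device Guard has been enabled."
    exit 0
}
catch {
    Write-Output "Failed to enable Device Guard: $($_.Exception.Message)"
    exit 1
}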
5 – Windows Firewall enabling :
Detection script:
# Detection: Windows Firewall must be enabled on the Domain, Private and Public profiles.
# The first disabled profile is named in the output and the script exits 1
# (non-compliant); exit 0 means all three profiles are enabled.
$requiredProfiles = @("Domain", "Public", "Private")

# $PROFILE is an automatic variable, so the loop variable is named differently here.
$disabledProfile = Get-NetFirewallProfile -Profile $requiredProfiles |
    Where-Object { $_.Enabled -eq $false } |
    Select-Object -First 1

if ($null -ne $disabledProfile) {
    Write-Output "Firewall is disabled for profile: $($disabledProfile.Name)"
    exit 1
}

Write-Output "Firewall is enabled for all profiles."
exit 0
Remediation script:
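# Remediation: enable Windows Firewall on all three profiles.
# Exit 0 = applied, exit 1 = failed. -ErrorAction Stop is required: cmdlet errors are
# non-terminating by default and would otherwise be missed entirely.
try {
    Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True -ErrorAction Stop
    Write-Output "Firewall has been enabled for all profiles."
    exit 0
}
catch {
    Write-Output "Failed to enable the firewall: $($_.Exception.Message)"
    exit 1
}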
6 – Perform disk cleanup if Low disk space detected :
Detection script:
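# Detection: the system volume must have at least 10 GB free.
# Exit 1 (non-compliant) triggers the disk-cleanup remediation; exit 0 = compliant.
# The drive letter is taken from $env:SystemDrive instead of a hard-coded "C" so the
# check also works on images where Windows is installed on another letter.
$minimumFreeBytes = 10GB
$systemDrive      = ($env:SystemDrive).TrimEnd(':')

$freeBytes = (Get-PSDrive -Name $systemDrive).Free
if ($freeBytes -lt $minimumFreeBytes) {
    Write-Output "Low disk space"
    exit 1
}

Write-Output "Sufficient disk space"
exit 0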
Remediation script:
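# Remediation: run Disk Cleanup (cleanmgr.exe) with the /sagerun:1 profile.
# Exit 0 = cleanup ran, exit 1 = failed.
# cleanmgr /sagerun:N only processes handlers whose StateFlags000N value is 2 under
# HKLM:\...\Explorer\VolumeCaches. On a device where /sageset:1 was never run that
# value does not exist and /sagerun:1 silently cleans nothing, so a conservative set of
# handlers is selected first. "DownloadsFolder" is deliberately NOT in the list: it
# deletes the contents of the user's Downloads folder.
$volumeCaches = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches"
$handlers = @(
    "Temporary Files",
    "Temporary Setup Files",
    "Update Cleanup",
    "Delivery Optimization Files",
    "Windows Error Reporting Files",
    "Thumbnail Cache"
)

try {
    foreach ($handler in $handlers) {
        $handlerKey = Join-Path -Path $volumeCaches -ChildPath $handler
        # Handlers differ between Windows builds; skip the ones this device does not have.
        if (Test-Path -Path $handlerKey) {
            Set-ItemProperty -Path $handlerKey -Name "StateFlags0001" -Value 2 -Type DWord -Force -ErrorAction Stop
        }
    }

    $proc = Start-Process -FilePath "cleanmgr.exe" -ArgumentList "/sagerun:1" -Wait -PassThru -ErrorAction Stop
    if ($proc.ExitCode -ne 0) {
        Write-Output "Disk cleanup exited with code $($proc.ExitCode)"
        exit 1
    }

    Write-Output "Disk cleanup performed"
    exit 0
}
catch {
    Write-Output "Disk cleanup failed: $($_.Exception.Message)"
    exit 1
}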
7 – UAC enabling :
Detection script:
# Detection: User Account Control must be enabled (EnableLUA = 1).
# A missing value is reported as non-compliant so the remediation creates it explicitly
# instead of trusting the OS default. Exit 0 = compliant, exit 1 = non-compliant.
# NOTE(review): EnableLUA alone does not capture the whole UAC posture (for example
# ConsentPromptBehaviorAdmin = 0 elevates without prompting); extend the check if that
# matters for your baseline.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = Get-ItemPropertyValue -Path $policyKey -Name 'EnableLUA' -ErrorAction SilentlyContinue

if ($null -eq $enableLua) {
    Write-Output "UAC status: NotConfigured"
    exit 1
}

if ($enableLua -eq 0) {
    Write-Output "UAC status: Disabled"
    exit 1
}

Write-Output "UAC status: Enabled"
exit 0
Remediation script:
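# Remediation: enable User Account Control by setting EnableLUA = 1.
# Exit 0 = UAC enabled (or already enabled), exit 1 = failed.
# A change to EnableLUA only takes effect after the device restarts.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

try {
    $enableLua = Get-ItemPropertyValue -Path $policyKey -Name 'EnableLUA' -ErrorAction SilentlyContinue

    if ($null -eq $enableLua -or $enableLua -eq 0) {
        # -Type DWord creates the value with the expected registry kind when it is missing;
        # -ErrorAction Stop makes a failed write reach the catch instead of being ignored.
        Set-ItemProperty -Path $policyKey -Name 'EnableLUA' -Value 1 -Type DWord -Force -ErrorAction Stop
        Write-Output "UAC has been enabled."
    }
    else {
        Write-Output "UAC is already enabled."
    }
    exit 0
}
catch {
    Write-Output "Failed to enable UAC: $($_.Exception.Message)"
    exit 1
}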
8 – WDAC enabling :
Detection script:
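# Detection: a Windows Defender Application Control (WDAC) policy must be enforced.
# Win32_DeviceGuard exposes the policy state directly:
#   CodeIntegrityPolicyEnforcementStatus          (kernel-mode)  0 = Off, 1 = Audit, 2 = Enforced
#   UsermodeCodeIntegrityPolicyEnforcementStatus  (user-mode)    same values
# The SecurityServices* arrays the original checked describe VBS services (2 = HVCI),
# not WDAC, so they cannot tell whether an application control policy is applied.
# Exit 0 = compliant (enforced), exit 1 = non-compliant (off, audit only, or unreadable).
# NOTE(review): requiring user-mode enforcement as well assumes your policy enables
# UMCI; relax the check if you deploy kernel-only policies.
$ENFORCED = 2

try {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction Stop
}
catch {
    Write-Output "WDAC is not enabled."
    exit 1
}

$kernelStatus = $dg.CodeIntegrityPolicyEnforcementStatus
$userStatus   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus

if ($kernelStatus -eq $ENFORCED -and $userStatus -eq $ENFORCED) {
    Write-Output "WDAC is enabled."
    exit 0
}

Write-Output "WDAC is not enabled."
exit 1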
Remediation script:
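# Remediation: apply (or refresh) a WDAC policy binary with CiTool.
# Exit 0 = policy accepted by CiTool, exit 1 = failed. A restart may be needed before a
# newly enforced policy takes effect.
#
# Deployment notes:
#  * $policyBinaryPath must point to a file that exists on the device and is readable by
#    the account the remediation runs as (SYSTEM by default). Remediation scripts cannot
#    carry files, so stage the .cip separately (for example with a Win32 app).
#  * CiTool.exe ships with Windows 11 22H2 and later; the script fails explicitly on
#    builds that do not have it rather than reporting success.
#  * CiTool --update-policy places the binary under CodeIntegrity\CiPolicies\Active with
#    its {PolicyGUID}.cip name itself. The original script's Copy-Item of "Policy.cip"
#    into that folder was redundant, and a file not named by policy GUID is not loaded.
$policyBinaryPath = "C:\Path\To\Your\Policy.cip"
$ciTool = Join-Path -Path $env:windir -ChildPath "System32\CiTool.exe"

if (-not (Test-Path -Path $policyBinaryPath -PathType Leaf)) {
    Write-Output "WDAC policy binary not found: $policyBinaryPath"
    exit 1
}
if (-not (Test-Path -Path $ciTool -PathType Leaf)) {
    Write-Output "CiTool.exe not found at $ciTool; this Windows build cannot apply the policy this way."
    exit 1
}

# Call CiTool directly instead of via a nested powershell.exe so its exit code is visible.
& $ciTool --update-policy $policyBinaryPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "CiTool failed to apply the WDAC policy (exit code $LASTEXITCODE)."
    exit 1
}

Write-Output "WDAC policy has been applied. A system reboot is required for changes to take effect."
exit 0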
9 – Fixing Time zone :
Detection script:
# Detection: the device time zone must match $requiredTimeZone (a Windows time zone Id
# as listed by Get-TimeZone -ListAvailable). Exit 0 = compliant, exit 1 = mismatch.
$requiredTimeZone = "Pacific Standard Time"
$actualTimeZone   = (Get-TimeZone).Id

if ($actualTimeZone -eq $requiredTimeZone) {
    Write-Output "Time zone is correct: $actualTimeZone"
    exit 0
}

Write-Output "Incorrect time zone: $actualTimeZone"
exit 1
Remediation script:
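# Remediation: set the Windows time zone to $requiredTimeZone.
# Exit 0 = applied, exit 1 = failed (for example when the Id is not a valid Windows
# time zone). Without -ErrorAction Stop a failed Set-TimeZone would still be followed
# by the success message.
$requiredTimeZone = "Pacific Standard Time"

try {
    Set-TimeZone -Id $requiredTimeZone -ErrorAction Stop
    Write-Output "Time zone has been set to: $requiredTimeZone"
    exit 0
}
catch {
    Write-Output "Failed to set time zone: $($_.Exception.Message)"
    exit 1
}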
10 – Enabling Defender real time protection :
Detection script:
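# Detection: Microsoft Defender real-time protection must be on.
# Exit 0 = compliant, exit 1 = non-compliant (or Defender status unreadable).
# RealTimeProtectionEnabled is a [bool]; compare it with $true, not the string "True".
# A bool compared against any non-empty string coerces the string to $true, so the
# original comparison only worked by accident and would break for "False".
# NOTE(review): a device running a third-party AV has Defender in passive mode and
# reports real-time protection as off by design; exclude such devices or this
# remediation will fight the other product.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
}
catch {
    Write-Output "Device Non-Compliant"
    exit 1
}

if ($status.RealTimeProtectionEnabled -eq $true) {
    Write-Output "Device Compliant"
    exit 0
}

Write-Output "Device Non-Compliant"
exit 1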
Remediation script:
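# Remediation: turn Defender real-time protection back on.
# Exit 0 = applied, exit 1 = failed.
# Set-MpPreference reports errors as non-terminating by default, so without
# -ErrorAction Stop the catch block never fires and a failure is reported as
# "Device Remediated".
try {
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
    Write-Output "Device Remediated"
    exit 0
}
catch {
    Write-Output "Remediation Failed"
    exit 1
}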
11 – Enabling Defender network protection :
Detection script:
# Detection: Defender network protection must be enabled.
# EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = Audit mode. Only 1 is
# compliant; audit mode logs but does not block, so it is reported as disabled.
# Exit 0 = compliant, exit 1 = non-compliant.
$ENABLED = 1
$mode = (Get-MpPreference).EnableNetworkProtection

if ($mode -ne $ENABLED) {
    Write-Output "Network protection is disabled."
    exit 1
}

Write-Output "Network protection is enabled."
exit 0
Remediation script:
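# Remediation: turn on Defender network protection in block mode.
# Exit 0 = applied, exit 1 = failed. The original exited 0 unconditionally, so a failed
# Set-MpPreference (for example when the setting is managed elsewhere) was reported
# as a successful remediation.
try {
    Set-MpPreference -EnableNetworkProtection Enabled -ErrorAction Stop
    Write-Output "Network protection has been enabled."
    exit 0
}
catch {
    Write-Output "Failed to enable network protection: $($_.Exception.Message)"
    exit 1
}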
12 – Enabling Defender exploit protection :
Detection script:
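# Detection: system-wide Exploit Protection mitigations must be applied.
# Exit 0 = compliant, exit 1 = non-compliant.
# Get-MpPreference has no "ExploitProtection" property, so the original check always
# evaluated $null and reported every device non-compliant. Exploit Protection is
# managed through the ProcessMitigations module: Get-ProcessMitigation -System returns
# the system default mitigations, each reported as ON / OFF / NOTSET.
# NOTE(review): the set below (DEP, SEHOP, bottom-up and high-entropy ASLR) is a
# conservative baseline; keep it aligned with the remediation script and with your own
# policy, and confirm the ON/OFF strings on a reference device before rollout.
try {
    $system = Get-ProcessMitigation -System -ErrorAction Stop
}
catch {
    Write-Output "Exploit protection settings are not applied."
    exit 1
}

$required = @(
    $system.Dep.Enable,
    $system.SEHOP.Enable,
    $system.Aslr.BottomUp,
    $system.Aslr.HighEntropy
)

$notOn = ($required | Where-Object { "$_" -ne "ON" } | Measure-Object).Count
if ($notOn -eq 0) {
    Write-Output "Exploit protection settings are applied."
    exit 0
}

Write-Output "Exploit protection settings are not applied."
exit 1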
Remediation script:
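# Remediation: apply the system-wide Exploit Protection baseline the detection script
# checks (DEP, SEHOP, bottom-up and high-entropy ASLR).
# Exit 0 = applied, exit 1 = failed.
# Add-MpPreference has no -ExploitProtectionSettings parameter, so the original call
# failed and then exited 0, reporting a success it had not achieved. Exploit Protection
# is configured with Set-ProcessMitigation (ProcessMitigations module). To deploy a full
# policy instead of individual mitigations, export it from a reference device with
# Get-ProcessMitigation -RegistryConfigFilePath and apply it with
# Set-ProcessMitigation -PolicyFilePath.
try {
    Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy -ErrorAction Stop
    Write-Output "Exploit protection baseline applied."
    exit 0
}
catch {
    Write-Output "Failed to apply exploit protection settings: $($_.Exception.Message)"
    exit 1
}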
13 – Enabling Defender PUA Protection :
Detection script:
# Detection: Defender Potentially Unwanted Application (PUA) protection must be on.
# PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode. Only 1 is compliant.
# Exit 0 = compliant, exit 1 = non-compliant.
$BLOCK = 1
$puaMode = (Get-MpPreference).PUAProtection

if ($puaMode -ne $BLOCK) {
    Write-Output "Device Non-Compliant"
    exit 1
}

Write-Output "Device Compliant"
exit 0
Remediation script:
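# Remediation: enable Defender PUA protection in block mode.
# Exit 0 = applied, exit 1 = failed.
# Set-MpPreference errors are non-terminating by default; without -ErrorAction Stop the
# catch block never fires and a failed change is reported as "Device Remediated".
try {
    Set-MpPreference -PUAProtection Enabled -ErrorAction Stop
    Write-Output "Device Remediated"
    exit 0
}
catch {
    Write-Output "Remediation Failed"
    exit 1
}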
14 – Force mapping network drive :
Detection script:
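# Detection: drive Z: must be mapped to \\server\share.
# Exit 0 = compliant, exit 1 = not mapped or mapped to a different share.
# Two fixes compared with the original:
#  * Get-PSDrive -Name takes the letter without the colon ("Z"); "Z:" never matches, so
#    every device was reported non-compliant.
#  * For a mapped network drive .Root is the local "Z:\" and the UNC path is in
#    .DisplayRoot, so the UNC comparison has to use DisplayRoot.
# NOTE(review): Intune remediations run as SYSTEM by default; a per-user drive mapping
# is only visible if the script package is configured to run with the logged-on user's
# credentials. Without that, detection will never see the user's mapping.
$driveLetter = "Z:"
$networkPath = "\\server\share"
$driveName   = $driveLetter.TrimEnd(':')

$drive = Get-PSDrive -Name $driveName -PSProvider FileSystem -ErrorAction SilentlyContinue
$mappedTo = $null
if ($null -ne $drive) {
    # Trailing backslashes are normalised away so "\\server\share\" still matches.
    $mappedTo = "$($drive.DisplayRoot)".TrimEnd('\')
}

if ($null -eq $drive -or $mappedTo -ne $networkPath.TrimEnd('\')) {
    Write-Output "Network drive not mapped: $driveLetter"
    exit 1
}

Write-Output "Network drive is mapped: $driveLetter"
exit 0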
Remediation script:
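# Remediation: map drive Z: to \\server\share persistently.
# Exit 0 = mapped, exit 1 = failed.
# New-PSDrive -Name takes the letter without the colon; the original "Z:" is not a valid
# drive name and the call failed on every run. -Persist makes the mapping a Windows
# network drive (visible outside PowerShell) rather than a session-only PSDrive.
# NOTE(review): run this remediation with the logged-on user's credentials; mapped
# drives created by SYSTEM are not visible to the user.
$driveLetter = "Z:"
$networkPath = "\\server\share"
$driveName   = $driveLetter.TrimEnd(':')

try {
    New-PSDrive -Name $driveName -PSProvider FileSystem -Root $networkPath -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Output "Network drive has been mapped: $driveLetter"
    exit 0
}
catch {
    # Typical causes: the letter is already in use for another share, or the share is unreachable.
    Write-Output "Failed to map network drive ${driveLetter}: $($_.Exception.Message)"
    exit 1
}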
15 – LLMNR disabling :
Detection script:
# Detection: LLMNR must be disabled by policy (EnableMulticast = 0 under the DNSClient
# policy key). LLMNR name resolution is a classic target for LLMNR/NBT-NS poisoning,
# which is why security baselines turn it off.
# Exit 0 = compliant; a missing key/value or any other value is non-compliant (exit 1).
# NOTE(review): the non-compliant text goes to the warning stream (Write-Warning);
# if you rely on Intune showing the message, confirm it is captured, or use Write-Output.
$dnsClientPolicy = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$multicastValue  = "EnableMulticast"
$disabled        = 0

try {
    # -ErrorAction Stop turns a missing key or value into an exception handled below.
    $current = (Get-ItemProperty -Path $dnsClientPolicy -Name $multicastValue -ErrorAction Stop).$multicastValue
}
catch {
    Write-Warning "Not Compliant"
    Exit 1
}

if ($current -ne $disabled) {
    Write-Warning "Not Compliant"
    Exit 1
}

Write-Output "Compliant"
Exit 0
Remediation script:
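# Remediation: disable LLMNR by policy (EnableMulticast = 0, REG_DWORD).
# Exit 0 = applied, exit 1 = failed.
# The original tested for the DNSClient subkey by inspecting the *values* of the parent
# key (PSObject.Properties), which never lists subkeys, so New-Item ran on every
# execution and errored whenever the key already existed. Test-Path is the right check,
# and -Force also creates the missing "Windows NT" parent when needed.
# NOTE(review): LLMNR's sibling, NetBIOS over TCP/IP (NBT-NS), is poisoned the same way;
# consider disabling it per adapter as a companion remediation.
$dnsClientPolicy = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$multicastValue  = "EnableMulticast"
$disabled        = 0

try {
    if (-not (Test-Path -Path $dnsClientPolicy)) {
        New-Item -Path $dnsClientPolicy -Force -ErrorAction Stop | Out-Null
    }
    Set-ItemProperty -Path $dnsClientPolicy -Name $multicastValue -Type DWORD -Value $disabled -Force -ErrorAction Stop
    Write-Output "LLMNR has been disabled."
    exit 0
}
catch {
    Write-Output "Failed to disable LLMNR: $($_.Exception.Message)"
    exit 1
}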