Endpoint Analytics Proactive Remediation: Check devices with driver issues


In this post I will share how to use Endpoint Analytics Proactive Remediation to check devices that have missing or disabled drivers.


- You want to check devices that have disabled drivers in the Device Manager

- You want to check devices that have missing drivers in the Device Manager

The script

Click on the picture below to get the script

How does the detection script work?

To find problem drivers from the Device Manager, query the WMI class Win32_PnPEntity and look at the ConfigManagerErrorCode property.

The detection script reports an error for the following codes:

- ConfigManagerErrorCode = 22: disabled drivers

- ConfigManagerErrorCode = 28: missing drivers

See here for more information about this class. You can of course add other codes to the detection.

How does the remediation script work?

The remediation script just displays a warning telling the user to contact their help desk, as below:

Endpoint Analytics Proactive Remediation

A really cool feature available in the Endpoint Manager portal is Proactive Remediation.

It allows you to do the following:

- Check a specific case, like antivirus definitions, local admin...

- Resolve this case, like updating antivirus definitions, removing a local admin...

You can find it as below:

- Go to the Microsoft Endpoint manager admin center

- Go to Reports

- Go to Endpoint analytics

- Go to Proactive remediations

- Enable the feature

See below some Proactive Remediation examples:

- Battery replacement

- Last reboot time

- Check local admin

Detection and Remediation scripts

A Proactive Remediation is divided into two script parts:

- Detection script

- Remediation script

The Detection script allows you to check a specific case, like missing drivers on the device.

Set its exit code as follows:

- If the device does not meet your requirement (an issue is detected): 1

- If the device meets your requirement (no issue is detected): 0

If the detection script exits with code 1, the Remediation script will be executed.

You also need to set an exit code for the remediation script:

- If remediation succeeds, set the exit code to 0

- If remediation fails, set the exit code to 1
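
The detection logic and exit codes described above can be put together as follows. This is an added example, not the script from this post; the output messages and the choice to report a failed query as an issue are assumptions.

```powershell
# Added example: detection script for a Proactive Remediation package.
# Codes taken from the post: 22 = disabled driver, 28 = missing driver.
$codes = @{ 22 = 'disabled'; 28 = 'driver missing' }

try {
    # Build a WQL filter so only devices with these error codes are returned.
    $filter = ($codes.Keys | ForEach-Object { "ConfigManagerErrorCode = $_" }) -join ' OR '
    $devices = @(Get-CimInstance -ClassName Win32_PnPEntity -Filter $filter -ErrorAction Stop)
}
catch {
    # Assumption: a failed query is reported as an issue instead of passing silently.
    Write-Output "Driver check failed: $($_.Exception.Message)"
    exit 1
}

if ($devices.Count -eq 0) {
    Write-Output 'No disabled or missing drivers found'
    exit 0   # compliant: the remediation script is not run
}

# One summary line per run, so the result is readable in the portal output column.
$summary = $devices | ForEach-Object {
    $name = if ($_.Name) { $_.Name } else { $_.DeviceID }
    '{0} ({1})' -f $name, $codes[[int]$_.ConfigManagerErrorCode]
}
Write-Output ('Driver issues: ' + ($summary -join '; '))
exit 1       # issue detected: the remediation script is run
```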

Create the remediation package

1. Click on Create script package

2. Type a name (in our case, Microsoft Defender last scan and update)

3. Click on Next

4. Click on Detection script file

5. Select the detection script 

6. Click on Remediation script file

7. Select the remediation script 

8. Choose to run the script as the user

9. Click on Next

10. Select your assignment 

11. In the Schedule part, choose when the package should be run.

12. In our case we will run it every 3 hours (for our test)

13. Click on Apply

14. Click on Next

15. Click on Create

Log file
In my detection script, I create a log in ProgramData, as below:
