Manage Intune Proactive Remediation scripts with PowerShell and Graph

In this post I will show you how to manage Proactive Remediation scripts with PowerShell and Graph.

We will see how to list proactive remediation packages, list details of a remediation or create a new one.

Find the right resource

In order to manage Proactive Remediation scripts with PowerShell and Graph the first step is to find the appropriate resource.

For that proceed as below:

1. Go to the Graph reference web page here   

2. In the search bar type something like remediation

3. Click on Device Health Script Remediation History 

4. Now go to Device health script

5. Go to Get 

On the Get page you will find the appropriate resource to manage Proactive Remediation scripts.

This one is deviceHealthScripts.

The full resource path will be https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts

We will first set the resource path in a variable for later, as below:

Now let's play with it.

For that we will use the Graph Intune module with the cmdlet Invoke-MSGraphRequest.

You can find on my post here, how to use this module.

You can find here, how to use an Azure app to to authentificate to your Intune tenant and execute Graph queries.

List remediation scripts

In this part we will list all our remediation packages (scripts).

See below the list from the Endpoint Manager portal.

See below the code for that:

See below the result:

Get remediation summary 

In this part we will list the main summary of a remediation package.

See below the list from the Endpoint Manager portal.

We will list summary of a specific package.

For that we have to add the package id to the resource path.

Then we will add runsummary to our resource path.

See the link about this here.

See below the code for that:

See below the result:

Get remediation details

In this part we will list details of a remediation script meaning status, output and error message.

See below the list from the Endpoint Manager portal.

For that we will add deviceRunStates to our resource path as below:

$Main_Path/f841d07e-5f7b-49d5-9049-3f73cfded97a/deviceRunStates

The issue is this won't return things relattive to the device.

For that just add ?$expand=* to the path.

See below the new code:

See below the result:

Upload a remediation script

Now let's create a new remediation package and import both detection and remediation scripts.

See below information we will upload:

- Remediation package name: Remediation package test

- Publisher Syst and deploy

- Run as user: No, system

- Run as 32 bit: No

The detection script is the following one:

The remediation script is the following one:

To upload our script we have to convert them to Base64.

For that, use the code below:

Now we will create the JSON structure:

The last step is to upload content using method POST, as below:

Remove a remediation package

In this part we will remove the previously created package.

For that we will use method DELETE and add the id of the package to the resource path.

See below the code to remove the package:

What's next ?

In the next post, I will share a script allowing you to export result of a remediation script to Excel.