
Proactive Remediation: detect devices with recent BSOD and automatically upload log files to SharePoint


In this post I will show you a quick Intune Proactive Remediation script pair that detects devices that have had a recent BSOD and automatically sends the dump files to SharePoint.

 

Context

- Some of your devices have BSODs

- You want to collect the minidump files to investigate

- You want an easy way to upload those files

- You want an automated way

- You want to upload files on a SharePoint for help desk

- You want to be informed on Teams

 

The solution

I created two scripts:

- BSOD_Detection.ps1

- BSOD_Remediation.ps1

 

Detection script

1. This script checks the C:\Windows\Minidump folder for .DMP files.

2. If there is one, it checks whether the file date is within a specific period. Here I set it to 15 days.

3. If there are multiple files, the script uses the latest one.

4. It looks in the System event log for the latest BugCheck entry and compares it with the DMP file.

5. The script reports the device as needing remediation if the file is less than 30 days old.

 

You can set the delay by changing the variable $Delay_alert.
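The detection logic described in the five steps above, written as an added example (this is not the post's own BSOD_Detection.ps1). It keeps the $Delay_alert variable name from the post. Assumptions: the "rebooted from a bugcheck" entry is event ID 1001 in the System log from provider Microsoft-Windows-WER-SystemErrorReporting (shown as source "BugCheck" in Event Viewer), and a BugCheck event written within an hour of the minidump's timestamp is treated as corroborating it. Intune reads the exit code: 1 triggers the remediation script, 0 means compliant.

```powershell
# Added example of an Intune Proactive Remediation detection script for recent BSODs.
# Exit 1 = remediation needed (recent minidump), exit 0 = nothing to do.
$Delay_alert  = 30                          # days; adjust to your policy
$MinidumpPath = "$env:SystemRoot\Minidump"

function Get-LatestMinidump {
    # Returns the newest *.dmp file in the minidump folder, or $null when there is none.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    Get-ChildItem -Path $Path -Filter '*.dmp' -File -ErrorAction SilentlyContinue |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1
}

function Get-LatestBugCheckEvent {
    # Assumption: BugCheck reboot records are event 1001 from this provider in the System log.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
            Id           = 1001
        } -MaxEvents 1 -ErrorAction Stop
    } catch {
        $null   # Get-WinEvent throws when no matching event exists; treat that as "no event"
    }
}

$Dump = Get-LatestMinidump -Path $MinidumpPath
if (-not $Dump) {
    Write-Output "No minidump found in $MinidumpPath"
    exit 0
}

$AgeDays = ((Get-Date) - $Dump.LastWriteTime).TotalDays
if ($AgeDays -gt $Delay_alert) {
    Write-Output ("Latest minidump {0} is {1:N0} days old (older than {2} days)" -f $Dump.Name, $AgeDays, $Delay_alert)
    exit 0
}

# Cross-check against the System log: the minidump is written on the reboot after the crash,
# so the BugCheck event and the file timestamp should be close together (heuristic: 1 hour).
$Event = Get-LatestBugCheckEvent
if ($Event -and [math]::Abs(($Event.TimeCreated - $Dump.LastWriteTime).TotalHours) -le 1) {
    $Check = "BugCheck event $($Event.TimeCreated.ToString('yyyy-MM-dd HH:mm')) matches"
} else {
    $Check = 'no matching BugCheck event found in the System log'
}

Write-Output ("Recent BSOD: {0} written {1:yyyy-MM-dd HH:mm}; {2}" -f $Dump.Name, $Dump.LastWriteTime, $Check)
exit 1
```

The text written with Write-Output before the exit shows up in the Proactive Remediation report as the pre-remediation detection output, which is useful for triage even when the remediation step is later disabled.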

 

Remediation script

The remediation script works as below:

1. Install the PnP.PowerShell module if it is not already installed

2. Create a folder for logs: C:\Windows\Temp\DMP_Logs_folder

3. Copy content of C:\Windows\Minidump in the DMP_Logs_folder folder

4. Copy file C:\WINDOWS\MEMORY.DMP in the DMP_Logs_folder folder

5. Zip the folder DMP_Logs_folder

6. Upload the ZIP to SharePoint

7. Publish a new message on Teams

 

Logs collected

The remediation script collects some logs and sends them to a SharePoint site for support.

By default the script gathers the following files:

- All DMP files in C:\Windows\Minidump

- C:\Windows\MEMORY.DMP


It also gathers the following event logs (last 30 days):

- System

- Application

- Security

- Microsoft-Windows-Kernel-Power

- Microsoft-Windows-Kernel-PnP

- Microsoft-Windows-Kernel-LiveDump

- Microsoft-Windows-Kernel-ShimEngine

- Microsoft-Windows-Kernel-Boot

- Microsoft-Windows-Kernel-IO


You can add other event logs at line 123.

I created a function that exports the events of the last 30 days from each log.
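An added example that covers the seven remediation steps, the log list above, and the Teams webhook described later in the post; it is not the post's own BSOD_Remediation.ps1. Assumptions (all placeholders to replace): the SharePoint site URL, the app registration's client ID and secret (ACS client-secret auth; use -CertificatePath instead if your app uses a certificate), the target library folder, and the Teams webhook URL. The hypothetical Export-RecentEventLog function uses the wevtutil XPath filter with timediff() in milliseconds, skips channels that do not exist on the device, and the script skips MEMORY.DMP when it exceeds $MaxDumpMB, because Compress-Archive in Windows PowerShell 5.1 cannot handle single files above 2 GB. PnP.PowerShell 1.12.0 is pinned on the assumption that it is the last release that runs under Windows PowerShell 5.1, which is what the Intune Management Extension uses.

```powershell
# Added example of an Intune Proactive Remediation remediation script for BSOD log collection.
$SiteUrl      = 'https://contoso.sharepoint.com/sites/BSODLogs'     # placeholder
$ClientId     = '<app-client-id>'                                    # placeholder
$ClientSecret = '<app-client-secret>'                                # placeholder
$TargetFolder = 'Shared Documents/BSOD'                              # placeholder, must exist
$Use_Webhook  = $True
$Webhook      = 'https://contoso.webhook.office.com/webhookb2/<id>'  # placeholder
$Days         = 30                                                   # event log window
$MaxDumpMB    = 1500                                                 # skip MEMORY.DMP above this size

$LogFolder = "$env:SystemRoot\Temp\DMP_Logs_folder"
$Zip       = "$env:SystemRoot\Temp\DMP_Logs_$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmm').zip"

# Event logs from the post; channels missing on the device are skipped by Export-RecentEventLog.
$EventLogs = 'System', 'Application', 'Security',
             'Microsoft-Windows-Kernel-Power', 'Microsoft-Windows-Kernel-PnP',
             'Microsoft-Windows-Kernel-LiveDump', 'Microsoft-Windows-Kernel-ShimEngine',
             'Microsoft-Windows-Kernel-Boot', 'Microsoft-Windows-Kernel-IO'

function Export-RecentEventLog {
    # Hypothetical helper: exports one channel to .evtx, keeping only the last $Days days.
    param([string]$LogName, [string]$Destination, [int]$Days)
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        Write-Output "Skipping $LogName (channel not present on this device)"
        return
    }
    $Ms   = [int64]$Days * 86400000                       # timediff() compares in milliseconds
    $File = Join-Path -Path $Destination -ChildPath (($LogName -replace '[\\/]', '_') + '.evtx')
    & wevtutil.exe epl $LogName $File "/q:*[System[TimeCreated[timediff(@SystemTime) <= $Ms]]]" /ow:true
}

# 1. Module (runs as SYSTEM, so the NuGet provider may also be missing)
if (-not (Get-Module -ListAvailable -Name PnP.PowerShell)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    Install-Module -Name PnP.PowerShell -RequiredVersion 1.12.0 -Scope AllUsers -Force -AllowClobber
}
Import-Module -Name PnP.PowerShell

# 2-4. Staging folder, minidumps, full memory dump, event logs
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
Get-ChildItem -Path "$env:SystemRoot\Minidump" -Filter '*.dmp' -File -ErrorAction SilentlyContinue |
    Copy-Item -Destination $LogFolder -Force
$MemoryDump = "$env:SystemRoot\MEMORY.DMP"
if (Test-Path -Path $MemoryDump) {
    if (((Get-Item $MemoryDump).Length / 1MB) -le $MaxDumpMB) {
        Copy-Item -Path $MemoryDump -Destination $LogFolder -Force
    } else {
        Write-Output "MEMORY.DMP exceeds $MaxDumpMB MB and was not collected"
    }
}
foreach ($Log in $EventLogs) { Export-RecentEventLog -LogName $Log -Destination $LogFolder -Days $Days }

# 5. Zip the staging folder
if (Test-Path -Path $Zip) { Remove-Item -Path $Zip -Force }
Compress-Archive -Path "$LogFolder\*" -DestinationPath $Zip

# 6. Upload to SharePoint with app-only credentials
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -ClientSecret $ClientSecret
$Uploaded = Add-PnPFile -Path $Zip -Folder $TargetFolder
Disconnect-PnPOnline

# 7. Teams notification through the incoming webhook
if ($Use_Webhook) {
    $SizeMB = [math]::Round((Get-Item $Zip).Length / 1MB, 1)
    $Body   = @{ text = "BSOD logs uploaded for $env:COMPUTERNAME : $($Uploaded.Name) ($SizeMB MB)" }
    Invoke-RestMethod -Uri $Webhook -Method Post -ContentType 'application/json' -Body ($Body | ConvertTo-Json)
}

# Clean up local copies so dumps are not left lying in Temp
Remove-Item -Path $LogFolder -Recurse -Force
Remove-Item -Path $Zip -Force
```

Two design points worth keeping in mind: the client secret is shipped to every targeted device, so give the app registration write access to that one library only; and the Security log and memory dumps can contain credentials and personal data, so restrict the SharePoint library to the help desk group that needs it.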



Get the script

Click on the below GitHub picture to download the script


SharePoint prerequisites

To upload files on SharePoint you will need to:

- Create a dedicated SharePoint for logs

- Create a SharePoint application to authenticate

 

You can find the prerequisites in my blog post there.


Notifications on Teams

When logs are uploaded on SharePoint you can choose to publish a message on Teams.

For that, create an incoming webhook connector.

I will soon publish a blog post about how to do that, for now you can find indications as comment in the Remediation script.

To use this proceed as below:

- Set the variable $Use_Webhook to $True

- Add the webhook URL in the variable $Webhook


Once the ZIP has been uploaded, a new message is displayed in your Teams channel, as below:



Create Proactive Remediation script

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Reports

3. Go to Endpoint Analytics

4. Go to Proactive Remediations

5. Click on Create script package

6. Type a name

7. Click on Next

8. Click on Detection script file

9. Browse to the script BSOD_Detection.ps1

10. Click on Remediation script file

11. Browse to the script BSOD_Remediation.ps1

12. Click on Next

13. Select the group

14. In the Schedule part, choose when the package should be run.

15. Click on Apply

16. Click on Next

17. Click on Create

 
