
Proactive Remediation: detect devices with recent BSOD and automatically upload log files to SharePoint



In this post I will show you a quick Intune Proactive Remediation script that detects devices with a recent BSOD and automatically sends the dump files to a SharePoint site.

 

Context

- Some of your devices have BSODs

- You want to collect the minidump files to investigate

- You want an easy way to upload those files

- You want an automated way

- You want to upload the files to a SharePoint site for the help desk

- You want to be informed on Teams

 

The solution

I created two scripts:

- BSOD_Detection.ps1

- BSOD_Remediation.ps1

 

Detection script

The script works as below:

1. Check whether there is a .DMP file in C:\Windows\Minidump.

2. If yes, check whether the file date is more recent than a specific period (here I set it to 15 days).

3. If there are multiple files, the script takes the latest one.

4. Check the System event log for the last BugCheck entry and compare it with the DMP file.

5. Report the device as needing remediation (alert) if the file date is less than 30 days old.

 

You can set the delay by changing the variable $Delay_alert.
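The detection logic described above, written out as an added example. This is not the post's BSOD_Detection.ps1; it reuses the $Delay_alert variable name and assumes the English wording of the BugCheck event (System log, event ID 1001) when it matches the message text. Intune reads exit code 1 as "remediation needed" and 0 as "compliant", and shows the script's standard output in the console.

```powershell
# Added example (not the post's BSOD_Detection.ps1): detection script following the steps above.
# Exit 1 = remediation needed, exit 0 = compliant. Standard output is shown in the Intune console.
$Delay_alert  = 30                                  # days (variable name taken from the post)
$MinidumpPath = Join-Path $env:SystemRoot 'Minidump'
$Cutoff       = (Get-Date).AddDays(-$Delay_alert)

# Steps 1 and 3: the newest .dmp file, if there is one
$Dump = Get-ChildItem -Path $MinidumpPath -Filter '*.dmp' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

if (-not $Dump) {
    Write-Output "No minidump in $MinidumpPath"
    exit 0
}

# Step 2: ignore dumps older than the alert window
if ($Dump.LastWriteTime -lt $Cutoff) {
    Write-Output "Latest minidump $($Dump.Name) ($($Dump.LastWriteTime)) is older than $Delay_alert days"
    exit 0
}

# Step 4: last BugCheck entry in the System log. Event 1001 is written after the reboot and
# carries the stop code and the dump path. Matching on the message text keeps the filter
# independent of the provider name (assumption: English message text "rebooted from a bugcheck").
$BugCheck = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $Cutoff } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'bugcheck' } |
            Sort-Object TimeCreated -Descending | Select-Object -First 1

$Detail = "Latest minidump: $($Dump.Name) written $($Dump.LastWriteTime)"
if ($BugCheck) {
    # The dump is written during the crash and the 1001 event on the next boot, so the event
    # should be slightly newer than the file. A 24 hour window tolerates a device left powered off.
    $GapHours = ($BugCheck.TimeCreated - $Dump.LastWriteTime).TotalHours
    if ($GapHours -ge 0 -and $GapHours -le 24) {
        $Detail += " | BugCheck event at $($BugCheck.TimeCreated) matches the dump"
    } else {
        $Detail += " | BugCheck event at $($BugCheck.TimeCreated) does not match the dump time"
    }
} else {
    $Detail += " | no BugCheck event found in the last $Delay_alert days"
}

# Step 5: alert, because the dump is younger than the window
Write-Output $Detail
exit 1
```

The comparison in step 4 is deliberately tolerant: a device that crashed and stayed powered off for a day still produces a dump and a 1001 event that belong together. If the gap is larger, the output says so but the device is still flagged, since the dump itself is recent; a help desk reading the console output can see which case applies.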

 

Remediation script

The remediation script works as below:

1. Create a log folder C:\Windows\Temp\DMP_Logs_folder

2. Copy the content of C:\Windows\Minidump to the log folder

3. Copy C:\WINDOWS\MEMORY.DMP to the log folder

4. Zip the folder DMP_Logs_folder

5. Authenticate to SharePoint through the Azure app

6. Upload the ZIP to SharePoint

7. Publish a new message on Teams

 

Logs collected

The remediation script collects some logs and sends them to a SharePoint site for support.

By default the script gathers the files below:

- All DMP files in C:\Windows\Minidump

- C:\Windows\MEMORY.DMP


It also gathers the event logs below (last 30 days):

- System

- Application

- Security

- Microsoft-Windows-Kernel-Power

- Microsoft-Windows-Kernel-PnP

- Microsoft-Windows-Kernel-LiveDump

- Microsoft-Windows-Kernel-ShimEngine

- Microsoft-Windows-Kernel-Boot

- Microsoft-Windows-Kernel-IO


You can add other event logs at line 123 of the script.

I created a function that exports the event logs of the last 30 days.
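The remediation steps and the event log collection above, as an added example that is not the post's BSOD_Remediation.ps1. It goes a little beyond the post's fixed list: besides System, Application and Security it enumerates every Microsoft-Windows-Kernel-* channel that has records, so the Kernel-Power, Kernel-PnP, Kernel-Boot and similar logs are picked up without listing each channel name. The site URL, library folder, app registration id, tenant and certificate thumbprint are placeholders (assumptions); the script expects the app's certificate in the LocalMachine store, which the remediation can read because Intune runs it as SYSTEM, and it expects PnP.PowerShell to be installed for that host. The wevtutil XPath filter uses timediff in milliseconds, which is how the 30 day limit is applied.

```powershell
# Added example (not the post's BSOD_Remediation.ps1): collect dumps and recent event logs,
# zip them, upload the archive to SharePoint with PnP.PowerShell, then clean up.
# Values marked ASSUMPTION are placeholders to replace with your own.
$LogFolder  = Join-Path $env:SystemRoot 'Temp\DMP_Logs_folder'
$ZipPath    = Join-Path $env:SystemRoot ('Temp\{0}_{1:yyyyMMdd_HHmm}_BSOD.zip' -f $env:COMPUTERNAME, (Get-Date))
$SiteUrl    = 'https://contoso.sharepoint.com/sites/Helpdesk'     # ASSUMPTION
$TargetDir  = 'Shared Documents/BSOD'                              # ASSUMPTION: folder in the library
$ClientId   = '00000000-0000-0000-0000-000000000000'               # ASSUMPTION: app registration id
$Tenant     = 'contoso.onmicrosoft.com'                            # ASSUMPTION
$Thumbprint = '<thumbprint of the app certificate in LocalMachine\My>'   # ASSUMPTION
$MaxDumpMB  = 1024   # MEMORY.DMP above this size is skipped; huge files break Compress-Archive and uploads

function Export-RecentEventLog {
    # Exports one event log channel limited to the last $Days days (wevtutil XPath time filter, in ms)
    param([string]$LogName, [string]$Destination, [int]$Days = 30)
    $Ms    = [int64]$Days * 24 * 60 * 60 * 1000
    $Query = "*[System[TimeCreated[timediff(@SystemTime) <= $Ms]]]"
    $Out   = Join-Path $Destination (($LogName -replace '[\\/]', '-') + '.evtx')
    & wevtutil.exe epl $LogName $Out "/q:$Query" /ow:true
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil failed for $LogName (exit $LASTEXITCODE)" }
}

# 1. fresh log folder
if (Test-Path $LogFolder) { Remove-Item $LogFolder -Recurse -Force }
New-Item -ItemType Directory -Path $LogFolder | Out-Null

# 2. minidumps
Copy-Item -Path (Join-Path $env:SystemRoot 'Minidump\*.dmp') -Destination $LogFolder -ErrorAction SilentlyContinue

# 3. full kernel dump, if present and not oversized
$MemoryDmp = Join-Path $env:SystemRoot 'MEMORY.DMP'
if (Test-Path $MemoryDmp) {
    $SizeMB = (Get-Item $MemoryDmp).Length / 1MB
    if ($SizeMB -le $MaxDumpMB) { Copy-Item $MemoryDmp -Destination $LogFolder }
    else { Write-Output "MEMORY.DMP is $([int]$SizeMB) MB, skipped (limit $MaxDumpMB MB)" }
}

# Event logs: the three classic logs plus every Kernel channel that actually has records
$Channels = @('System', 'Application', 'Security')
$Channels += (Get-WinEvent -ListLog 'Microsoft-Windows-Kernel-*' -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordCount -gt 0 }).LogName
foreach ($Channel in $Channels) { Export-RecentEventLog -LogName $Channel -Destination $LogFolder -Days 30 }

# 4. zip
Compress-Archive -Path (Join-Path $LogFolder '*') -DestinationPath $ZipPath -Force

# 5. and 6. app-only authentication with the certificate in the machine store, then upload
Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
Add-PnPFile -Path $ZipPath -Folder $TargetDir | Out-Null
Disconnect-PnPOnline
Write-Output "Uploaded $ZipPath to $SiteUrl/$TargetDir"

# Dumps contain kernel memory; do not leave a second copy in Temp once it is on SharePoint
Remove-Item $LogFolder -Recurse -Force
Remove-Item $ZipPath -Force
```

Two choices are worth a word. Authentication uses a certificate thumbprint rather than a client secret, because a remediation script is distributed to every targeted device and a secret pasted into it would be readable by anyone with local admin rights; with a certificate the private key stays in the machine store and the script itself carries nothing secret. The size cap and the cleanup at the end exist because MEMORY.DMP can be several gigabytes and contains kernel memory, so a copy should not linger in C:\Windows\Temp after the upload.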



Get the script

Click on the GitHub picture below to download the scripts.


Prerequisites

To send files to SharePoint you will need to create an Azure app registration and grant it a specific permission.

You can see in my post here how to proceed.


Teams notification

When logs are uploaded to SharePoint you can choose to publish a message on Teams.

For that, create a webhook connector.

To use it in the script, proceed as below:

- Set variable $Use_Webhook to True

- Add webhook URL in variable: $Webhook


Once the ZIP has been uploaded, a new message will be displayed in your Teams channel, as below:
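The Teams step, as an added example that is not the post's code. It keeps the post's $Use_Webhook and $Webhook variable names; the webhook URL, the archive name and the SharePoint link passed to the function are placeholders (assumptions). The payload is the MessageCard format that Office 365 incoming webhooks accept, with a few facts and a button that opens the SharePoint folder.

```powershell
# Added example (not the post's code): notify a Teams channel through an incoming webhook
# once the archive has been uploaded. Variable names follow the post; URLs are ASSUMPTION placeholders.
$Use_Webhook = $true
$Webhook     = 'https://contoso.webhook.office.com/webhookb2/<id>/IncomingWebhook/<key>'   # ASSUMPTION

function Send-TeamsBsodMessage {
    param(
        [Parameter(Mandatory)] [string]$WebhookUrl,
        [Parameter(Mandatory)] [string]$Device,
        [Parameter(Mandatory)] [string]$ArchiveName,
        [Parameter(Mandatory)] [string]$SharePointUrl,
        [string]$StopCode = 'unknown'
    )
    # MessageCard payload understood by Office 365 connector webhooks
    $Card = [ordered]@{
        '@type'    = 'MessageCard'
        '@context' = 'https://schema.org/extensions'
        summary    = "BSOD logs uploaded for $Device"
        themeColor = 'D13438'
        title      = "BSOD detected on $Device"
        sections   = @(@{
            facts = @(
                @{ name = 'Device';    value = $Device }
                @{ name = 'Stop code'; value = $StopCode }
                @{ name = 'Archive';   value = $ArchiveName }
                @{ name = 'Uploaded';  value = (Get-Date -Format 'yyyy-MM-dd HH:mm') }
            )
        })
        potentialAction = @(@{
            '@type' = 'OpenUri'
            name    = 'Open SharePoint folder'
            targets = @(@{ os = 'default'; uri = $SharePointUrl })
        })
    }
    $Body = $Card | ConvertTo-Json -Depth 6
    try {
        Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $Body | Out-Null
        return $true
    } catch {
        # A failed notification must not fail the remediation: the logs are already on SharePoint
        Write-Warning "Teams notification failed: $($_.Exception.Message)"
        return $false
    }
}

if ($Use_Webhook) {
    Send-TeamsBsodMessage -WebhookUrl $Webhook `
                          -Device $env:COMPUTERNAME `
                          -ArchiveName 'DMP_Logs_folder.zip' `
                          -SharePointUrl 'https://contoso.sharepoint.com/sites/Helpdesk/Shared%20Documents/BSOD' | Out-Null
}
```

The function returns $true or $false instead of throwing so that a Teams outage, or a rotated webhook URL, does not mark the remediation as failed after the upload already succeeded. The webhook URL itself is the only credential needed to post to the channel, so it should be treated like the app registration details: keep it out of screenshots and rotate it from the connector settings if the script ever leaks.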



Create Proactive Remediation script

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Devices

3. Go to Remediations

4. Click on Create script package

5. Type a name

6. Click on Next

7. Click on Detection script file

8. Browse the script BSOD_Detection.ps1

9. Click on Remediation script file

10. Browse the script BSOD_Remediation.ps1

11. Click on Next

12. Select a group

13. In the Schedule part, choose when the package should be run.

14. Click on Apply

15. Click on Next

16. Click on Create

1 comment

Thomas said…

I keep getting an error when trying to connect to SharePoint: Disconnect-pnponline :
The 'Disconnect-pnponline' command was found in the module 'PnP.PowerShell',
but the module could not be loaded. For more information,
run 'Import-Module PnP.PowerShell'.

import says: Import-Module : Could not load file or assembly 'System.Management.Automation, Version=7.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

so maybe some PowerShell 7 is missing or?
