
Remotely run on-demand Intune remediation script from any device



In this post I will show you a way to run an on-demand Intune remediation script directly from any device.


Context

You have a device with an issue.

To solve the issue you need to run a script with admin rights.

Let's imagine for instance a script that runs one of the following actions:

- sfc /scannow

- Reset OneDrive

- Reinstall an app (see here)


You can add those scripts as Intune remediation scripts in order to execute them on demand.

This way, when a user has an issue, he can run the remediation script on demand from his device.

Another way would be to make them available through the Company Portal, but let's see when it is useful to run them as on-demand remediation scripts.


What's next ?

OK, you may say, but how do you use it in real life?

I recently posted an update of my SelfX tool, see here.

This tool allows users to solve issues themselves.

See below an overview:


This tool allows users to solve issues by running PowerShell scripts in the background.

Those scripts are executed in the user context, meaning without admin rights.

Now, to solve issues requiring admin rights, you can imagine an admin part that lists some remediation scripts that you can execute directly.

In the XML you need to add the ID of the remediation script; the tool then calls the runbook and passes the remediation script ID as a parameter.


The solution

1. An Azure Automation runbook is created

2. It uses a managed identity

3. A webhook is added on the runbook

4. The runbook can run a remediation script on demand

5. A script is executed on a device

6. The script calls the runbook through the webhook

7. The remediation script ID is passed as a parameter


Get the scripts

Click on the GitHub picture below to get the scripts.


You will find:

- Runbook.ps1: Azure Automation runbook script

- Call_runbook.ps1: PowerShell script that calls the runbook

- Permissions.ps1: script that adds the permissions


Creating the automation account

1. Go to Azure

2. In the search bar type: Automation accounts

3. Go to Automation accounts

4. Click on Create

5. Type a name

6. Choose subscription, resource group, region

7. Click on Create


Setting managed identity

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes


Adding permissions

To allow the runbook to run an on-demand remediation script, we need a specific Microsoft Graph application permission.

This permission is granted to the managed identity itself (the service principal created when you turned on the system-assigned identity).

For that you need the following permissions: 


To add this permission you will need to use PowerShell; it can't be done through the portal.

For that use the script: Assign_permissions.ps1 


You just need to fill in the variables below:

$TenantID: your tenant ID

$DisplayNameOfMSI: name of your automation account
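The same assignment can be done with the Microsoft.Graph PowerShell module. The function below is an added example, not the post's Assign_permissions.ps1: it resolves the managed identity and the Microsoft Graph service principal, grants the application permission, and then lists every Graph app role the identity holds so you can verify it has only what the runbook needs. The permission value itself (the one listed in this section) is passed as `-PermissionName` rather than hard-coded; the function name and the delegated scopes used for the admin session are assumptions.

```powershell
# Added example (not the post's own script): grant a Microsoft Graph application
# permission to an automation account's system-assigned identity and verify it.
# Requires: Install-Module Microsoft.Graph.Applications
function Grant-GraphAppRoleToManagedIdentity {
    param(
        [Parameter(Mandatory)] [string] $TenantID,          # your tenant ID
        [Parameter(Mandatory)] [string] $DisplayNameOfMSI,  # name of the automation account
        [Parameter(Mandatory)] [string] $PermissionName     # Graph app permission value, e.g. the one listed above
    )
    # The admin session needs these delegated scopes to assign app roles (assumption: you are Global/Privileged Role Admin)
    Connect-MgGraph -TenantId $TenantID -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

    $graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known app ID of Microsoft Graph
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    $msi     = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
    if ($msi.Count -eq 0) { throw "No service principal named '$DisplayNameOfMSI'. Is the system-assigned identity turned on?" }
    if ($msi.Count -gt 1) { throw "Several service principals are named '$DisplayNameOfMSI'; look the identity up by object ID instead." }
    $msi = $msi[0]

    # Only application permissions (not delegated scopes) can be granted to a managed identity
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph exposes no application permission named '$PermissionName'" }

    # Idempotent: Graph rejects a duplicate assignment, so check before granting
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if (-not $existing) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -PrincipalId $msi.Id `
            -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    }

    # Verification: every Graph application permission the identity now holds.
    # Anything beyond what the runbook needs is attack surface if the webhook leaks.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { ($graphSp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }).Value }
}

# Usage (values are placeholders):
# Grant-GraphAppRoleToManagedIdentity -TenantID '<tenant-guid>' -DisplayNameOfMSI 'aa-intune-remediation' -PermissionName '<permission from this section>'
```

App role assignments on a managed identity do not appear under Enterprise applications in the portal unless you untick the "Show only application assignments" style filters, so the verification list at the end of the function is the quickest way to confirm what was granted.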


Adding runbook

In the example below we add the runbook that runs a remediation script on demand on a specific device.

We will proceed as below:

1. Go to Runbooks and create a new PowerShell runbook

2. Copy the content of Runbook.ps1 into it

3. Click on Publish


Adding webhook

1. Go to your Runbook

2. Click on Add webhook

3. Click on Create new webhook

4. Type a name

5. Set it to Enabled

6. Copy the webhook URL (it is displayed only once; it cannot be retrieved afterwards)

7. Click on OK
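The whole setup (automation account, system-assigned identity, runbook import, webhook) can also be scripted with the Az.Automation module instead of clicking through the portal. The block below is an added example and not part of the post's sources; the resource names, location and webhook lifetime are assumptions to adapt.

```powershell
# Added example (not the post's own script): provision the automation account,
# its system-assigned identity, the runbook and the webhook with Az PowerShell.
# Requires: Install-Module Az.Automation, Az.Resources ; Connect-AzAccount
$ResourceGroup     = 'rg-intune-automation'        # assumed
$AutomationAccount = 'aa-intune-remediation'        # assumed; this is also $DisplayNameOfMSI
$Location          = 'westeurope'                   # assumed
$RunbookName       = 'Run-OnDemandRemediation'      # assumed

# Automation account created with the system-assigned managed identity already on
New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationAccount `
    -Location $Location -AssignSystemIdentity | Out-Null

# The identity shows up in Entra ID as a service principal with the account's name;
# this is the object the Graph permission is granted to
$msi = Get-AzADServicePrincipal -DisplayName $AutomationAccount
Write-Host "Managed identity object ID: $($msi.Id)"

# Import Runbook.ps1 from the downloaded sources and publish it in one step
Import-AzAutomationRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
    -Path '.\Runbook.ps1' -Name $RunbookName -Type PowerShell -Published | Out-Null

# Webhook: the URI is returned exactly once. Treat it as a bearer secret, since
# anyone who holds it can start the runbook; a 12-month expiry forces rotation.
$webhook = New-AzAutomationWebhook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
    -Name 'SelfX-remediation' -RunbookName $RunbookName -IsEnabled $true `
    -ExpiryTime (Get-Date).AddMonths(12) -Force
$webhook.WebhookURI   # paste into $webhookURI of Call_runbook.ps1; store it somewhere safe
```

Because the webhook URI is only ever shown at creation time, losing it means creating a new webhook; the same mechanism is what you use to revoke a leaked one (delete the webhook and issue a new URI to the devices).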


Run it on demand

We already created the runbook previously in the post.

You can find the runbook in the downloaded sources: Runbook.ps1


Let's check what it does:

1. Gets the parameters sent by the script

2. Gets the device serial number

3. Gets the remediation script ID

4. Gets the password sent as a parameter

5. Checks that the password is the correct one

6. Checks that the device is managed in Intune

7. Runs the remediation script on demand on the remote device

Keep in mind that the webhook URL and the password are shared secrets present on every device that runs the calling script, so anyone who extracts them can trigger the runbook for any serial number. The runbook should therefore only accept the remediation script IDs you intend to expose, not any ID the caller sends.
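Here is what such a runbook looks like end to end. This is an added example, not the post's Runbook.ps1: it reads the webhook body, compares the password in constant time against an encrypted automation variable, restricts the caller to an allowlist of script IDs, resolves the device by serial number through Microsoft Graph, and calls the beta `initiateOnDemandProactiveRemediation` action. The automation variable name, the allowlisted IDs and the JSON field names are assumptions; the Microsoft.Graph.Authentication module must be imported into the automation account.

```powershell
# Added example (not the post's Runbook.ps1): Azure Automation runbook started by
# a webhook that runs one Intune remediation script on one device.
# Assumes: Microsoft.Graph.Authentication imported into the account, the managed
# identity holds the permission from "Adding permissions", and an encrypted
# automation variable 'RemediationPassword' (assumed name) holds the shared secret.
param(
    [object] $WebhookData   # must be named WebhookData for Azure Automation to bind the webhook call
)
$ErrorActionPreference = 'Stop'

# 1. The device's parameters arrive as JSON in the webhook request body
if (-not $WebhookData) { throw 'This runbook must be started through its webhook.' }
$body = $WebhookData.RequestBody | ConvertFrom-Json

# 2-4. Serial number, remediation script ID and password (assumed field names)
$SerialNumber = [string]$body.SerialNumber
$ScriptID     = [string]$body.ScriptID
$Password     = [string]$body.Password

# 5. Constant-time comparison: do not stop at the first mismatching byte,
#    so response time does not reveal how much of the password was right
function Test-SharedSecret([string]$Candidate, [string]$Expected) {
    $a = [Text.Encoding]::UTF8.GetBytes($Candidate)
    $b = [Text.Encoding]::UTF8.GetBytes($Expected)
    $diff = $a.Length -bxor $b.Length
    for ($i = 0; $i -lt [Math]::Min($a.Length, $b.Length); $i++) {
        $diff = $diff -bor ($a[$i] -bxor $b[$i])
    }
    return ($diff -eq 0)
}
$Expected = Get-AutomationVariable -Name 'RemediationPassword'
if (-not (Test-SharedSecret $Password $Expected)) { throw 'Invalid password' }

# Allowlist: webhook URL and password live on every device, so the runbook must
# only run the scripts you chose to expose, never an arbitrary ID from the caller.
$AllowedScriptIDs = @(
    '11111111-1111-1111-1111-111111111111'   # placeholder: Reset OneDrive remediation
    '22222222-2222-2222-2222-222222222222'   # placeholder: sfc /scannow remediation
)
if ($AllowedScriptIDs -notcontains $ScriptID) { throw "Script $ScriptID is not exposed through this runbook" }

# 6. Is the device managed in Intune? Authenticate as the system-assigned identity.
Connect-MgGraph -Identity -NoWelcome
$escaped = $SerialNumber -replace "'", "''"                      # escape single quotes for the OData filter
$filter  = [uri]::EscapeDataString("serialNumber eq '$escaped'")
$listUri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=' + $filter + '&$select=id,deviceName,serialNumber'
$devices = @((Invoke-MgGraphRequest -Method GET -Uri $listUri).value)
if ($devices.Count -ne 1) { throw "Expected exactly one Intune device with serial '$SerialNumber', found $($devices.Count)" }
$DeviceID = $devices[0].id

# 7. Start the remediation on demand on that device
$runUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$DeviceID/initiateOnDemandProactiveRemediation"
Invoke-MgGraphRequest -Method POST -Uri $runUri -Body @{ scriptPolicyId = $ScriptID } -ContentType 'application/json'
Write-Output "Remediation $ScriptID requested on $($devices[0].deviceName) ($DeviceID)"
```

The `$devices.Count -ne 1` check matters: duplicate or blank serial numbers (common on some virtual machines and refurbished hardware) would otherwise make the runbook pick a device at random, and a blank serial sent by an attacker would match nothing rather than something.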


You can find the script used to call the runbook on-demand from the device in the downloaded sources.

File name is: Call_runbook.ps1

In the script you need to set the following variables:

- $ScriptID : id of the remediation script to run

- $webhookURI: URL of the webhook on the runbook


Let's check what it does:

1. Gets the device serial number

2. Adds the device serial number as a parameter

3. Adds the remediation script ID as a parameter

4. Calls the runbook through the webhook
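The device side of that exchange, as an added example rather than the post's Call_runbook.ps1: it reads the BIOS serial number (the value Intune records for the device), builds the JSON body the runbook expects, posts it to the webhook and returns the job ID Azure Automation answers with. The three values at the top are placeholders you fill in, and the JSON field names match the runbook you deploy.

```powershell
# Added example (not the post's Call_runbook.ps1): call the runbook's webhook
# from a device. Placeholders below are the values the post says to fill in.
$webhookURI = 'https://<region>.webhook.azure-automation.net/webhooks?token=<token>'   # from "Adding webhook"
$ScriptID   = '11111111-1111-1111-1111-111111111111'                                   # ID of the remediation script
$Password   = 'replace-with-the-shared-secret'                                         # must match the runbook's value

function Get-DeviceSerialNumber {
    # 1. Serial number as Intune stores it: Win32_BIOS.SerialNumber, trimmed
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    if ([string]::IsNullOrWhiteSpace($serial)) { throw 'This device reports no BIOS serial number' }
    return $serial.Trim()
}

function Invoke-OnDemandRemediation {
    param(
        [Parameter(Mandatory)] [string] $WebhookUri,
        [Parameter(Mandatory)] [string] $ScriptID,
        [Parameter(Mandatory)] [string] $Password
    )
    # 2-3. Serial number and script ID travel as JSON in the request body
    $payload = @{
        SerialNumber = Get-DeviceSerialNumber
        ScriptID     = $ScriptID
        Password     = $Password
    } | ConvertTo-Json -Compress

    # 4. Posting to the webhook only queues a job: the response carries job IDs,
    #    not the outcome of the remediation, so a 202 means "accepted", not "fixed"
    $response = Invoke-RestMethod -Method Post -Uri $WebhookUri -Body $payload -ContentType 'application/json'
    return $response.JobIds
}

$jobIds = Invoke-OnDemandRemediation -WebhookUri $webhookURI -ScriptID $ScriptID -Password $Password
Write-Host "Runbook job(s) queued: $($jobIds -join ', ')"
```

Since this script runs in the user context, anything it contains is readable by the user; the webhook URL and password therefore bound nothing by themselves, and the runbook's allowlist of script IDs is what limits what a user (or malware running as the user) can make Intune do.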
