Proactive Remediations

3 incredible Intune proactive remediation scripts

I was thrilled when I heard that Microsoft worked on proactive remediation (Windows Analytics) feature in Endpoint manager. Our customers with workplaces that are fully managed by the Cloud have been waiting for this feature. Many workplace engineers are familiar with this feature because they used it before via System Center Configuration Manager. If remediation scripts are new for you, I describe this capability as the feature where workplace engineers create detection scripts to validate if a particular setting is configured according to the organization’s requirement. Followed by a remediation script that repairs the setting(s) automatically if it deviates.

My goal is to inspire you to explore the proactive remediation capability with some examples that I created to give you a quick start. Our customers especially appreciate the one where double Edge- and Teams-shortcuts are removed automatically from the desktop.

Remove double Edge and Microsoft Teams shortcuts from the desktop

To avoid data leakage, I always configure the OneDrive for Business client to sync and enable the feature Known Folder Move (KFM). The result is that the desktop folder redirects to OneDrive automatically. A very user-friendly feature to avoid data loss. However, there is a big downside to it: it also redirects shortcuts like Edge and Teams. In the pilot phase of a modern workplace project, each workplace engineer pretty much asked me how to avoid the double shortcuts. I have created a detection script that you can download below. It finds the double shortcuts on a desktop and removes them automatically.

Double screenshots
Screenshot – Double icons

Turn off Flash and Java for Adobe reader DC

Adobe Reader Java
Screenshot disable Java and flash

Applications like Adobe Reader DC are often installed as a required application, or the users can install applications themselves. It can be risky if the default settings of the applications are not secure. Via Endpoint Analytics, you can detect if an application is installed and enforce a secure configuration. By default, Adobe Reader DC enables the feature of Java and Flash. You can download the scripts below to detect if Adobe Reader is installed and how it is configured. If Java or Flash is not disabled, the remediation script disables them immediately.

Hardening the workplace via MDATP – Device security recommendations (Application Guard)

Microsoft Defender Advanced Threat Protection (MDATP) reports security recommendations. For the majority of the recommendations, MDM settings are available to configure it securely. However, you must be careful to adopt the recommendations. If you enable the application guard via an Intune Endpoint, it will result in an unexpected scheduled reboot (10 minutes).

You can avoid this by using Intune proactive remediation scripts package. The detection script checks if the feature is enabled. If not the remediation script enables the feature via the PowerShell command “Enable-WindowsOptionalFeature” and suppresses the restart via the -norestart switch.

Microsoft Defender security recommendations Mitigation
MDATP security recommendations

Tutorial proactive remediation

Microsoft published a tutorial on where you can read more details about the prerequisites for proactive remediation, how to create the script packages, and monitor the results.

What are you going to do with the Endpoint Analytics proactive remediation scripts?

The three examples above are a starting point to explore the capabilities of Intune Windows analytics proactive remediation yourself. There are many more scenarios where this capability can solve technical issues automatically. I want to challenge you to share your thoughts and scenarios with us to increase the community’s examples. See the Github Repos


  1. Hi Tristan, These scripts look awesome. I’ve implemented the shortcut removal however I get the following when executing the shortcut detect script manually on a device. Detect_shortcutsDesktop.ps1 : Method invocation failed because [System.IO.FileInfo] does not contain a method named
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Detect_shortcutsDesktop.ps1

    I also get a with issues alert in the proactive remediation console. Can you advise? Thanks Paul

        1. Hi Paul, I found the bug in the script. I’ve updated both the detection and remediation scripts. You can download them via my github repos

          1. Hi Tristan, just spotted this reply. Sorry for delay in getting back to you. I’ll check this out thanks ever so much. Cheers Paul

          2. Hi Tristan, the scripts have executed and remediated. It does look like it is removing all Teams links however and not retaining the original. Cheers Paul

Leave a Reply

Your email address will not be published. Required fields are marked *