Proactive Remediation with Endpoint Analytics

In this series on Endpoint Analytics we explore the different reports and possibilities that Endpoint Analytics currently offers. In Part 1 we discussed the advantages of XLA over SLA, how to enable Endpoint Analytics, and how to onboard Intune clients using a data collection policy. In Part 2 we took a closer look at Startup Performance, the first of three areas that Endpoint Analytics provides insight into. In this post (Part 3) we will demonstrate how Proactive Remediation can be used to check and remediate settings, whether the need comes from a security vulnerability, an audit or another concern. For those familiar with Configuration Manager, Proactive Remediation is a similar concept to Configuration Baselines.

Prerequisites

Unlike the other reports in Endpoint Analytics, Proactive Remediation requires that you confirm that one of the following licenses is present in your tenant. The Intune Service Administrator role is required to confirm the license requirement.

  • Windows 10 Enterprise E3 / E5
  • Windows 10 Education A3 / A5
  • Microsoft 365 F3 / E3 / E5 / A3 / A5
  • Windows Virtual Desktop Access E3 / E5

Once the license confirmation is completed, allow 1-2 minutes for the setup to complete.

Default Packages

There should be two Microsoft packages that are available to deploy. The first makes sure that the Click To Run (C2R) service used in Microsoft 365 Apps for Enterprise/Business is set to Automatic, and will try to start it if stopped. The second attempts to update Group Policy if the last Group Policy refresh was more than 7 days ago. Deploy these packages if you like; we will make our own custom package in the next section.

Detection Script

As an example we will use Proactive Remediation to check if Windows 10 Fast Startup is enabled on our clients and disable it if needed. Fast Startup is something that many organizations tend to disable as the computer does not do a complete shutdown when enabled.

Our first task is to construct a PowerShell script that will detect if the desired setting is correctly configured or not. Adjust the script below to match your needs, but make sure that Exit 0 is used on success and Exit 1 is used on failures.

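# Registry value that controls Windows 10 Fast Startup (0 = disabled)
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Name = "HiberbootEnabled"
$Value = "0"

Try {
    # -ErrorAction Stop sends a missing key or value to the Catch block
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value) {
        Write-Output "Compliant"
        Exit 0
    } else {
        Write-Warning "Not Compliant"
        Exit 1
    }
}
Catch {
    # The value could not be read, so report the device as not compliant
    Write-Warning "Not Compliant"
    Exit 1
}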

Remediation Script

Our next task is to create a script that will remediate the setting if needed.

# Same registry value as in the detection script (0 = Fast Startup disabled)
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Name = "HiberbootEnabled"
$Type = "DWORD"
$Value = "0"

If (!(Test-Path $Path)) {
    # Key is missing: create it, then create the value
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
} else {
    # Key exists: set the value to the desired state
    Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value
}
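
Before uploading, the two scripts can be dry-run locally to confirm the exit codes behave as described above. The harness below is an added example, not part of the original post or of any Microsoft tooling; the file names Detect-FastStartup.ps1 and Remediate-FastStartup.ps1 are assumptions for wherever you saved the scripts, and it must be run from an elevated prompt because the remediation writes to HKLM.

```powershell
#Requires -RunAsAdministrator
# Added example: local dry run of a detection/remediation pair before upload.
param(
    [string]$DetectionScript   = ".\Detect-FastStartup.ps1",     # assumed file name
    [string]$RemediationScript = ".\Remediate-FastStartup.ps1"   # assumed file name
)

function Invoke-ScriptFile {
    param([Parameter(Mandatory)][string]$Path)
    # Run in a child process so the script's Exit statement sets an exit code
    # without terminating this harness.
    $output = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Path
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

foreach ($file in $DetectionScript, $RemediationScript) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Script not found: $file"
    }
}

# Step 1: detection. Exit 0 means compliant, Exit 1 means not compliant.
$before = Invoke-ScriptFile -Path $DetectionScript
Write-Host "Detection (before): exit $($before.ExitCode) - $($before.Output)"
if ($before.ExitCode -eq 0) {
    Write-Host "Already compliant; nothing to remediate."
    exit 0
}

# Step 2: remediation, only reached when detection reported a failure.
$fix = Invoke-ScriptFile -Path $RemediationScript
Write-Host "Remediation: exit $($fix.ExitCode) - $($fix.Output)"

# Step 3: detection again, to prove the remediation produced the state
# that the detection script actually checks for.
$after = Invoke-ScriptFile -Path $DetectionScript
Write-Host "Detection (after): exit $($after.ExitCode) - $($after.Output)"
if ($after.ExitCode -ne 0) {
    Write-Warning "Still not compliant after remediation; fix the scripts before uploading."
    exit 1
}
Write-Host "Remediated and verified."
exit 0
```

A pair that ends in "Still not compliant" usually means the two scripts disagree on the path, name or value, which is cheaper to find here than in the portal report.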

Creating a Script Package

Now that our scripts have been created we can put it all together in a Script Package. Select Create Script Package on the Proactive Remediation page. On the Basics page provide a name, then upload the Detection Script and Remediation Script on the Settings page.

On the Assignments page, assign the package to All Devices or a group consisting of devices, then set a schedule for the Script Package. Notice that the scripts can run once or at intervals.

Once the Script Package has been run on our devices, we can see if clients were compliant or not, and if Proactive Remediation was able to remediate the issue successfully. If Windows 10 Fast Boot was enabled again by the user, Proactive Remediation would attempt to disable it if the Script Package was set to run at an interval.

In the next post we will have a look at Recommended Software, which covers Microsoft’s recommendations for improving user experience.
