SpyglassMTG Blog


Intune Remediation and Remediation On-Demand Scripts

Microsoft Intune provides a robust framework for managing and securing devices in an enterprise environment. One of its most powerful features is the ability to deploy remediation scripts, either on a schedule or on demand, to maintain compliance, fix issues, and enforce configurations dynamically.

Understanding Remediation Scripts 

Remediation scripts in Intune are part of the Scripts and remediations feature under Devices in the Intune admin center. They allow IT admins to detect issues on Windows devices and remediate them automatically.

How Remediation Scripts Work 
  1. Detection Script – This script checks for compliance by determining whether an issue exists on the device. 
  2. Remediation Script – If the detection script reports a problem, this script runs the corrective actions. 
  3. Reporting – The results are logged in Intune, allowing admins to track script performance. 

Example Use Case: Mitigating CVE-2013-3900, the Windows Authenticode Signature Bypass

CVE-2013-3900 has been around for a long time, and its mitigation is not enforced through Windows Update because enforcement can break legacy applications; it therefore has to be implemented manually by IT. What better way to do this than through an Intune remediation? 

Detection Script: 

[Screenshot: detection script]
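The detection script in the screenshot above is not reproduced here, so the following is an added example (mine, not the blog author's) of what an Intune detection script for this CVE looks like. It checks for Microsoft's documented mitigation for CVE-2013-3900, the `EnableCertPaddingCheck` string value set to `1` under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` (and, on 64-bit Windows, under the `Wow6432Node` view as well), and uses the Intune exit-code convention: exit 0 means compliant and the remediation script is skipped, exit 1 means non-compliant and the remediation script runs. Whatever the script writes to standard output appears as the detection output in the remediation report.

```powershell
# Added example (not the script in the blog's screenshot): Intune detection script
# for the CVE-2013-3900 Authenticode padding mitigation.
#
# Intune convention: exit 0 = compliant (remediation not run),
#                    exit 1 = non-compliant (remediation runs).
# Text written to stdout is shown as "detection output" in the Intune report.
#
# Microsoft's documented mitigation is the REG_SZ value EnableCertPaddingCheck = "1"
# under the WinTrust\Config key. On 64-bit Windows the Wow6432Node copy is checked too,
# so that 32-bit processes also get strict signature checking.
# Enable "Run script in 64-bit PowerShell" in the remediation settings; otherwise a
# 32-bit PowerShell host is redirected to Wow6432Node and never sees the 64-bit key.

$valueName = 'EnableCertPaddingCheck'
$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

$nonCompliant = @()
foreach ($path in $paths) {
    $current = $null
    if (Test-Path -Path $path) {
        $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }
    # The advisory specifies the string "1"; anything else (missing, "0", wrong type)
    # is treated as "not mitigated".
    if ("$current" -ne '1') {
        $nonCompliant += "$path ($valueName = '$current')"
    }
}

if ($nonCompliant.Count -eq 0) {
    Write-Output "Compliant: $valueName is '1' under $($paths.Count) key(s)."
    exit 0
}

Write-Output "Non-compliant: $($nonCompliant -join '; ')"
exit 1
```

Keeping the output line short and specific pays off later: the detection output is what you see per device in the remediation report, so naming the key that was wrong saves a trip to the device when something does not remediate.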

Remediation Script: 

[Screenshot: remediation script]
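As with the detection script, the remediation script in the screenshot is not reproduced here; this is an added example of mine, not the author's script. It writes the same registry value the detection script checks for, then reads it back so the exit code reflects the real registry state rather than just whether the write command ran. Intune treats exit 0 as a successful remediation and re-runs the detection script afterwards to confirm.

```powershell
# Added example (not the script in the blog's screenshot): Intune remediation script
# for CVE-2013-3900. Writes Microsoft's documented mitigation value and verifies it.
#
# Intune convention: exit 0 = remediation succeeded, non-zero = failed.
# Run with "Run script in 64-bit PowerShell" enabled, like the detection script.

$valueName = 'EnableCertPaddingCheck'
$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

$failed = @()
foreach ($path in $paths) {
    try {
        # The Config key does not exist by default on most machines; create it.
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force -ErrorAction Stop | Out-Null
        }
        # REG_SZ "1" is what the advisory specifies; -Force overwrites a wrong existing value.
        New-ItemProperty -Path $path -Name $valueName -Value '1' -PropertyType String `
            -Force -ErrorAction Stop | Out-Null

        # Read back rather than trusting the write.
        $check = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction Stop).$valueName
        if ("$check" -ne '1') { throw "value read back as '$check'" }
    }
    catch {
        $failed += "$path : $($_.Exception.Message)"
    }
}

if ($failed.Count -eq 0) {
    Write-Output "Remediated: $valueName set to '1' under $($paths.Count) key(s)."
    exit 0
}

Write-Output "Remediation failed: $($failed -join '; ')"
exit 1
```

Because the mitigation can break applications that rely on the padded signatures the check rejects, pilot this remediation on a small device group first and watch the detection output and application telemetry before assigning it broadly.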

Running On-Demand Scripts in Intune:

Intune also allows administrators to run remediation scripts on demand via the "Run remediation" action on a device's page in the Intune admin center. This is useful for ad-hoc management tasks that do not justify a scheduled remediation. 

Deploying an On-Demand Remediation Script: 

1. Navigate to Intune Admin Center → Devices → Scripts and remediations. 

2. Click Create under the Remediations tab.

[Screenshot: Create button on the Remediations tab]

3. Upload the Detection script file. 

[Screenshot: uploading the detection script]

4. Upload the Remediation script file.

[Screenshot: uploading the remediation script]

5. Make changes to script settings as needed. 

[Screenshot: script settings]

6. Assign it to a target device or group and click Create. 

Once created, open the remediation profile after it has been running for a while to view the results. 

[Screenshot: remediation results]

Now that the remediation profile has been created, we can use the same profile to deploy on-demand remediations to devices. While CVE-2013-3900 is not something you would really use an on-demand remediation for, you can if you want to. I simply used it as an example for both regular remediation and remediation on-demand. If a remediation profile is present, you can run whatever it contains on demand just as we did here.

Use Cases

As mentioned, using an on-demand remediation for this CVE fix is not especially useful, since we can just deploy the regular remediation and be done with it. The more useful scenarios for on-demand remediation scripts are the quick fixes for end users that we regularly run into. Some examples would be: 

  • Clear Teams Cache
  • Clear OneDrive Cache
  • Reset OneDrive 
  • Recreate an Outlook profile 
  • Reset Windows Update 
  • Clear the Windows Update Software Distribution folder
  • Flush the DNS cache
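One of the list items above, clearing the Windows Update SoftwareDistribution download folder, written as a detection and remediation pair suitable for on-demand use. This is an added example of mine, not a script from the blog. The two scripts are shown in one block separated by comments; upload them as two separate files when creating the remediation profile, then use "Run remediation" on the device. On demand, Intune still runs the detection script first and only runs the remediation script if detection exits 1, so the detection script reports what is in the cache and exits 1 whenever there is something to clear. The folder path and the `wuauserv` and `bits` service names are standard Windows locations and services.

```powershell
# ---- Detect-SoftwareDistribution.ps1 (upload as the detection script) ----
# Added example, not from the blog. Reports what is in the Windows Update download
# cache and exits 1 when there is anything to clear, so the on-demand run proceeds
# to the remediation script. Exit 0 = nothing to do.

$downloadDir = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
$files = @(Get-ChildItem -Path $downloadDir -Recurse -File -Force -ErrorAction SilentlyContinue)

if ($files.Count -eq 0) {
    Write-Output "Download cache is empty: $downloadDir"
    exit 0
}

$sizeMB = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
Write-Output "$($files.Count) file(s), $sizeMB MB in $downloadDir"
exit 1


# ---- Remediate-SoftwareDistribution.ps1 (upload as the remediation script) ----
# Added example, not from the blog. Stops the Windows Update and BITS services,
# clears the download cache, and restarts the services. Exits 0 only if the cache is
# empty afterwards and both services are running again.

$downloadDir = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
$services = @('wuauserv', 'bits')

try {
    # The files are locked while the services are running.
    foreach ($svc in $services) {
        Stop-Service -Name $svc -Force -ErrorAction Stop
    }
    Get-ChildItem -Path $downloadDir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction Stop
}
catch {
    # Record the error; the verification below decides the exit code.
    Write-Output "Error during cleanup: $($_.Exception.Message)"
}
finally {
    # Always bring the services back, even if the cleanup threw.
    foreach ($svc in $services) {
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }
}

$remaining = @(Get-ChildItem -Path $downloadDir -Recurse -File -Force -ErrorAction SilentlyContinue).Count
$down = @($services | Where-Object { (Get-Service -Name $_).Status -ne 'Running' })

if ($remaining -eq 0 -and $down.Count -eq 0) {
    Write-Output "Download cache cleared; $($services -join ', ') running."
    exit 0
}

Write-Output "Remediation incomplete: $remaining file(s) left; services not running: $($down -join ', ')"
exit 1
```

The same shape (a detection script that reports state and exits 1 when work is needed, a remediation script that verifies its own result before exiting 0) carries over to the other items in the list. Note that some of them, such as clearing the Teams cache or recreating an Outlook profile, touch per-user data, so those profiles need the "Run this script using the logged-on credentials" setting rather than the default system context.
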

Conclusion

Intune's remediation scripts and on-demand remediation scripting capabilities provide IT admins with a powerful way to enforce policies, troubleshoot issues, and maintain compliance. By leveraging these features effectively, organizations can automate IT tasks and enhance security posture across managed devices.