Every IT team knows the scenario: a user calls the helpdesk because their VPN won’t connect, Office won’t open, or Windows Update is stuck — and the root cause turns out to be something that could have been detected and fixed automatically hours ago. Intune Remediations (formerly called Proactive Remediations) is Microsoft’s answer to this problem. It lets you deploy paired PowerShell scripts that silently detect and fix configuration issues across your entire device fleet — before users even notice something is wrong.
| Detail | Value |
|---|---|
| Last Updated | March 2026 |
| Applies To | Windows 10 (20H2+), Windows 11, Microsoft Intune |
| Licence Required | Windows E3/E5, M365 F3, E3, or E5 |
| Location in Intune | Devices > Manage devices > Scripts and remediations |
| Difficulty | Beginner to Intermediate |
What Are Intune Remediations?
A Remediation is a script package consisting of two PowerShell scripts deployed together:
- Detection script — runs on the device and checks whether an issue exists. It exits with exit 0 (no issue found) or exit 1 (issue detected).
- Remediation script — runs automatically only when the detection script exits with exit 1. It applies the fix.
Both scripts are executed by the Intune Management Extension (IME) agent on the device, running in the SYSTEM context by default (or user context if configured). The results — whether an issue was detected, whether remediation succeeded, and any script output — are reported back to the Intune portal for monitoring.
You can also deploy a detection-only script package (no remediation script) to use Remediations purely as an auditing and reporting tool — useful for fleet-wide compliance checks where you want visibility before taking automated action.
Licensing Requirements
Remediations require one of the following licences assigned to the user of the device (not the device itself):
- Windows Enterprise E3 or E5
- Windows Education A3 or A5
- Microsoft 365 F3, E3, or E5
- Microsoft 365 A3 or A5
Note: an Intune Service Administrator must confirm licensing requirements the first time Remediations is used in a tenant. You’ll see a confirmation prompt in the portal on first access.
Prerequisites
- Devices must be Microsoft Entra joined or Entra hybrid joined
- Devices must be MDM-enrolled in Intune and running Windows Enterprise, Professional, or Education edition
- Co-managed devices (SCCM + Intune) are also supported
- Scripts must be encoded in UTF-8 (not UTF-8 BOM)
- Maximum script output: 2,048 characters
- Maximum script packages per tenant: 200
Built-in Script Packages
Intune ships with several ready-to-use script packages that cover the most common helpdesk scenarios. You just need to assign them — no scripting required. Navigate to Devices > Manage devices > Scripts and remediations and look for the built-in packages:
| Package Name | What It Fixes |
|---|---|
| Update stale Group Policies | Stale GPOs causing connectivity and resource access issues |
| Restart Office Click-to-run service | Office apps failing to start because the C2R service is stopped |
| Update stale Group Policies (co-management) | Same as above, optimised for co-managed devices |
These are a great starting point and immediately demonstrate value — assign them to all devices and let the reporting show you how often these issues were silently occurring across your fleet.
Creating a Custom Remediation
The real power of Remediations is in custom script packages tailored to your environment. Here is the complete workflow.

Step 1: Write the Detection Script
The detection script must exit with exit 0 (compliant — no remediation needed) or exit 1 (non-compliant — trigger remediation). Here is a practical example that checks whether a specific registry value exists and holds the expected data:
```powershell
# Detection script: Check if a required registry value is set correctly
$regPath = "HKLM:\SOFTWARE\Policies\MyCompany\Settings"
$regName = "RequiredSetting"
$expectedValue = 1
try {
    # -ErrorAction Stop makes a missing key/value a terminating error, so it lands in catch
    $currentValue = Get-ItemPropertyValue -Path $regPath -Name $regName -ErrorAction Stop
    if ($currentValue -eq $expectedValue) {
        Write-Host "Compliant: $regName = $currentValue"
        exit 0 # No issue — remediation script will NOT run
    } else {
        Write-Host "Non-compliant: $regName = $currentValue (expected $expectedValue)"
        exit 1 # Issue detected — remediation script WILL run
    }
} catch {
    Write-Host "Non-compliant: Registry key not found"
    exit 1 # Key missing — trigger remediation
}
```
Step 2: Write the Remediation Script
The remediation script runs only when the detection script exits with exit 1. It should apply the fix and exit with exit 0 on success or exit 1 on failure (which will be visible in the reporting).
```powershell
# Remediation script: Create/correct the required registry value
$regPath = "HKLM:\SOFTWARE\Policies\MyCompany\Settings"
$regName = "RequiredSetting"
$expectedValue = 1
try {
    # Create the registry path if it does not exist.
    # -ErrorAction Stop is required: registry cmdlet failures are non-terminating by
    # default and would otherwise skip the catch block and report a false "success".
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force -ErrorAction Stop | Out-Null
    }
    # Set the registry value as a DWORD
    Set-ItemProperty -Path $regPath -Name $regName -Value $expectedValue -Type DWord -ErrorAction Stop
    Write-Host "Remediation successful: $regName set to $expectedValue"
    exit 0
} catch {
    Write-Host "Remediation failed: $_"
    exit 1
}
```
Step 3: Deploy in Intune
- Go to Devices > Manage devices > Scripts and remediations
- Click + Create
- Fill in Name and Description
- Upload your detection script and remediation script
- Configure the run schedule — options are: Once, Hourly, or a specific daily/weekly interval
- Set Run this script using the logged-on credentials if the script needs user context (e.g. accessing HKCU registry hive or user profile paths); leave it off for SYSTEM context
- Assign to a device or user group
Start with a pilot group of 10–20 devices before rolling out broadly. Check the reporting after the first run cycle before expanding assignment.
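The portal steps above can also be scripted, which is useful when you manage many packages or want them in source control. The following is an added example, not code from the article or from Microsoft: it uploads the two scripts from Step 1 and Step 2 as a package and assigns it to a pilot group with an hourly schedule, using the Microsoft.Graph.Authentication module and the beta deviceHealthScripts endpoint. The property and schedule type names follow the Graph beta reference for deviceHealthScript and should be checked against the current documentation; the script paths, package name and group id are placeholders. It also strips a UTF-8 BOM before upload, which is the encoding requirement from the prerequisites.

```powershell
# Added example: create a Remediation package and assign it via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Authentication
# Assumptions: beta endpoint deviceManagement/deviceHealthScripts and the property
# names below (verify against the Graph reference); paths and group id are placeholders.

param(
    [string]$DetectionPath   = ".\Detect-RequiredSetting.ps1",
    [string]$RemediationPath = ".\Remediate-RequiredSetting.ps1",
    [string]$DisplayName     = "Required registry setting",
    [string]$GroupId         = "00000000-0000-0000-0000-000000000000"   # placeholder pilot group
)

function Get-ScriptContentBase64 {
    param([string]$Path)
    # Read raw bytes and strip a UTF-8 BOM (EF BB BF) if the editor added one;
    # Intune expects UTF-8 without BOM.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        Write-Warning "$Path had a UTF-8 BOM; stripping it before upload"
        $bytes = [byte[]]$bytes[3..($bytes.Length - 1)]
    }
    return [Convert]::ToBase64String($bytes)
}

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$package = @{
    displayName              = $DisplayName
    description              = "Ensures HKLM\SOFTWARE\Policies\MyCompany\Settings\RequiredSetting = 1"
    publisher                = "IT Operations"
    runAsAccount             = "system"      # "user" = Run using logged-on credentials
    enforceSignatureCheck    = $false
    runAs32Bit               = $false
    detectionScriptContent   = Get-ScriptContentBase64 $DetectionPath
    remediationScriptContent = Get-ScriptContentBase64 $RemediationPath
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts" `
    -Body ($package | ConvertTo-Json -Depth 5) -ContentType "application/json"
Write-Host "Created package $($created.id)"

# Assign to the pilot group on an hourly schedule (interval = every N hours).
$assignment = @{
    deviceHealthScriptAssignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
            runRemediationScript = $true      # $false turns the package into detection-only reporting
            runSchedule = @{
                "@odata.type" = "#microsoft.graph.deviceHealthScriptHourlySchedule"
                interval      = 1
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Assigned package $($created.id) to group $GroupId (hourly)"
```

Run it from an account that holds the Intune Service Administrator (or equivalent) role; the Graph call uses delegated permissions, so the licensing confirmation mentioned earlier must already have been accepted in the portal. Setting runRemediationScript to $false is the API equivalent of a detection-only package.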
Practical Use Cases
Here are real-world scenarios where Remediations deliver immediate value in enterprise environments:
| Scenario | Detection checks… | Remediation does… |
|---|---|---|
| Windows Time service broken | w32tm /query /status returns error | Restart W32Time service, re-sync time |
| OneDrive not running | OneDrive.exe not in running processes | Start OneDrive process for logged-on user |
| Stale DNS cache | DNS resolution fails for internal hosts | Run ipconfig /flushdns |
| Missing required software | Check if app is installed via registry or Get-Package | Silent install from local cache or UNC path |
| Certificate expired in local store | Check cert expiry in Cert:\LocalMachine\My | Remove expired cert, trigger re-enrollment |
| Incorrect proxy settings | Check WinHTTP proxy configuration | Reset proxy via netsh winhttp reset proxy |
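To show one of the table rows as a complete detection script, here is an added example (not from the article) for the "Certificate expired in local store" scenario. It goes slightly beyond the table: besides already-expired certificates it also flags ones that expire within a look-ahead window, so the report gives you time to fix enrollment before users are affected. The issuer filter and the 14-day window are assumptions; the matching remediation (removing the certificate and re-enrolling) depends on your PKI and is left out.

```powershell
# Detection script: flag expired or soon-to-expire certificates in the machine store.
# Added example, not from the original article. $issuerFilter and $lookAheadDays are
# assumptions; set $issuerFilter to $null to check every certificate in the store.

$lookAheadDays = 14
$issuerFilter  = "CN=Contoso Issuing CA"   # placeholder issuer name
$now = Get-Date
try {
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\My" -ErrorAction Stop |
        Where-Object { -not $issuerFilter -or $_.Issuer -like "*$issuerFilter*" })

    # Anything whose NotAfter is in the past, or within the look-ahead window, needs attention
    $expiring = @($certs | Where-Object { $_.NotAfter -lt $now.AddDays($lookAheadDays) })

    if ($expiring.Count -eq 0) {
        Write-Host "Compliant: $($certs.Count) certificate(s) checked, none expire within $lookAheadDays days"
        exit 0
    }

    # Keep output short: the portal stores at most 2,048 characters per run,
    # so report a bounded number of entries with just the fields needed to act.
    $lines = $expiring | Select-Object -First 10 | ForEach-Object {
        $state = if ($_.NotAfter -lt $now) { "EXPIRED" } else { "expires" }
        "$($_.Thumbprint) $state $($_.NotAfter.ToString('yyyy-MM-dd')) subject=$($_.Subject)"
    }
    Write-Host ("Non-compliant: {0} certificate(s) expired or expiring`n{1}" -f $expiring.Count, ($lines -join "`n"))
    exit 1   # triggers remediation, or just shows as "with issues" in a detection-only package
} catch {
    Write-Host "Error enumerating certificate store: $_"
    exit 1
}
```

Deploy this with no remediation script first so you can see the exported thumbprints and subjects per device; once the numbers look right, pair it with a remediation that re-enrolls from your CA.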
Monitoring and Reporting
After deploying a script package, the reporting view in Intune shows per-device status across four states:
- Without issues — detection script ran, exit 0, no remediation needed
- With issues, remediated — detection found an issue (exit 1), remediation ran successfully (exit 0)
- With issues, not remediated — detection found an issue, remediation script failed (exit 1)
- Errors — script failed to run at all (syntax error, timeout, permission issue)
The Device status tab lets you drill down per device and see the raw script output — invaluable for debugging failed remediations. You can also export results to CSV for further analysis.

From the February 2026 Intune update, Remediations is also surfaced directly in the new single-device view under Tools + reports, making it easier to trigger a remediation remotely on a specific device without navigating to the script package separately.
Run Remediation as a Remote Action
Beyond scheduled runs, you can trigger a remediation on-demand on a specific device — useful for helpdesk scenarios where you want to apply a fix immediately without waiting for the next scheduled cycle.
- Go to Devices > All Devices and open the target device
- Under Tools + reports, find Remediations
- Select the script package and click Run remediation
This is particularly useful when a user is on the phone with the helpdesk — you can trigger the fix remotely in real time without any user interaction on their end.
Tips, Limits, and Common Gotchas
- Script output is capped at 2,048 characters — if your detection script writes a lot of diagnostic output, truncate it or be selective about what you write to stdout
- UTF-8 BOM will break scripts — always save scripts as UTF-8 without BOM. In VS Code, check the encoding in the bottom-right status bar
- Remediation only runs on exit 1 — if your detection script has an unhandled exception and exits with a non-zero code unexpectedly, the remediation will fire. Always use try/catch
- SYSTEM vs User context matters — scripts running as SYSTEM cannot access HKCU or user profile paths. Enable “Run using logged-on credentials” for those scenarios
- Scheduling granularity — the minimum interval is hourly. For near-real-time detection, use the remote action instead
- 200 package limit per tenant — plan your package library and consider combining related checks into a single package where it makes sense
- Co-managed devices — Remediations work on co-managed devices but the Intune workload must be active. Check your co-management workload settings if scripts are not running
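The output cap, the unhandled-exception trap and the SYSTEM-versus-user gotcha above can all be handled in one script skeleton. The following is an added example, not from the article: a detection script that buffers its output and truncates it to 2,048 characters, turns every error into a controlled exit 1 with a readable message, and refuses to report "compliant" when it finds itself running as SYSTEM even though it needs the logged-on user's HKCU hive. The HKCU path and value it checks are placeholders.

```powershell
# Hardened detection-script skeleton covering the gotchas above.
# Added example, not from the original article; $regPath and $regName are placeholders.

$ErrorActionPreference = "Stop"     # turn non-terminating errors into exceptions we can catch
$maxOutput = 2048                   # portal limit on captured script output
$output = New-Object System.Text.StringBuilder

function Write-Line([string]$Text) { [void]$output.AppendLine($Text) }

function Complete-Detection([int]$ExitCode) {
    # Emit the buffered output once, truncated to the portal limit, then exit explicitly
    $text = $output.ToString()
    if ($text.Length -gt $maxOutput) { $text = $text.Substring(0, $maxOutput - 3) + "..." }
    Write-Host $text
    exit $ExitCode
}

try {
    # A package deployed in SYSTEM context cannot see the logged-on user's HKCU hive.
    # Exit 1 with a clear message so the misconfiguration shows up in reporting
    # instead of being hidden behind a false "compliant".
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($identity.IsSystem) {
        Write-Line "Running as SYSTEM; this check needs 'Run using logged-on credentials'"
        Complete-Detection 1
    }
    Write-Line "Running as $($identity.Name)"

    $regPath = "HKCU:\SOFTWARE\MyCompany\UserSettings"   # placeholder path
    $regName = "TelemetryOptIn"                         # placeholder value name
    $value = $null
    if (Test-Path $regPath) {
        # SilentlyContinue here: a missing value is a normal non-compliant case, not an error
        $value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    }
    if ($value -eq 1) {
        Write-Line "Compliant: $regName = $value"
        Complete-Detection 0
    }
    Write-Line "Non-compliant: $regName = '$value' (expected 1)"
    Complete-Detection 1
} catch {
    # Any unexpected error still produces a controlled exit 1 with a readable message
    Write-Line "Detection error: $($_.Exception.Message)"
    Complete-Detection 1
}
```

Because every path ends in Complete-Detection, the script never falls off the end with an implicit exit code, and the message you see in the Device status tab tells you whether the result came from the actual check, a context mistake, or an exception.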
Detection-Only: Fleet Audit Example
You do not always need a remediation script. Use detection-only packages to audit the state of your fleet and export the results. Here is a practical example that checks whether BitLocker is enabled on the OS drive:
```powershell
# Detection-only: Check BitLocker status on OS drive
try {
    $blStatus = Get-BitLockerVolume -MountPoint "C:" -ErrorAction Stop
    if ($blStatus.ProtectionStatus -eq "On") {
        Write-Host "Compliant: BitLocker Protection Status = On"
        exit 0
    } else {
        Write-Host "Non-compliant: BitLocker Protection Status = $($blStatus.ProtectionStatus)"
        exit 1
    }
} catch {
    # Cmdlet missing (e.g. no BitLocker feature) or query failed: report as non-compliant
    Write-Host "Error checking BitLocker: $_"
    exit 1
}
```
Summary
Intune Remediations is one of those features that quietly transforms how you manage endpoints. Instead of reacting to helpdesk tickets, you are detecting and fixing issues before users even notice them. The investment in writing good detection and remediation scripts pays off quickly — especially in large fleets where the same issues repeat across hundreds of devices.
- Each package has a detection script (exit 0 / exit 1) and an optional remediation script
- Start with the built-in packages, then build custom ones for your environment’s specific pain points
- Use detection-only packages for fleet auditing before automating fixes
- Monitor per-device results in the Intune portal and export to CSV for deeper analysis
- Use the Run Remediation remote action for on-demand helpdesk scenarios
