Intune Remediations Scripts Alerts
Author: Ofir Gavish
Do you have important Intune remediation scripts running daily or weekly? What if you could automatically get a detailed report on devices that failed to run or have a "With Issues" status, without having to open the Intune Management portal and check the remediations manually?
This is what brought me to build a solution that will do just that, and even more.
Prerequisites:
- Azure Automation Account with a System Assigned Managed-Identity enabled
- An account with at least Cloud Application Admin permissions so you can assign required permissions to the Managed-Identity
- PowerShell MgGraph modules installed — specific modules required:
- Microsoft.Graph
- Microsoft.Graph.Applications
To assign permissions to the managed identity of our Automation Account we can run the PowerShell script below, but first a few points to emphasize about executing the script:
- Fill in your tenant ID and the name of the Enterprise Application that was created when you enabled the System Assigned Managed Identity. You can find it by taking the Object (principal) ID shown under the Identity section of the Automation Account and searching for it in Entra ID; in most cases it has the same name as the Automation Account.
- The Microsoft Graph App ID ($graphAppId in the script) is the same in every tenant; keep it as it is.
- The script assigns the required Microsoft Graph permissions to our Automation Account's managed identity (see the Microsoft Graph permissions documentation).

# Fill in your tenant ID and the display name of the managed identity's Enterprise Application
$tenantID = "123456-1234-5678-1234-12345678"
# Microsoft Graph application ID; identical in every tenant, do not change it
$graphAppId = "00000003-0000-0000-c000-000000000000"
# Application permissions (app roles) the Runbook needs to read devices and remediation results
$permissions = @("Device.Read.All", "DeviceManagementManagedDevices.Read.All", "DeviceManagementConfiguration.Read.All")
$managedIdentities = @("EnterpriseApplicationName")

# Sign in interactively with the delegated scopes needed to grant app roles
Connect-MgGraph -TenantId $tenantID -Scopes "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

# Service principal of Microsoft Graph in this tenant (the resource that exposes the app roles)
$sp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

$managedIdentities | ForEach-Object {
    # Service principal of the managed identity (the principal that receives the roles)
    $msi = Get-MgServicePrincipal -Filter "displayName eq '$_'"
    # Keep only application-type app roles whose value is in $permissions
    $appRoles = $sp.AppRoles | Where-Object { ($_.Value -in $permissions) -and ($_.AllowedMemberTypes -contains "Application") }
    $appRoles | ForEach-Object {
        $appRoleAssignment = @{
            "PrincipalId" = $msi.Id
            "ResourceId"  = $sp.Id
            "AppRoleId"   = $_.Id
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appRoleAssignment.PrincipalId -BodyParameter $appRoleAssignment -Verbose
    }
}

Disconnect-MgGraph
Now that we have the permissions assigned we can go ahead and get the details we need for our Runbook.
There are two ways to get the remediation script ID from Intune. One is Graph Explorer; the other, easier way is to open the Remediation script policy page in the Intune portal, press F12 to open the browser's Developer Tools, switch to the Network tab, refresh the page, and scroll down to the "runSummary" call. The request URL the browser calls contains the remediation ID:

Click on the runSummary call so you can see the request URL and copy the ID of your remediation script.

Remediation Script Policy ID
Now we can create a Runbook on our Automation Account, and paste the code from my script hosted on GitHub here.
To configure the Teams webhook needed, read the documentation here.
After setting up the webhook you can start working on the script from GitHub by filling in the variables section:

Variables section
Line 121 is where the notification is sent to a Teams channel; you can comment out that line if you don't want a Teams notification.
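As an added example (not the runbook hosted on GitHub), this is the core of what such a Runbook does: sign in with the System Assigned Managed Identity, read the remediation's run summary and per-device run states from the Microsoft Graph beta endpoint, and post the devices that failed or have issues to the Teams webhook. The remediation ID placeholder, the Automation variable name "TeamsWebhookUrl" and the presence of the Microsoft.Graph.Authentication 2.x module in the Automation Account are assumptions.

```powershell
# Added example, not the author's GitHub runbook. Assumed: the placeholder ID below is replaced,
# an encrypted Automation variable "TeamsWebhookUrl" exists, and Microsoft.Graph.Authentication 2.x is imported.
$remediationId = "<remediation-script-policy-id>"               # taken from the runSummary request URL
$webhookUrl    = Get-AutomationVariable -Name "TeamsWebhookUrl"  # assumed Automation variable name

Connect-MgGraph -Identity -NoWelcome   # sign in as the Automation Account's managed identity

$base = "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$remediationId"

# Overall counters for the last run (needs DeviceManagementConfiguration.Read.All)
$summary = Invoke-MgGraphRequest -Method GET -Uri "$base/runSummary"

# Per-device states; follow @odata.nextLink so large tenants are fully covered
$states = @()
$uri = "$base/deviceRunStates?`$expand=managedDevice"
while ($uri) {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
    $states += $page.value
    $uri     = $page.'@odata.nextLink'
}

# Keep devices whose detection or remediation did not succeed ("failed" / "with issues")
$problems = $states | Where-Object {
    $_.detectionState -in @('fail', 'scriptError') -or
    $_.remediationState -in @('remediationFailed', 'scriptError')
} | ForEach-Object {
    [pscustomobject]@{
        Device      = $_.managedDevice.deviceName
        Detection   = $_.detectionState
        Remediation = $_.remediationState
        LastUpdate  = $_.lastStateUpdateDateTime
    }
}

$lines = $problems | ForEach-Object { "- $($_.Device): detection=$($_.Detection), remediation=$($_.Remediation)" }
$text  = "Remediation $remediationId, last run $($summary.lastScriptRunDateTime): " +
         "$($summary.issueDetectedDeviceCount) with issues, " +
         "$($summary.detectionScriptErrorDeviceCount) detection errors, " +
         "$($summary.remediationScriptErrorDeviceCount) remediation errors`n`n" + ($lines -join "`n")

if ($problems.Count -gt 0) {
    # Minimal incoming-webhook payload; skip this block if no Teams notification is wanted
    $body = @{ text = $text } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Uri $webhookUrl -ContentType 'application/json' -Body $body
}

Disconnect-MgGraph
```

The same $problems list can be written to a CSV or sent by email instead of, or in addition to, the webhook post.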
If you wish to send the email using Exchange Online you can grant permissions for your Managed-Identity with this:
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
# App role ID of the Exchange Online application permission being granted
$AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
# Service principal of Office 365 Exchange Online, the resource that exposes this app role
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
$managedIdentityName = "EnterpriseApplicationName"
# The display name must be quoted inside the OData filter, otherwise the query is malformed
$msi = Get-MgServicePrincipal -Filter "displayName eq '$managedIdentityName'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -PrincipalId $msi.Id -AppRoleId $AppRoleID -ResourceId $ResourceID
Disconnect-MgGraph
I recommend using an SMTP service (Azure Email Communication Service) to send the email, as it requires fewer permissions.
I will update here or in another post about the configuration needed for uploading the data to a Log Analytics Workspace.
This is where this manual ends, and you can run your Runbook on a schedule so you can receive daily or weekly updates on your Intune Remediations scripts policies.