Remediations on demand are an extremely powerful tool for managing our Intune-managed devices. One of the biggest differences compared to how we managed Windows devices on premises is that back then we could always connect to them, for example using WinRM, and solve problems directly.
In the Zero Trust world there is no such possibility: many users are working from home, and then Remote Control is the way to help them. However, this is both expensive and time-consuming, for IT as well as for the end user, whose time it takes up.
Remediations on demand are a great tool for trying to solve issues without remote controlling the device. It is important to train the ServiceDesk on this, and to use Scope tags to control which scripts they can run on a device. Scope tags are not used enough in my opinion.
For a ServiceDesk user, it could look like this, for example, when they select Run remediation.
The ServiceDesk user can still see the results from all remediations, so they can troubleshoot.
Remediation script to reset Windows Update
This script is based on the information in this Microsoft Learn article: Additional resources for Windows Update – Windows Client | Microsoft Learn. Instead of doing those steps manually, we can run them as a remediation on demand, as a last resort (before a wipe) when troubleshooting Windows Update failures. It should NOT be scheduled to run as a regular remediation; use it only as an on-demand remediation when needed.
The script will:
- Stop the necessary services (BITS, Cryptsvc, Wuauserv).
- Record which services that depend on the Cryptographic Services (Cryptsvc) service were running when the script started.
- Rename/delete the C:\Windows\SoftwareDistribution folder.
- Rename/delete the C:\Windows\System32\catroot2 folder.
- Start the services again.
- Start the dependent services of Cryptographic Services (Cryptsvc) again, if they were running.
- Trigger software update installations.
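The steps above, as an added example written for this post (it is not the script from the GitHub repository). It assumes the Intune remediation context (running as SYSTEM on Windows 10/11) and is paired with a detection script that contains only "exit 1", so the remediation always runs when triggered on demand:

```powershell
# Added example: reset the Windows Update components, following the steps listed above.
# Assumed to run as SYSTEM from Intune "Run remediation"; exit 0 = success, exit 1 = failure.
$ErrorActionPreference = 'Stop'
$StopOrder  = 'wuauserv', 'bits', 'cryptsvc'
$StartOrder = 'cryptsvc', 'bits', 'wuauserv'

try {
    # Record which dependents of Cryptographic Services are running right now,
    # because Stop-Service -Force on cryptsvc takes them down as well
    $RunningDependents = Get-Service -Name 'cryptsvc' -DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name

    foreach ($Svc in $StopOrder) {
        Stop-Service -Name $Svc -Force
    }

    # Rename rather than delete: the old folders stay on disk for inspection,
    # and Windows Update rebuilds fresh copies when the services start again
    $Stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($Folder in "$env:SystemRoot\SoftwareDistribution",
                        "$env:SystemRoot\System32\catroot2") {
        if (Test-Path -Path $Folder) {
            $NewName = '{0}.old_{1}' -f (Split-Path -Path $Folder -Leaf), $Stamp
            Rename-Item -Path $Folder -NewName $NewName
        }
    }

    # Core services first, then whatever was running on top of cryptsvc before
    foreach ($Svc in $StartOrder + $RunningDependents) {
        Start-Service -Name $Svc
    }

    # Ask the Windows Update Agent for a detection cycle so pending updates are
    # picked up now instead of at the next scheduled scan (non-fatal if refused)
    try {
        (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
    }
    catch {
        Write-Output "Reset done, but update detection could not be triggered: $($_.Exception.Message)"
    }

    Write-Output "Windows Update components reset; restarted dependents: $($RunningDependents -join ', ')"
}
catch {
    # A non-zero exit code shows the remediation as failed in the Intune console
    Write-Output "Reset failed: $($_.Exception.Message)"
    exit 1
}
exit 0
```

The Write-Output text is what the ServiceDesk sees in the remediation results, so it is worth making it specific enough to troubleshoot from.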
The script can be downloaded here: https://github.com/Ccmexec/Remediation-Scripts.
It is based on the template available in the awesome remediation repository created by fellow MVP Jannik Reinhard: https://github.com/JayRHa/EndpointAnalyticsRemediationScripts
I will upload the script there as well. To add it in Intune as a remediation script, there is a detection script that will always make the remediation run.
As I wrote before, it should be used as a last resort for fixing Windows Update, instead of doing this manually.