Remediations on demand is one of the coolest thing when it comes to troubleshooting a zero-trust modern managed device. We can run them instantly on demand to clients. It triggers fast and you get the status in the Intune Portal in minutes, the output from the script can take some time though.
We also need to make sure we have RBAC in place to be able to use pro-active remediations, without scope-tags admin that are allowed to run remediations on demand can run all remediations on demand that is in the tenant and that is not the scenario we want. We want it to look like below with only the suitable remediations visible.
This script will make it possible to reinstall the Required Win32App remotely using Remediation on demand, which makes it possible for ServiceDesk/Technician to solve app issues without remote controlling the machine. A great example is to fix the remote-control software if it doesn’t work, in this sample Remote Help, fixing VPN software issues is another.
The script will do the following:
- Uninstall the application, in this sample a Windows Installer App
- Remove the necessary IME registry values for the AppID in question
- Remove the GRS entry for the app so it will try to reinstall when the IME agent is restarted.
- Start a new PowerShell process that will wait 160 seconds before restarting the IME Agent.
Both the detection and remediation script can be downloaded here: Intune-MEM/ReinstallWin32App at master · Ccmexec/Intune-MEM · GitHub
Why start a new PowerShell process?
As we need to restart the IME Agent for the installation of the application to start, the result in the Intune Portal would never change from Pending.
What also is interesting is that the Intune Management agent has a delay before reporting in the result that and remediation on demand is run. It doesn’t have a message queue either so if we stop the IME Agent immediately the result will never be sent to the Intune Portal. In the sample below the delay is 158 seconds.
That is why I started a new PowerShell process with the following command.
Start-Process -FilePath powershell -ArgumentList '-Executionpolicy bypass -command "& {Start-Sleep 160 ; Restart-Service -Name IntuneManagementExtension -Force}"'
Starting a second PowerShell process solves the problem with “Run remediation Pending” as the IME Agent will detect that the Powershell process started by the IME Agent is run successfully and then it will start sending the result back to Intune.
After creating a new child process for PowerShell we start with a sleep for 160 seconds as that is the longest delay I have seen when testing it out. Then we will get the correct output in the Intune portal.
To implement the script
Change the first two lines with AppID and MSI Productcode to match the Win32app you want to reinstall.
To get the AppID open the application in the Intune Portal and the AppID is visible in the URL.
That is it, test it out, could be that the pause before restarting the IME Agent needs to be longer, but that is the longest delay I have seen when using it and testing it out.