Intune Remediations > Detect and Fix Issues Automatically

Microsoft Intune Remediations allow you to detect and fix Windows issues automatically using PowerShell. Instead of waiting for users to report problems, Intune can check device health on a schedule and correct issues before they impact productivity.

This article walks through Intune Remediations from start to finish, including permissions, scripts, deployment, scheduling, on-demand execution, and verification. The example used is a practical one > automatically clearing C:\Temp when it grows beyond 500MB.

Beyond disk cleanup, Intune remediations are most useful when they continuously enforce a known-good state on Windows devices. The strongest use cases share three traits:

  • The issue happens repeatedly
  • The fix is predictable
  • Users should never need to get involved

Remediations are most effective when:

  • The detection logic is simple
  • The remediation action is safe to repeat
  • The fix does not require a reboot
  • The script can run as SYSTEM

They are not well-suited for:

  • Large software deployments
  • User-interactive fixes
  • One-time migrations

If configuration profiles define how a device should look, remediations ensure it stays that way.

Used correctly, they reduce tickets, stabilise endpoints, and let administrators focus on change rather than repair.


What Intune Remediations Are

Intune Remediations (previously known as proactive remediations) are script packages made up of:

  • A detection script
  • An optional remediation script

The detection script checks whether a problem exists.
The remediation script runs only if the detection script reports a failure.

The logic is simple and strict:

  • Detection exits with code 0 > device is healthy
  • Detection exits with code 1 > issue found
  • If remediation exists and detection exits 1 > remediation runs

Remediations run on a schedule you define (hourly or daily), and results are reported back to Intune. This makes them suitable for ongoing device hygiene, not one-time fixes.

[Screenshot: Intune Remediations]

Common use cases include:

  • Disk cleanup
  • Restarting stopped services
  • Registry drift correction
  • Removing unwanted software
  • Ensuring security settings remain enabled
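As an added example (not the author's script), here is the same detect-then-remediate contract applied to the "ensuring security settings remain enabled" use case above: detection exits 1 when any Windows Firewall profile is disabled, and the remediation re-enables it. The filenames are hypothetical; it uses the built-in NetSecurity cmdlets Get-NetFirewallProfile and Set-NetFirewallProfile, and, like the C:\Temp scripts later in this article, it assumes the package runs as SYSTEM in 64-bit PowerShell.

```powershell
# --- Detect-FirewallProfilesDisabled.ps1 (hypothetical filename) ---
# Detection contract: exit 0 = healthy, exit 1 = issue found.
try {
    # Enabled is a GpoBoolean (True/False/NotConfigured); anything but True is drift
    $Disabled = Get-NetFirewallProfile -ErrorAction Stop |
        Where-Object { $_.Enabled -ne 'True' }

    if ($Disabled) {
        # Output is captured by Intune and shown in the remediation report
        Write-Output ("Issue detected: firewall disabled for profile(s): {0}" -f
            ($Disabled.Name -join ', '))
        exit 1
    }

    Write-Output "All firewall profiles enabled"
    exit 0
}
catch {
    # If the state cannot be read, surface it rather than report healthy
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# --- Remediate-EnableFirewallProfiles.ps1 (hypothetical filename) ---
# Runs only when detection exited 1. Safe to repeat: enabling an
# already-enabled profile is a no-op, so an hourly schedule is harmless.
try {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -ErrorAction Stop

    # Re-check so the report reflects the real post-fix state, not just "command ran"
    $Still = Get-NetFirewallProfile -ErrorAction Stop |
        Where-Object { $_.Enabled -ne 'True' }

    if ($Still) {
        Write-Output ("Remediation incomplete; still disabled: {0}" -f
            ($Still.Name -join ', '))
        exit 1
    }

    Write-Output "Firewall profiles enabled"
    exit 0
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Upload the two halves as separate detection and remediation files when creating the package, exactly as described for the C:\Temp scripts below.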

This site and my YouTube channel are supported by Tech-Source.

Tech-Source is a UK-based technology supplier that works closely with IT teams across education, public sector, and commercial environments. They provide hardware, licensing, and infrastructure solutions, with a strong focus on practical advice rather than upselling.

Their support helps keep this site running and allows me to continue publishing in-depth, admin-focused content and walkthroughs without paywalls.

You can find out more about what they do at https://tech-source.co.uk/

Licensing Requirements

Intune Remediations are an enterprise feature.

They require:

  • Microsoft 365 E3 or E5
  • Education A3 or A5
  • Equivalent Windows Enterprise or Education entitlement

Having Intune alone is not sufficient. For example, Microsoft 365 Business Premium includes Intune Plan 1, but often does not meet the Windows licensing requirement for remediations.

For this article I will be using the Intune Administrator role.

Assigning Intune Administrator

  1. Go to https://intune.microsoft.com/
  2. Users
  3. Assigned roles
  4. Add assignments
  5. Select Intune Administrator
  6. Add the user
  7. Assign

Allow a few minutes for permissions to apply, then sign in as that user.

Intune Management Extension Prerequisite

Remediations rely on the Intune Management Extension (IME).
If IME is not installed, remediations will not run.

IME installs automatically only when required. A device can be fully enrolled in Intune and still not have IME.

IME installs when at least one of the following is assigned:

  • A Win32 app
  • A PowerShell script
  • A remediation

How to Check IME Is Installed

On the device, run PowerShell as Administrator:

Get-Service IntuneManagementExtension

Expected result:

  • Status > Running

You can also check:

  • Services.msc > Intune Management Extension
  • C:\Program Files (x86)\Microsoft Intune Management Extension
  • Installed programs

[Screenshot: Intune Management Extension]

Creating the Target Device Group

For predictable behaviour, use a Microsoft Entra security group with assigned membership.

Group settings:

  • Group type > Security
  • Membership type > Assigned

Add your machine or machines.

Device groups are recommended for system-level remediations, especially when scripts run as SYSTEM.

Demo Scenario > C:\Temp Exceeds 500MB

This remediation checks the size of C:\Temp.
If it exceeds 500MB, the folder contents are deleted.

Detection Script

Filename:
Detect-TempOver500MB.ps1

# Detection runs first on every schedule. Exit 0 = healthy, exit 1 = issue found.
$Path = 'C:\Temp'
$ThresholdBytes = 500MB   # PowerShell expands 500MB to 524288000 bytes

try {
    # Nothing to clean if the folder is absent, so report healthy
    if (-not (Test-Path $Path)) {
        Write-Output "C:\Temp does not exist"
        exit 0
    }

    # Sum file sizes only (-File): directory objects have no Length property
    $Size = (Get-ChildItem $Path -Recurse -Force -File -ErrorAction Stop |
        Measure-Object Length -Sum).Sum

    # Sum can be $null when the folder is empty
    if ($null -eq $Size) { $Size = 0 }

    # Output is captured by Intune and shown in the remediation report
    Write-Output ("C:\Temp size: {0:N2} MB" -f ($Size / 1MB))

    if ($Size -gt $ThresholdBytes) {
        Write-Output "Issue detected: C:\Temp exceeds 500MB"
        exit 1
    }

    exit 0
}
catch {
    # Treat an unreadable folder as a problem so it surfaces in reporting
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

Key points:

  • Exit 1 indicates a problem
  • Output is logged and visible in Intune reporting

Remediation Script

Filename:
Remediate-ClearTemp.ps1

# Remediation runs only when detection exited 1. Like detection, it runs as SYSTEM.
$Path = 'C:\Temp'

try {
    if (-not (Test-Path $Path)) {
        Write-Output "C:\Temp does not exist"
        exit 0
    }

    Write-Output "Clearing C:\Temp"
    # Enumerate only the top-level entries and let Remove-Item recurse into each.
    # Recursing in Get-ChildItem as well can pipe paths that were already deleted
    # along with their parent, which -ErrorAction Stop would report as a failure.
    Get-ChildItem $Path -Force -ErrorAction Stop |
        Remove-Item -Recurse -Force -ErrorAction Stop

    # A locked file aborts with exit 1; Intune records it and retries on the next run
    Write-Output "C:\Temp cleared successfully"
    exit 0
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}

This script runs only if detection exits 1.

Creating the Remediation in Intune

  1. Open the Microsoft Intune admin centre
  2. Devices
  3. Scripts and remediations
  4. Remediations
  5. Create

Basics

  • Name > Disk Health – Temp over 500MB
  • Description > Clears C:\Temp when it exceeds 500MB

Settings

  • Upload detection script
  • Upload remediation script

Options:

  • Run this script using the logged-on credentials > No
  • Run script in 64-bit PowerShell > Yes
  • Enforce script signature check > No

Assignments

  • Include > your test device group

Schedule

  • Frequency > Hourly (I did this for the YouTube Video)

Create the remediation.

Running the Remediation (Scheduled)

On the device:

  • Settings
  • Accounts
  • Access work or school
  • Select work account
  • Info
  • Sync

After the remediation runs:

  • C:\Temp should be empty
  • bigfile.bin should be gone

Running the Remediation On-Demand

This allows immediate execution without waiting for the schedule.

  1. Intune admin centre
  2. Devices
  3. Windows
  4. Select the device
  5. Three dots menu
  6. Run remediation (preview)
  7. Select the remediation
  8. Run

Refresh File Explorer on the device to confirm cleanup.

Verifying Results

Device-side

Check folder size:

(Get-ChildItem C:\Temp -Recurse | Measure-Object Length -Sum).Sum / 1MB

Expected result:

  • Near zero or zero

Intune-side

  • Open the remediation
  • Monitor
  • Device status

You should see:

  • Detection result
  • Remediation status
  • Script output

[Screenshot: Intune scripts and remediations]

Logs and Troubleshooting

IME logs are stored at:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Useful files:

  • IntuneManagementExtension.log
  • AgentExecutor.log

Common issues:

  • Device not in assignment group
  • IME not installed
  • Detection script never exits 1
  • Script output too long or errors swallowed

If troubleshooting becomes messy, deleting and recreating the remediation is often faster than editing repeatedly.

Why Do Remediations Matter?

Remediations shift device management from reactive to preventative.

Instead of responding to tickets, devices correct themselves.
Instead of manual fixes, PowerShell enforces consistency.

Used well, remediations reduce noise, improve reliability, and keep Windows devices in a known-good state without user involvement.

Do Intune remediations run as the user or as SYSTEM?

By default, remediations run as SYSTEM.

This is controlled by the setting “Run this script using the logged-on credentials”. When set to No, the script runs in the system context, regardless of which user is signed in.

System context is recommended for most remediations because it avoids permission issues and ensures consistent behaviour.

Can remediations run if no user is signed in?

Yes.

When run as SYSTEM, remediations execute even if no user is logged in. This makes them suitable for device health tasks, background cleanup, and security enforcement.

How often do remediations run?

Remediations run according to the schedule you configure, typically hourly or daily.

They also run:

  • After a device checks in
  • When triggered manually using “Run remediation (preview)”

Detection always runs first. Remediation only runs if detection exits with code 1.

Are remediations the same as PowerShell scripts in Intune?

No.

Standard PowerShell scripts:

  • Run once
  • Do not re-check state
  • Have limited reporting

Remediations:

  • Run on a recurring schedule
  • Separate detection from fixing
  • Provide detailed reporting over time

They are designed for ongoing health enforcement, not one-time actions.

What happens if the remediation script fails?

If remediation fails:

  • The failure is reported in Intune
  • Script output is recorded
  • The issue will be retried at the next scheduled run

A failing remediation will not block other Intune policies or scripts.

Can I use remediations for software deployment?

They are not designed for that.

Remediations are best for:

  • Small, repeatable fixes
  • State enforcement

Do remediations replace configuration profiles?

No.

Configuration profiles define desired state.
Remediations correct drift after that state changes.
They work best together.
