Example of how to use Intune Proactive Remediation to set Security Recommendations
Description
If you’ve used Microsoft’s Secure Score dashboard, you may have come across recommended actions to improve your security. Some of these actions involve implementing registry settings. While using Intune’s Script option to implement them is possible, it only runs once, and you won’t know if someone changes the setting back.
Fortunately, you can use Proactive Remediations to periodically check and set the recommended settings with a PowerShell script. Proactive Remediation works by running two PowerShell scripts that you write: the Detection script and the Remediation script.
How it works
The Detection script runs the checks. If it finds a setting that needs remediation, it exits with status 1, which marks the device as requiring remediation and triggers the Remediation script. The Remediation script then fixes the settings; if this works, the machine is marked as “Issues fixed”, and if the incorrect settings remain, the machine is marked as failed.
Detection Script
Here’s an example Detection script that checks a few Secure Score recommendations (disabling JavaScript in Adobe Acrobat and Acrobat Reader, and enabling LSA protection).
<#
.SYNOPSIS
Checks if required Security Recommendations are set.
.DESCRIPTION
This script checks whether all the required security recommendations are set. It verifies whether the registry settings are in place and set to the required value. If any of the registry settings are not properly set, the script exits with code 1 so that Intune calls the remediation script.
.EXAMPLE
.\Get-SecurityRecommendations
.NOTES
1.0.0: Initial release with several javascript recommendations by Microsoft Security Center.
1.0.1: Added scid-25 - Enable "Local Security Authority (LSA) protection"
#>
$securityRecommendations = @(
    @{name = 'Disable JavaScript on Adobe DC' ; key = 'bDisableJavaScript'; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' }
    @{name = 'Disable JavaScript on Adobe Reader DC' ; key = 'bDisableJavaScript'; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' }
    @{name = 'Enable "Local Security Authority (LSA) protection"' ; key = 'RunAsPPL' ; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{name = 'Enable "Local Security Authority (LSA) protection"' ; key = 'RunAsPPLBoot' ; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

foreach ($recommendation in $securityRecommendations) {
    # Get-ItemProperty returns an object with the value as a property; read that property
    # to get the actual registry data. A missing path or value name yields $null.
    $currentValue = (Get-ItemProperty -Path $recommendation.path -Name $recommendation.key -ErrorAction SilentlyContinue).$($recommendation.key)
    if ($null -eq $currentValue) {
        Write-Output "'$($recommendation.name)' is not yet implemented."
        exit 1
    }
    if ($currentValue -ne $recommendation.requiredValue) {
        Write-Output "'$($recommendation.name)' is not remediated (current value: $currentValue)."
        exit 1
    }
    Write-Output "'$($recommendation.name)' is remediated."
}

# Every setting is in place: exit 0 so Intune marks the device as not needing remediation.
exit 0
Remediation Script
Here is the Remediation script that sets the recommendations:
<#
.SYNOPSIS
Sets all recommended security settings.
.DESCRIPTION
This script sets all the required security recommendations. For each recommendation it creates the registry path if it does not exist and writes the registry value with the required data and type. Intune runs it when the detection script reports a missing or incorrect setting.
This can be run locally as well.
.EXAMPLE
.\Set-SecurityRecommendations
.NOTES
1.0.0: Initial release with several javascript recommendations by Microsoft Security Center.
1.0.1: Added scid-25 - Enable "Local Security Authority (LSA) protection"
#>
$securityRecommendations = @(
    @{name = 'Disable JavaScript on Adobe DC' ; key = 'bDisableJavaScript'; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' }
    @{name = 'Disable JavaScript on Adobe Reader DC' ; key = 'bDisableJavaScript'; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' }
    @{name = 'Enable "Local Security Authority (LSA) protection"' ; key = 'RunAsPPL' ; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{name = 'Enable "Local Security Authority (LSA) protection"' ; key = 'RunAsPPLBoot' ; requiredValue = '1'; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

foreach ($recommendation in $securityRecommendations) {
    Write-Output "Processing '$($recommendation.name)'"
    if (-not (Test-Path -Path $recommendation.path)) {
        Write-Output "Creating registry path '$($recommendation.path)'"
        New-Item -Path $recommendation.path -Force | Out-Null
    }
    $parameters = @{
        Path         = $recommendation.path
        Name         = $recommendation.key
        Value        = $recommendation.requiredValue
        PropertyType = $recommendation.type
        Force        = $true   # overwrite an existing value instead of failing on it
    }
    # Out-Null keeps the returned property object out of the script output Intune stores.
    New-ItemProperty @parameters | Out-Null
}
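As an added example that is not part of the original post, the following remediation script writes each setting and then reads it back before deciding on its exit code. Intune otherwise has only the write's absence of errors to go on, so a value that did not actually land (for instance because another policy or protection rewrote it) would still look fixed. The registry paths and values are the four recommendations from the post; everything else (the `$failed` list, the message format) is this example's own choice.

```powershell
# Added example, not the post's own script: remediate, then verify the end state.
# Registry paths/values are the four recommendations from the post.
$securityRecommendations = @(
    @{ name = 'Disable JavaScript on Adobe DC'; key = 'bDisableJavaScript'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' }
    @{ name = 'Disable JavaScript on Adobe Reader DC'; key = 'bDisableJavaScript'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' }
    @{ name = 'Enable "Local Security Authority (LSA) protection"'; key = 'RunAsPPL'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ name = 'Enable "Local Security Authority (LSA) protection"'; key = 'RunAsPPLBoot'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

# Collects one human-readable line per setting that could not be set or verified.
$failed = [System.Collections.Generic.List[string]]::new()

foreach ($recommendation in $securityRecommendations) {
    try {
        if (-not (Test-Path -Path $recommendation.path)) {
            New-Item -Path $recommendation.path -Force -ErrorAction Stop | Out-Null
        }

        # -Force overwrites an existing value; -ErrorAction Stop turns write failures into catchable errors.
        New-ItemProperty -Path $recommendation.path -Name $recommendation.key `
            -Value $recommendation.requiredValue -PropertyType $recommendation.type `
            -Force -ErrorAction Stop | Out-Null

        # Read back what is actually stored now, rather than trusting that the write took effect.
        $actual = Get-ItemPropertyValue -Path $recommendation.path -Name $recommendation.key -ErrorAction Stop
        if ($actual -ne $recommendation.requiredValue) {
            $failed.Add("$($recommendation.name) [$($recommendation.key)]: wrote $($recommendation.requiredValue), read back $actual")
        }
    }
    catch {
        # Access denied, a path that cannot be created, etc. end up here with the underlying message.
        $failed.Add("$($recommendation.name) [$($recommendation.key)]: $($_.Exception.Message)")
    }
}

if ($failed.Count -gt 0) {
    # A single output line keeps the reason readable in the exported Device status CSV.
    Write-Output ("Remediation incomplete: " + ($failed -join ' | '))
    exit 1
}

Write-Output "All $($securityRecommendations.Count) recommendations set and verified."
exit 0
```

Running it locally in an elevated PowerShell session prints either the verified summary or the list of settings that failed, which is the same text Intune keeps as the script's last output.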
Setup in Intune
To put the scripts into action, go to the Intune portal:
- Click Devices
- Click Remediations
- Choose Proactive Remediations
- Click + Create Script Package at the top of the page
- Enter the required details
- In the Detection Script file dropdown, select your detection script
- In the Remediation Script file dropdown, select your remediation script
- Under Assignments, select the target(s) just as you would for other Intune policies: all users, all devices or specific groups
- For each assignment, you can select a schedule: once, every X hours, or daily at a specific time
- Go to Review and Create, and create your policy
Wait for the scripts to be made available to your client. This happens:
- After a restart of the device or of the Intune management extension service
- After a user signs in to the client
- Once every 8 hours
The 8-hour script retrieval schedule is fixed based on when the Intune management extension service starts; it is not altered by user sign-ins.
Then wait for the client to report back and check the status.
Troubleshooting
Using the Export button on the Device Status tab of your Proactive Remediation, you can create a .CSV file that contains the last output of each script. This is helpful for checking what is happening on the client, so write your scripts to produce relevant, concise output.
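Because the exported CSV only holds each script's last output, a detection script that exits at the first mismatch tells you about one setting and hides the rest. As an added example that is not part of the original post, this detection variant evaluates every recommendation first and then reports all non-compliant ones on one line, exiting 1 only at the end. The registry entries are the four from the post; the `Test-SecurityRecommendation` helper and the output format are this example's own.

```powershell
# Added example, not the post's own script: check everything, then report once.
# Registry paths/values are the four recommendations from the post.
$securityRecommendations = @(
    @{ name = 'Disable JavaScript on Adobe DC'; key = 'bDisableJavaScript'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' }
    @{ name = 'Disable JavaScript on Adobe Reader DC'; key = 'bDisableJavaScript'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' }
    @{ name = 'Enable "Local Security Authority (LSA) protection"'; key = 'RunAsPPL'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ name = 'Enable "Local Security Authority (LSA) protection"'; key = 'RunAsPPLBoot'; requiredValue = 1; type = 'DWord'; path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

# Returns $null when the recommendation is in place, otherwise a short description of the problem.
function Test-SecurityRecommendation {
    param([hashtable]$Recommendation)

    # SilentlyContinue covers both a missing path and a missing value name.
    $item = Get-ItemProperty -Path $Recommendation.path -Name $Recommendation.key -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return "$($Recommendation.key) missing"
    }

    # The data lives in a property named after the value; read it dynamically.
    $actual = $item.$($Recommendation.key)
    if ($actual -ne $Recommendation.requiredValue) {
        return "$($Recommendation.key)=$actual (expected $($Recommendation.requiredValue))"
    }
    return $null
}

# Collect one finding per non-compliant recommendation instead of exiting on the first one.
$findings = foreach ($recommendation in $securityRecommendations) {
    $problem = Test-SecurityRecommendation -Recommendation $recommendation
    if ($problem) { "'$($recommendation.name)': $problem" }
}

if ($findings) {
    # One line, all problems: this is what the Export CSV will show for the device.
    Write-Output ("Non-compliant ($(@($findings).Count)/$($securityRecommendations.Count)): " + ($findings -join '; '))
    exit 1
}

Write-Output "Compliant: all $($securityRecommendations.Count) recommendations are set."
exit 0
```

On a device where only the LSA values are missing, the stored output reads along the lines of `Non-compliant (2/4): 'Enable "Local Security Authority (LSA) protection"': RunAsPPL missing; ...`, which makes the CSV export useful without opening a remote session to the client.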