Create a Proactive remediations script package

In this simple example, we'll create a script package in Proactive remediations in the MEM portal that reports whether a device is pending a restart from software updates.

Create the script package

In the MEM portal, navigate to Reports > Endpoint Analytics > Proactive remediations

Click Create script package and give it a name and description

Download the following script, then on the Settings page in the script package upload it as the Detection script file. There is no need to add a remediation script. Run the script in 64-bit PowerShell.

https://github.com/SMSAgentSoftware/MEM/blob/main/Custom%20Inventory%20with%20Proactive%20Remediations/-Inventory-Software%20Updates.ps1

###################################################
## INVENTORY: SOFTWARE UPDATES SCHEDULED RESTART ##
###################################################

# Reboot required
If (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
{
    $RebootRequired = "True"
}
else
{
    $RebootRequired = "False"
}

# Other locations to check for restart pending
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\RebootRequired
# HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables | RebootRequired | 1

# ScheduledRebootTime
$RegScheduledReboot = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables -Name ScheduledRebootTime -ErrorAction SilentlyContinue | Select -ExpandProperty ScheduledRebootTime
If ($RegScheduledReboot)
{
    $ScheduledRebootTime = [DateTime]::FromFileTimeUtc($RegScheduledReboot) | Get-Date -format "yyyy-MM-ddTHH:mm:ssZ"
}
else
{
    $ScheduledRebootTime = $null
}

# EngageReminderLastShownTime
$RegEngagedReminder = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings -Name EngageReminderLastShownTime -ErrorAction SilentlyContinue | Select -ExpandProperty EngageReminderLastShownTime
If ($RegEngagedReminder)
{
    $EngagedReminder = $RegEngagedReminder
}
else
{
    $EngagedReminder = $null
}

# PendingRebootStartTime
$RegPendingRebootTime = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings -Name PendingRebootStartTime -ErrorAction SilentlyContinue | Select -ExpandProperty PendingRebootStartTime
If ($RegPendingRebootTime)
{
    $PendingRebootTime = $RegPendingRebootTime
}
else
{
    $PendingRebootTime = $null
}

# Prepare the hash
$SoftwareUpdatesHash = @{
    SU_RebootRequired = $RebootRequired
    SU_ScheduledRebootTime = $ScheduledRebootTime
    SU_EngageReminderLastShownTime = $EngagedReminder
    SU_PendingRebootStartTime = $PendingRebootTime
}

# Convert to JSON and output
$SoftwareUpdatesJson = $SoftwareUpdatesHash | ConvertTo-Json -Compress
If ($SoftwareUpdatesJson.Length -gt 2048)
{
    Write-Output "Output is longer than the permitted length of 2048 characters."
    Exit 1
}
Else
{
    Write-Output $SoftwareUpdatesJson
    Exit 0
}

Add a scope tag if you need to.

On the Assignments page add an assignment and set the schedule.

Don't run the script more frequently than necessary. If the data you are inventorying doesn't change often, don't inventory it often. Also consider how often you will be exporting the data - if that's once per day, for example, a daily schedule on the PR should suffice.

Click Create.

View the output

Once some of your targeted devices have run the script, you can view the output in the MEM portal and verify that it's good.

In Proactive remediations, click on the script package you created and view the Device status report.

To view the output, click Columns and select at least the Pre-remediation detection output column.

In that column, click Review to see the output.

Note that the output is in JSON format - this makes it easy for the automation runbook to use the data.
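
The following is an added example, not part of the original page or the author's scripts: one way a consumer could parse a single Pre-remediation detection output value produced by the detection script above. It assumes the consumer already holds that value as a string; the function name ConvertFrom-RestartInventory and the sample strings are constructed for illustration.

```powershell
# Added example: function name and sample strings are constructed, not from the page.
function ConvertFrom-RestartInventory {
    param([string]$DetectionOutput)

    # When the 2048-character limit is hit the script writes a plain-text message,
    # not JSON, so anything that fails to parse is skipped instead of throwing.
    try   { $raw = $DetectionOutput | ConvertFrom-Json -ErrorAction Stop }
    catch { return }
    if ($null -eq $raw -or $raw.PSObject.Properties.Name -notcontains 'SU_RebootRequired') { return }

    # SU_RebootRequired is the STRING "True"/"False". Any non-empty string is truthy
    # in PowerShell, so "if ($raw.SU_RebootRequired)" would also match "False".
    $required = $false
    [void][bool]::TryParse([string]$raw.SU_RebootRequired, [ref]$required)

    # SU_ScheduledRebootTime is UTC in the script's fixed format, or null.
    # PowerShell 7 may already have converted it to [DateTime]; 5.1 leaves a string.
    $scheduled = $raw.SU_ScheduledRebootTime
    if ($scheduled -is [DateTime]) {
        $scheduled = $scheduled.ToUniversalTime()
    }
    elseif ($scheduled) {
        $styles    = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $scheduled = [DateTime]::ParseExact($scheduled, "yyyy-MM-ddTHH:mm:ss'Z'", [Globalization.CultureInfo]::InvariantCulture, $styles)
    }

    [pscustomobject]@{
        RebootRequired     = $required
        ScheduledRebootUtc = $scheduled
        # Passed through unchanged: the page does not state the format of these values.
        PendingRebootStart = $raw.SU_PendingRebootStartTime
        ReminderLastShown  = $raw.SU_EngageReminderLastShownTime
    }
}

# Constructed samples shaped like the three outputs the detection script can produce.
$samples = @(
    '{"SU_RebootRequired":"True","SU_ScheduledRebootTime":"2024-03-05T03:00:00Z","SU_EngageReminderLastShownTime":null,"SU_PendingRebootStartTime":null}'
    '{"SU_RebootRequired":"False","SU_ScheduledRebootTime":null,"SU_EngageReminderLastShownTime":null,"SU_PendingRebootStartTime":null}'
    'Output is longer than the permitted length of 2048 characters.'
)
$samples | ForEach-Object { ConvertFrom-RestartInventory $_ } | Format-List
```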
