Create a Proactive remediations script package
In this simple example, we'll create a script package in Proactive remediations in the MEM portal which will report on whether a device is pending a restart from software updates.
Create the script package
In the MEM portal, navigate to Reports > Endpoint Analytics > Proactive remediations
Click Create script package and give it a name and description
Download the following script, then on the Settings page in the script package upload it as the Detection script file. There is no need to add a remediation script. Run the script in 64-bit PowerShell.
Have a read of the script so you understand how it works. You can use it as a starting point for your own scripts. The key things are that the inventoried data is outputted as key-value pairs in JSON format and that the output is not longer than the permitted length.
###################################################
## INVENTORY: SOFTWARE UPDATES SCHEDULED RESTART ##
###################################################
# Reboot required
If (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
{
$RebootRequired = "True"
}
else
{
$RebootRequired = "False"
}
# Other locations to check for restart pending
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\RebootRequired
# HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables | RebootRequired | 1
# ScheduledRebootTime
$RegScheduledReboot = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables -Name ScheduledRebootTime -ErrorAction SilentlyContinue | Select -ExpandProperty ScheduledRebootTime
If ($RegScheduledReboot)
{
$ScheduledRebootTime = [DateTime]::FromFileTimeUtc($RegScheduledReboot) | Get-Date -format "yyyy-MM-ddTHH:mm:ssZ"
}
else
{
$ScheduledRebootTime = $null
}
# EngageReminderLastShownTime
$RegEngagedReminder = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings -Name EngageReminderLastShownTime -ErrorAction SilentlyContinue | Select -ExpandProperty EngageReminderLastShownTime
If ($RegEngagedReminder)
{
$EngagedReminder = $RegEngagedReminder
}
else
{
$EngagedReminder = $null
}
# PendingRebootStartTime
$RegPendingRebootTime = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings -Name PendingRebootStartTime -ErrorAction SilentlyContinue | Select -ExpandProperty PendingRebootStartTime
If ($RegPendingRebootTime)
{
$PendingRebootTime = $RegPendingRebootTime
}
else
{
$PendingRebootTime = $null
}
# Prepare the hash
$SoftwareUpdatesHash = @{
SU_RebootRequired = $RebootRequired
SU_ScheduledRebootTime = $ScheduledRebootTime
SU_EngageReminderLastShownTime = $EngagedReminder
SU_PendingRebootStartTime = $PendingRebootTime
}
# Convert to JSON and output
$SoftwareUpdatesJson = $SoftwareUpdatesHash | ConvertTo-Json -Compress
If ($SoftwareUpdatesJson.Length -gt 2048)
{
Write-Output "Output is longer than the permitted length of 2048 characters."
Exit 1
}
Else
{
Write-Output $SoftwareUpdatesJson
Exit 0
}
Add a scope tag if you need to.
On the Assignments page add an assignment and set the schedule.
Click Create.
View the output
Once some of your targeted devices have run the script, you can view the output in the MEM portal and verify that it's good.
In Proactive remediations, click on the script package you created and view the Device status report.
To view the output, click Columns and select at least the Pre-remediation detection output column.
In that column, click Review to see the output.
Note that the output is in JSON format - this makes it easy for the automation runbook to use the data.
Last updated
Was this helpful?