Deployment Guide

Overview

This comprehensive guide provides step-by-step instructions for deploying Intune remediation scripts to managed devices, including creating remediations, configuring assignments, testing, monitoring, and rollback procedures.

Prerequisites

Microsoft Intune admin access with appropriate permissions
Script testing completed in development environment
Device groups configured for pilot and production deployments
Azure AD Premium P1 or P2 license for advanced features
PowerShell scripts validated with -WhatIf parameter
Remediation scripts follow exit code conventions (0=success, 1=failure)

Creating an Intune Remediation

Step 1: Access Intune Admin Center

Navigate to Microsoft Intune admin center
Sign in with your administrator credentials
Go to Reports > Endpoint analytics > Remediations

[Screenshot placeholder: Intune admin center navigation to Remediations]

Step 2: Create New Remediation

Click + Create script package
Configure basic information:
- Name: Descriptive name (e.g., "Fix Chrome Update Issue")
- Description: Detailed description of the remediation purpose
- Publisher: Your organization name

[Screenshot placeholder: Create script package basic information]

Step 3: Upload Detection Script

Click Next to go to Settings
Upload your detection script (.ps1 file)
Configure detection script settings:
- Run this script using the logged-on credentials: No (recommended)
- Enforce script signature check: Yes (for production)
- Run script in 64-bit PowerShell: Yes (if required)

[Screenshot placeholder: Detection script upload and configuration]

Step 4: Upload Remediation Script

Upload your remediation script (.ps1 file)
Configure remediation script settings:
- Run this script using the logged-on credentials: No (recommended)
- Enforce script signature check: Yes (for production)
- Run script in 64-bit PowerShell: Yes (if required)

[Screenshot placeholder: Remediation script upload and configuration]

Step 5: Configure Assignments

Device Group Assignment

Click Next to go to Assignments
Click + Add group
Select assignment type:
- Include: Assign to specific groups
- Exclude: Exclude specific groups from assignment

[Screenshot placeholder: Assignment configuration screen]

Assignment Options

Assign to:
- All devices
- Selected groups
- All users
- Selected user groups

Scope Tags Configuration

Navigate to Scope tags tab
Add appropriate scope tags for:
- Department-specific: IT, HR, Finance
- Location-specific: US, EU, APAC
- Environment-specific: Production, Staging

[Screenshot placeholder: Scope tags configuration]

Step 6: Configure Schedule

Detection Schedule

Set Run frequency:
- Every 4 hours (aggressive)
- Daily (recommended)
- Weekly (maintenance scenarios)

Remediation Schedule

Configure Remediation settings:
- Reboot device if required by script: Yes/No
- Re-run remediation if initial remediation fails: Yes (recommended)
- Number of retries if remediation fails: 3 (recommended)

[Screenshot placeholder: Schedule configuration options]

Step 7: Review and Create

Review all configurations on Review + Create tab
Verify:
- Script names and descriptions
- Assignment groups
- Schedule settings
- Scope tags
Click Create to deploy

[Screenshot placeholder: Review and create summary]

Testing with -WhatIf Parameter

Pre-Deployment Testing

Before deploying to production, always test scripts with the -WhatIf parameter:

# Test detection script
.\detect-script.ps1 -WhatIf

# Test remediation script with ShouldProcess support
.\remediate-script.ps1 -WhatIf

Pilot Group Testing

Create pilot device group (5-10 devices)
Deploy to pilot group first
Monitor results for 24-48 hours
Validate remediation effectiveness
Check for any adverse effects

[Screenshot placeholder: Pilot group creation and assignment]

Validation Steps

Manual verification: Check remediation results on pilot devices
Log analysis: Review PowerShell execution logs
Performance impact: Monitor device performance metrics
User impact: Gather feedback from pilot users

Monitoring and Reporting

Built-in Monitoring

Navigate to Reports > Endpoint analytics > Remediations
Select your remediation package
Review key metrics:
- Device compliance status
- Detection results
- Remediation success rate
- Error rates and trends

[Screenshot placeholder: Remediation monitoring dashboard]

Device Status Monitoring

Individual Device Status

Click on specific remediation
Go to Device status tab
Review per-device results:
- Compliant: No issues detected
- Not compliant: Issues detected, remediation needed
- Remediated: Issues fixed successfully
- Error: Detection or remediation failed

[Screenshot placeholder: Device status detailed view]

Error Analysis

Filter by Error status
Export error logs for analysis
Common error patterns:
- Permission issues
- Network connectivity
- Script execution policy
- Resource availability

Advanced Monitoring

Log Analytics Integration

Configure Log Analytics workspace
Enable Intune data collection
Create custom KQL queries for advanced analysis
Set up automated alerts for failure thresholds

[Screenshot placeholder: Log Analytics configuration]

Custom Reporting

# Example: Export remediation results to CSV
$Results = Get-IntuneRemediationResults -RemediationId "your-id"
$Results | Export-Csv -Path "C:\Reports\RemediationResults.csv" -NoTypeInformation

Rollback Procedures

Emergency Rollback

Immediate Actions

Stop remediation deployment:
- Navigate to remediation package
- Click Assignments > Edit
- Remove all assignments
- Click Save

[Screenshot placeholder: Emergency assignment removal]

Notify affected users if user impact is expected
Document rollback reasons for post-incident review

Planned Rollback

Rollback Script Development

Create rollback detection script:
- Detect if remediation was applied
- Check for adverse effects
Create rollback remediation script:
- Undo changes made by original remediation
- Restore previous configuration
- Log rollback actions

# Example rollback remediation script structure
[CmdletBinding(SupportsShouldProcess=$true)]
param()

try {
    if ($PSCmdlet.ShouldProcess("System", "Rollback Previous Remediation")) {
        # Rollback logic here
        Write-Information "Rollback completed successfully" -InformationAction Continue
        exit 0
    }
} catch {
    Write-Error "Rollback failed: $_"
    exit 1
}

Rollback Testing

Test rollback scripts in isolated environment
Verify complete restoration of previous state
Document rollback procedures for operations team

Rollback Deployment

Create new remediation package with rollback scripts
Assign to affected devices only
Monitor rollback progress closely
Validate successful rollback on sample devices

[Screenshot placeholder: Rollback remediation deployment]

Post-Deployment Activities

Success Metrics

Compliance improvement: % of devices moved to compliant state
Error rate: < 5% failure rate target
Performance impact: No significant device slowdown
User satisfaction: Minimal user disruption

Documentation Updates

Update deployment records with actual results
Document lessons learned for future deployments
Update runbooks with new procedures discovered
Share knowledge with team members

Continuous Improvement

Review error patterns for script improvements
Optimize detection frequency based on business needs
Update assignment groups as organization evolves
Refine monitoring thresholds based on operational experience

Troubleshooting Common Issues

Script Execution Failures

Error Type	Cause	Solution
Access Denied	Insufficient permissions	Review script context and permissions
Execution Policy	PowerShell policy restriction	Configure via Intune policy, not Set-ExecutionPolicy
Script Timeout	Long-running operations	Optimize script performance, add progress indicators
Network Issues	Connectivity problems	Add network checks, implement retries

Assignment Issues

Devices not receiving remediation: Check group membership and assignment filters
Scope tag conflicts: Verify scope tag assignments match user permissions
Timing issues: Allow 8+ hours for initial deployment propagation

Monitoring Gaps

Missing device status: Check device enrollment and compliance
Delayed reporting: Allow up to 24 hours for full reporting sync
Incomplete data: Verify Log Analytics workspace configuration

Advanced Deployment Scenarios

Multi-Tenant Deployments

Configure tenant-specific scope tags
Customize scripts per tenant requirements
Implement centralized monitoring across tenants
Coordinate deployment timing across organizations

Conditional Deployments

Use assignment filters for advanced targeting:
- Device properties (OS version, manufacturer)
- User properties (department, location)
- Custom device attributes
Dynamic group assignments for automatic targeting

[Screenshot placeholder: Advanced assignment filter configuration]

Integration with Other Systems

ServiceNow integration for change management
Teams notifications for deployment status
PowerBI dashboards for executive reporting
Azure Automation for complex orchestration

Security Considerations

Script Security

Code signing: Always sign production scripts
Access control: Limit script modification permissions
Sensitive data: Never hardcode credentials or secrets
Audit trail: Maintain deployment and modification logs

Compliance Requirements

Change approval: Follow organizational change management
Documentation: Maintain comprehensive deployment records
Testing evidence: Document all testing phases and results
Rollback readiness: Always have tested rollback procedures

References

Last Updated: August 2025 | Version 2.0

FilesExpand file tree

deployment-guide.md

Latest commit

History