Perform Bulk On-demand Remediation with Microsoft Intune

Remediations in Microsoft Intune are script packages (each containing 2 PowerShell scripts) which can detect issues and remediate them on a defined schedule. Intune then provides a report on the remediation for all devices, advising whether issues were detected and whether they have been remediated.

An issue with remediations is that they run on a schedule and do not react to issues dynamically; they act only at the time they have been configured to run. Because of this, there is a chance that the end-user could identify issues before they are automatically remediated. In this scenario, it may be inconvenient to ask the user to wait for the remediation task to run. Instead, it would be preferable to run the remediation task on demand.

On-demand remediation tasks can currently only be run on a single machine at a time. In this tutorial, I am going to show you how you can use Microsoft Graph PowerShell to bulk-run a remediation task on multiple or all devices managed with Intune.


To run the on-demand remediation task with PowerShell we are going to make use of the Microsoft Graph PowerShell SDK, specifically the following modules:

  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Beta.DeviceManagement

A Global Administrator user will also need to be available to consent to the following permissions:

  • DeviceManagementConfiguration.Read.All (To read the remediation packages)
  • DeviceManagementManagedDevices.Read.All (To read device information)
  • DeviceManagementManagedDevices.PrivilegedOperations.All (To initiate the remediation task)

For more information on installing the Microsoft Graph PowerShell module and finding available permissions, see my posts:

The bulk Intune on-demand remediation script

The script is fairly simple. In a nutshell, it will gather all of the target devices based on a filter that you define and then initiate the remediation package, which you also need to define, on each device in a loop.

    Script by Daniel Bradley

$ScriptPackageName = "" #Define the exact remediation package name here
$DeviceFilter = "" #Define the exact device filter here, for example: OwnerType eq 'Company'

#Connect to Microsoft Graph
Connect-MgGraph -scopes DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All

#Get Script package
$RemediationPackage = Get-MgBetaDeviceManagementDeviceHealthScript -Filter "DisplayName eq '$ScriptPackageName'"

#Create request body
$body = @{
    "ScriptPolicyId" = "$($RemediationPackage.Id)"
} | ConvertTo-Json

#Store target devices
$TargetDevices = Get-MgBetaDeviceManagementManagedDevice -filter "$DeviceFilter"

#Loop through each device
Foreach ($device in $TargetDevices){
    Write-Host "Initiating remediation package $ScriptPackageName for $($Device.DeviceName)" -ForegroundColor Cyan
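    #Build the beta Graph endpoint for this device's on-demand remediation action
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($device.Id)')/initiateOnDemandProactiveRemediation"
    Invoke-MgGraphRequest -Uri $uri -Method POST -Body $body -ContentType "application/json"
}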

Wrapping up

This script has been created to help speed up the initial deployment of remediation packages. In most cases, a remediation package will not be designed to resolve an immediate problem, but will instead help maintain the configuration and compliance of devices where a supported setting is not directly available within Intune. Unfortunately, due to tight timeframes, deployments may need to be sped up, especially if an existing remediation package has been modified. This script helps to achieve that requirement.

In no way am I saying this script is production-ready; instead, it is a proof of concept that you should test and modify before implementing.
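One way to add guard rails to the proof of concept before running it against many devices, as an added example that is not the author's script: it checks the session scope, requires the package name to match exactly one package, caps the device count, and supports `-WhatIf` and per-device confirmation. The function name `Invoke-BulkRemediation`, the `-MaxDevices` cap and the sample package name are assumptions made for illustration.

```powershell
# Added example: guarded wrapper around the same Graph call (function name is hypothetical).
function Invoke-BulkRemediation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ScriptPackageName,
        [Parameter(Mandatory)][string]$DeviceFilter,   # e.g. OwnerType eq 'Company'
        [int]$MaxDevices = 50                          # assumed safety cap, raise deliberately
    )

    # Fail early if the session lacks the privileged scope the action needs
    $needed = 'DeviceManagementManagedDevices.PrivilegedOperations.All'
    if ((Get-MgContext).Scopes -notcontains $needed) {
        throw "Not connected with scope $needed. Run Connect-MgGraph first."
    }

    # The name must resolve to exactly one package, otherwise the policy ID is ambiguous
    $safeName = $ScriptPackageName.Replace("'", "''")   # escape quotes for the OData filter
    $package = @(Get-MgBetaDeviceManagementDeviceHealthScript -Filter "displayName eq '$safeName'")
    if ($package.Count -ne 1) {
        throw "Expected 1 package named '$ScriptPackageName', found $($package.Count)."
    }

    # -All follows paging so the count reflects every device the filter matches
    $devices = @(Get-MgBetaDeviceManagementManagedDevice -Filter $DeviceFilter -All)
    if ($devices.Count -gt $MaxDevices) {
        throw "Filter matched $($devices.Count) devices, above the cap of $MaxDevices."
    }

    $body = @{ ScriptPolicyId = $package[0].Id } | ConvertTo-Json
    foreach ($device in $devices) {
        $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($device.Id)')/initiateOnDemandProactiveRemediation"
        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($device.DeviceName, "Run remediation '$ScriptPackageName'")) {
            try {
                Invoke-MgGraphRequest -Uri $uri -Method POST -Body $body -ContentType 'application/json' -ErrorAction Stop
                $status = 'Initiated'
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        # One record per device so the run can be exported and reviewed afterwards
        [pscustomobject]@{ DeviceName = $device.DeviceName; DeviceId = $device.Id; Status = $status }
    }
}

# Preview the targets without sending any request (constructed sample values)
Invoke-BulkRemediation -ScriptPackageName 'Example package' -DeviceFilter "OwnerType eq 'Company'" -WhatIf
```

Piping the output to `Export-Csv` keeps a record of which devices were targeted and which requests failed.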

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
