Skip to content

Detection and Remediation issue #61

New issue
New issue
Open
Open
Detection and Remediation issue#61
@carolceguerra

Description

@carolceguerra
carolceguerra
opened on Jan 31, 2024

I would like to ask for help with a challenge I am having with an Intune script for detection and remediation. Despite multiple attempts, I have been encountering issues when uploading it to the Intune Admin Portal.

Problem Overview:
Detection Status: Shows "With Issues" or sometimes "Without issues"
Remediation Status: Shows "Recurred" or "Failed"

Attempts to Resolve:
Exit Code Adjustments: I have tried adjusting the exit codes within the script to ensure proper success (exit 0) and failure (exit 1) signaling.
Logging: Implemented logging within the script to capture any errors or unexpected behavior, but the root cause remains elusive.
Syntax Checks: Checked for syntax errors and verified the compatibility of PowerShell commands with the Intune execution environment.
Environment Testing: Tested the script locally on a device to ensure it runs as expected, without encountering errors.
Intune Logs Examination: Reviewed the IntuneManagementExtension.log on the endpoint for potential error messages, but no clear resolution emerged.

I would greatly appreciate your insights. Please share any suggestions, best practices, or potential pitfalls to look out for. I am open to feedback on script structure, exit codes, or any other considerations that might impact the script's behavior in the Intune environment.

Here are my full script details. Your expertise and guidance would be immensely valuable in helping me overcome this challenge.

DetectAdminChange.ps1

Define the username of the local admin

$adminUsername = "OfflineAdmin"

Define the default password

$defaultPassword = "MESY@15586!!!"

Define the path to the log file

$logFilePath = "C:\ps_script_logs\ChangeLog.txt"

Check if the admin user exists

if (Get-LocalUser -Name $adminUsername -ErrorAction SilentlyContinue) {
# Admin user exists, check if the password has changed
$currentPassword = (Get-LocalUser -Name $adminUsername).Password

if ($currentPassword -ne $defaultPassword) {
    # Password has changed, log the event
    Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin password changed."
    
    # Set exit code for password change
    Exit 1
} else {
    # Password has not changed, exit with code 0 (no action needed)
    Exit 0
}

}
else {
Admin user doesn't exist, exit with code 2 (requires remediation)
Exit 2
}

===========================================================

RemediateAdmin.ps1

Define the username of the local admin

$adminUsername = "OfflineAdmin"

Define the default password

$defaultPassword = "MESY@15586!!!"

Define the path to the log file

$logFilePath = "C:\ps_script_logs\RemediationLog.txt"

Set the default password for the admin user

$password = ConvertTo-SecureString -String $defaultPassword -AsPlainText -Force
Set-LocalUser -Name $adminUsername -Password $password

Set password to not expire and cannot change

Set-LocalUser -Name $adminUsername -PasswordNeverExpires $true -CannotChangePassword $true

Log the remediation event

Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin account remediated with default password."

Exit with code 0 (success)

Exit 0

Thank you in advance for your time and assistance. I am eager to learn from your experiences and insights.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions