generate_intune_remediation_script
Create PowerShell remediation scripts for Microsoft Intune that follow enterprise best practices, including proper exit codes, event logging, and system restore points for automated device management.
Instructions
Generate a Microsoft Intune remediation script with enterprise-grade features.
Creates a PowerShell remediation script that follows Microsoft Intune best practices:
- Proper exit codes (0=success, 1=failure, 2=error)
- Event log integration for monitoring and troubleshooting
- System restore point creation before making changes
- Comprehensive error handling and logging
- No user interaction (required for Intune deployment)
⚠️ IMPORTANT: For complete Intune compliance, you need BOTH detection and remediation scripts.
Consider using 'generate_intune_script_pair' instead to create both scripts together.
Microsoft References:
- Intune Remediation Scripts: https://docs.microsoft.com/en-us/mem/intune/fundamentals/remediations
- Best Practices: https://docs.microsoft.com/en-us/mem/intune/fundamentals/remediations-script-samples
- PowerShell Script Requirements: https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- Exit Code Standards: https://docs.microsoft.com/en-us/mem/intune/apps/troubleshoot-mam-app-installation#exit-codes
Args:
description: Clear description of what the script should remediate (e.g., 'Install Chrome browser', 'Configure Windows firewall')
remediation_logic: PowerShell code that performs the remediation. Use 'Complete-Remediation -Success $true -Message "description"' to indicate completion
output_path: Optional file path where the script will be saved. If not provided, returns script content
timeout: Command timeout in seconds (1-300, default 60)
Returns:
Generated script content or path where script was saved
Example:
Generate a script to install Chrome:
```
result = await generate_intune_remediation_script(
description="Install Chrome browser to latest version",
remediation_logic='''
$installer = "$env:TEMP\ChromeSetup.exe"
Invoke-WebRequest -Uri "https://dl.google.com/chrome/install/latest/chrome_installer.exe" -OutFile $installer
Start-Process -FilePath $installer -Args "/silent /install" -Wait
Remove-Item $installer -Force
Complete-Remediation -Success $true -Message "Chrome installation completed successfully"
''',
output_path="remediate_chrome.ps1"
)
```
Tips:
- Always use Complete-Remediation function to set proper exit codes
- Test your remediation_logic in a safe environment first
- Consider creating a system restore point for major changes
- Use Write-IntuneLog for detailed logging and troubleshooting
- Ensure no user interaction is required (scripts run silently)Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| description | Yes | ||
| remediation_logic | Yes | ||
| output_path | No | ||
| timeout | No |
Implementation Reference
- src/server.py:389-457 (handler)The core handler function implementing the 'generate_intune_remediation_script' MCP tool. It prepares template parameters based on user inputs (description, remediation_logic, etc.) and delegates to the shared generate_script_from_template helper using the specific 'intune_remediation' template for Intune best practices.
@mcp.tool() async def generate_intune_remediation_script( description: str, remediation_logic: str, output_path: Optional[str] = None, timeout: Optional[int] = 60 ) -> str: """Generate a Microsoft Intune remediation script with enterprise-grade features. Creates a PowerShell remediation script that follows Microsoft Intune best practices: - Proper exit codes (0=success, 1=failure, 2=error) - Event log integration for monitoring and troubleshooting - System restore point creation before making changes - Comprehensive error handling and logging - No user interaction (required for Intune deployment) ⚠️ IMPORTANT: For complete Intune compliance, you need BOTH detection and remediation scripts. Consider using 'generate_intune_script_pair' instead to create both scripts together. Microsoft References: - Intune Remediation Scripts: https://docs.microsoft.com/en-us/mem/intune/fundamentals/remediations - Best Practices: https://docs.microsoft.com/en-us/mem/intune/fundamentals/remediations-script-samples - PowerShell Script Requirements: https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension - Exit Code Standards: https://docs.microsoft.com/en-us/mem/intune/apps/troubleshoot-mam-app-installation#exit-codes Args: description: Clear description of what the script should remediate (e.g., 'Install Chrome browser', 'Configure Windows firewall') remediation_logic: PowerShell code that performs the remediation. Use 'Complete-Remediation -Success $true -Message "description"' to indicate completion output_path: Optional file path where the script will be saved. If not provided, returns script content timeout: Command timeout in seconds (1-300, default 60) Returns: Generated script content or path where script was saved Example: Generate a script to install Chrome: ``` result = await generate_intune_remediation_script( description="Install Chrome browser to latest version", remediation_logic=''' $installer = "$env:TEMP\\ChromeSetup.exe" Invoke-WebRequest -Uri "https://dl.google.com/chrome/install/latest/chrome_installer.exe" -OutFile $installer Start-Process -FilePath $installer -Args "/silent /install" -Wait Remove-Item $installer -Force Complete-Remediation -Success $true -Message "Chrome installation completed successfully" ''', output_path="remediate_chrome.ps1" ) ``` Tips: - Always use Complete-Remediation function to set proper exit codes - Test your remediation_logic in a safe environment first - Consider creating a system restore point for major changes - Use Write-IntuneLog for detailed logging and troubleshooting - Ensure no user interaction is required (scripts run silently) """ params = { "SYNOPSIS": f"Intune Remediation Script - {description}", "DESCRIPTION": description, "DATE": datetime.now().strftime('%Y-%m-%d'), "REMEDIATION_LOGIC": remediation_logic } if output_path: output_path = ensure_directory(output_path) return await generate_script_from_template("intune_remediation", params, output_path, timeout) - src/server.py:148-186 (helper)Shared helper tool used by generate_intune_remediation_script (and others) to load a named PowerShell template from TEMPLATES_DIR, perform parameter substitution, optionally save to output_path, and return the generated script content.
@mcp.tool() async def generate_script_from_template( template_name: str, parameters: Dict[str, Any], output_path: Optional[str] = None, timeout: Optional[int] = 60 ) -> str: """Generate a PowerShell script from a template. Args: template_name: Name of the template to use (without .ps1 extension) parameters: Dictionary of parameters to replace in the template output_path: Where to save the generated script (optional) timeout: Command timeout in seconds (1-300, default 60) Returns: Generated script content or path where script was saved """ template_path = os.path.join(TEMPLATES_DIR, f"{template_name}.ps1") if not os.path.exists(template_path): raise ValueError(f"Template {template_name} not found") with open(template_path, 'r') as f: template_content = f.read() # Replace template variables script_content = template_content parameters['DATE'] = datetime.now().strftime('%Y-%m-%d') for key, value in parameters.items(): script_content = script_content.replace(f"{{{{{key}}}}}", str(value)) if output_path: with open(output_path, 'w') as f: f.write(script_content) return f"Script generated and saved to: {output_path}" return script_content - src/server.py:306-316 (helper)Helper utility called by generate_intune_remediation_script to normalize and ensure the output directory exists before writing the generated script file.
@mcp.tool() def ensure_directory(path: str) -> str: """Ensure directory exists and return absolute path.""" abs_path = normalize_path(path) if os.path.splitext(abs_path)[1]: # If path has an extension dir_path = os.path.dirname(abs_path) else: dir_path = abs_path os.makedirs(dir_path, exist_ok=True) return abs_path - src/server.py:389-389 (registration)The @mcp.tool() decorator registers the generate_intune_remediation_script function as an MCP tool with FastMCP.
@mcp.tool()