Detection and Remediation issue #61

Open
carolceguerra opened this issue Jan 31, 2024 · 7 comments
@carolceguerra

I would like to ask for help with a challenge I am having with an Intune script for detection and remediation. Despite multiple attempts, I have been encountering issues when uploading it to the Intune Admin Portal.

Problem Overview:
Detection Status: Shows "With Issues" or sometimes "Without issues"
Remediation Status: Shows "Recurred" or "Failed"

Attempts to Resolve:
Exit Code Adjustments: I have tried adjusting the exit codes within the script to ensure proper success (exit 0) and failure (exit 1) signaling.
Logging: Implemented logging within the script to capture any errors or unexpected behavior, but the root cause remains elusive.
Syntax Checks: Checked for syntax errors and verified the compatibility of PowerShell commands with the Intune execution environment.
Environment Testing: Tested the script locally on a device to ensure it runs as expected, without encountering errors.
Intune Logs Examination: Reviewed the IntuneManagementExtension.log on the endpoint for potential error messages, but no clear resolution emerged.

I would greatly appreciate your insights. Please share any suggestions, best practices, or potential pitfalls to look out for. I am open to feedback on script structure, exit codes, or any other considerations that might impact the script's behavior in the Intune environment.

Here are my full script details. Your expertise and guidance would be immensely valuable in helping me overcome this challenge.

DetectAdminChange.ps1

```powershell
# Define the username of the local admin
$adminUsername = "OfflineAdmin"

# Define the default password
$defaultPassword = "MESY@15586!!!"

# Define the path to the log file
$logFilePath = "C:\ps_script_logs\ChangeLog.txt"

# Check if the admin user exists
if (Get-LocalUser -Name $adminUsername -ErrorAction SilentlyContinue) {
    # Admin user exists, check if the password has changed
    $currentPassword = (Get-LocalUser -Name $adminUsername).Password

    if ($currentPassword -ne $defaultPassword) {
        # Password has changed, log the event
        Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin password changed."

        # Set exit code for password change
        Exit 1
    } else {
        # Password has not changed, exit with code 0 (no action needed)
        Exit 0
    }
}
else {
    # Admin user doesn't exist, exit with code 2 (requires remediation)
    Exit 2
}
```

===========================================================

RemediateAdmin.ps1

```powershell
# Define the username of the local admin
$adminUsername = "OfflineAdmin"

# Define the default password
$defaultPassword = "MESY@15586!!!"

# Define the path to the log file
$logFilePath = "C:\ps_script_logs\RemediationLog.txt"

# Set the default password for the admin user
$password = ConvertTo-SecureString -String $defaultPassword -AsPlainText -Force
Set-LocalUser -Name $adminUsername -Password $password

# Set password to not expire and cannot change
Set-LocalUser -Name $adminUsername -PasswordNeverExpires $true -CannotChangePassword $true

# Log the remediation event
Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin account remediated with default password."

# Exit with code 0 (success)
Exit 0
```

Thank you in advance for your time and assistance. I am eager to learn from your experiences and insights.

@andrew-s-taylor
Collaborator

Do you have this deployed in the system context?

@carolceguerra
Author

Yes, I did. Let me share with you the screenshot that I got in Intune when I uploaded this script:
[Screenshot: Remediation Error]

When I checked on my test machine, the script worked perfectly fine and did what I expected.
[Screenshots: log1, log2]

Please help me as I am new to Intune and need some guidance from an expert like you. :)

@andrew-s-taylor
Collaborator

It's your remediation which is failing. You might want to add some logging around the commands; one of them will be failing.

@carolceguerra
Author

I am not sure what I am missing. I have been trying to change my command a few times, but no luck. I've been working on this script for 3 weeks, and until now I don't have answers for myself. That's why I tried to ask for some help and raise a ticket with Microsoft, but I never heard any feedback from them. Would you mind helping me with what command I am missing? That would be helpful, and I will appreciate your kindness on this one.

@andrew-s-taylor
Collaborator

It'll be one of your Set-LocalUser commands which is failing, but I would suggest adding logging so you can find out which.

@SasStu

SasStu commented Feb 1, 2024

Set-LocalUser is only available in 64-bit PowerShell, which you must activate explicitly in the remediation configuration.

@carolceguerra
Author

> Set-LocalUser is only available in 64-bit PowerShell, which you must activate explicitly in the remediation configuration.

The 64-bit PowerShell is already enabled; however, I am still getting the same issue.
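
The per-command logging suggested in this thread, together with a record of the execution context (account and 64-bit process), could look like the following. This is an added example, not code from any participant or from the project: the helper names `Write-Log` and `Invoke-LoggedStep` are hypothetical, the password is a placeholder, and it uses `-UserMayChangePassword`, the parameter `Set-LocalUser` documents for this setting.

```powershell
# Added example, not the poster's script. Helper names are hypothetical.
$adminUsername = 'OfflineAdmin'
$logDir        = 'C:\ps_script_logs'
$logFilePath   = Join-Path $logDir 'RemediationLog.txt'

# Create the log folder first; Add-Content fails if the directory is missing.
if (-not (Test-Path -Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}

function Write-Log {
    param([string]$Message)
    Add-Content -Path $logFilePath -Value "$(Get-Date -Format s) - $Message"
}

function Invoke-LoggedStep {
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action
        Write-Log "OK: $Name"
    }
    catch {
        # Record which step failed and why, then signal failure with exit 1.
        Write-Log "FAILED: $Name - $($_.Exception.Message)"
        Write-Output "Remediation failed at step '$Name': $($_.Exception.Message)"
        exit 1
    }
}

# Record the execution context raised in the thread (SYSTEM, 64-bit host).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Log "Running as $identity; 64-bit process: $([Environment]::Is64BitProcess)"

# -ErrorAction Stop turns non-terminating errors into ones try/catch can see.
Invoke-LoggedStep 'Find account' {
    Get-LocalUser -Name $adminUsername -ErrorAction Stop | Out-Null
}
Invoke-LoggedStep 'Set password' {
    # Placeholder value, constructed for this example.
    $password = ConvertTo-SecureString -String '<PLACEHOLDER-PASSWORD>' -AsPlainText -Force
    Set-LocalUser -Name $adminUsername -Password $password -ErrorAction Stop
}
Invoke-LoggedStep 'Set password policy flags' {
    Set-LocalUser -Name $adminUsername -PasswordNeverExpires $true -UserMayChangePassword $false -ErrorAction Stop
}

Write-Log 'Remediation completed.'
exit 0
```

Each step writes either an `OK` or a `FAILED` line with the exception message, so the log shows the first command that failed rather than only the final exit code.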
