JayRHa / EndpointAnalyticsRemediationScripts

MIT License

Detection and Remediation issue #61

Open carolceguerra opened 8 months ago

carolceguerra commented 8 months ago

I would like to ask for help with a challenge I am having with an Intune script for detection and remediation. Despite multiple attempts, I have been encountering issues when uploading it to the Intune Admin Portal.

Problem Overview:

- Detection Status: Shows "With Issues" or sometimes "Without issues"
- Remediation Status: Shows "Recurred" or "Failed"

Attempts to Resolve:

- Exit Code Adjustments: I have tried adjusting the exit codes within the script to ensure proper success (exit 0) and failure (exit 1) signaling.
- Logging: Implemented logging within the script to capture any errors or unexpected behavior, but the root cause remains elusive.
- Syntax Checks: Checked for syntax errors and verified the compatibility of PowerShell commands with the Intune execution environment.
- Environment Testing: Tested the script locally on a device to ensure it runs as expected, without encountering errors.
- Intune Logs Examination: Reviewed the IntuneManagementExtension.log on the endpoint for potential error messages, but no clear resolution emerged.

I would greatly appreciate your insights. Please share any suggestions, best practices, or potential pitfalls to look out for. I am open to feedback on script structure, exit codes, or any other considerations that might impact the script's behavior in the Intune environment.

Here are my full script details. Your expertise and guidance would be immensely valuable in helping me overcome this challenge.

DetectAdminChange.ps1

```powershell
# Define the username of the local admin
$adminUsername = "OfflineAdmin"

# Define the default password
$defaultPassword = "MESY@15586!!!"

# Define the path to the log file
$logFilePath = "C:\ps_script_logs\ChangeLog.txt"

# Check if the admin user exists
if (Get-LocalUser -Name $adminUsername -ErrorAction SilentlyContinue) {
    # Admin user exists, check if the password has changed
    # (the LocalUser object returned by Get-LocalUser has no Password property,
    # so this expression is always $null and the comparison below is always true)
    $currentPassword = (Get-LocalUser -Name $adminUsername).Password

    if ($currentPassword -ne $defaultPassword) {
        # Password has changed, log the event
        Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin password changed."

        # Set exit code for password change
        Exit 1
    } else {
        # Password has not changed, exit with code 0 (no action needed)
        Exit 0
    }
} else {
    # Admin user doesn't exist, exit with code 2 (requires remediation)
    Exit 2
}
```

===========================================================

RemediateAdmin.ps1

```powershell
# Define the username of the local admin
$adminUsername = "OfflineAdmin"

# Define the default password
$defaultPassword = "MESY@15586!!!"

# Define the path to the log file
$logFilePath = "C:\ps_script_logs\RemediationLog.txt"

# Set the default password for the admin user
$password = ConvertTo-SecureString -String $defaultPassword -AsPlainText -Force
Set-LocalUser -Name $adminUsername -Password $password

# Set password to not expire and cannot change
# (Set-LocalUser has no -CannotChangePassword parameter; the setting is -UserMayChangePassword)
Set-LocalUser -Name $adminUsername -PasswordNeverExpires $true -UserMayChangePassword $false

# Log the remediation event
Add-Content -Path $logFilePath -Value "$(Get-Date) - Admin account remediated with default password."

# Exit with code 0 (success)
Exit 0
```

Thank you in advance for your time and assistance. I am eager to learn from your experiences and insights.

andrew-s-taylor commented 8 months ago

Do you have this deployed in the system context?

carolceguerra commented 8 months ago

Yes, I did. Let me share with you the screenshot that I got in Intune when I uploaded this script: [screenshot: Remediation Error]

When I checked on my test machine, the script worked perfectly fine and did what I expected. [screenshots: log1, log2]

Please help me as I am new to Intune and need some guidance from an expert like you. :)

andrew-s-taylor commented 8 months ago

It's your remediation that is failing; you might want to add some logging around the commands, as one of them will be failing.

carolceguerra commented 8 months ago

I am not sure what I am missing. I've been trying to change my command a few times, but no luck. I've been working on this script for 3 weeks, and I still don't have answers, which is why I tried to ask for some help and raised a ticket with Microsoft, but I never heard any feedback from them. Would you mind helping me with what command I am missing? That would be helpful, and I would appreciate your kindness on this one.

andrew-s-taylor commented 8 months ago

It'll be one of your Set-LocalUser commands that is failing, but I would suggest adding logging so you can find out which.

SasStu commented 8 months ago

set-localuser is only available in 64-bit PowerShell which you must activate explicitly in the remediation configuration.

carolceguerra commented 8 months ago

> set-localuser is only available in 64-bit PowerShell which you must activate explicitly in the remediation configuration.

The 64-bit PowerShell is already enabled; however, I am still getting the same issue.
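Two facts about the local-accounts cmdlets explain the symptoms reported in this thread. The LocalUser object returned by Get-LocalUser does not expose a Password property (only PasswordLastSet and similar metadata), so a script that reads `.Password` compares `$null` to the expected string, always exits 1, and Intune reports the issue as "Recurred" no matter what remediation did. And Set-LocalUser's parameter for blocking user-initiated changes is `-UserMayChangePassword $false`; there is no `-CannotChangePassword` parameter, so a call using that name throws, which Intune reports as a remediation "Failed". The pair below is an added example, not code from the issue or the EndpointAnalyticsRemediationScripts repository. It keeps the same cmdlets and log layout but detects a change by comparing PasswordLastSet to a baseline that remediation records, wraps each Set-LocalUser call in its own try/catch so the log names the failing command (the advice given above), records whether the process is 64-bit (SasStu's point), and returns only exit codes 0 and 1. The account name, password, directory and marker-file name are placeholders; it assumes the scripts run as SYSTEM with "Run script in 64-bit PowerShell" enabled.

```powershell
# Added example (not from the issue or the repository). Account name, password
# and paths are constructed placeholders. Assumes SYSTEM context, 64-bit host.

# ---------- Shared settings (copy into both uploaded scripts) ----------
$AdminUsername   = 'OfflineAdmin'
$DefaultPassword = 'PLACEHOLDER-CHANGE-ME'            # placeholder, not a real value
$LogDir          = 'C:\ps_script_logs'
$MarkerFile      = Join-Path $LogDir 'OfflineAdmin.PasswordLastSet'  # written by remediation

function Write-Log {
    param([string]$Script, [string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }
    # Every line records which script wrote it and whether the host is 64-bit,
    # so the IME log and this log can be matched up when something fails.
    $line = "{0:s} [{1}] [x64={2}] {3}" -f (Get-Date), $Script, [Environment]::Is64BitProcess, $Message
    Add-Content -Path (Join-Path $LogDir "$Script.log") -Value $line
}

# ---------- DetectAdminChange.ps1 ----------
# Returns 0 = compliant, 1 = run remediation. Only those two values are used,
# because they are the two that Intune interprets for a detection script.
function Invoke-Detection {
    try {
        $user = Get-LocalUser -Name $AdminUsername -ErrorAction Stop
    } catch {
        Write-Log 'Detect' "Account $AdminUsername missing: $($_.Exception.Message)"
        return 1
    }
    # LocalUser objects carry no Password property; PasswordLastSet is the only
    # password-related fact the OS exposes, so compare it to the timestamp
    # recorded when remediation last set the password.
    if (-not (Test-Path $MarkerFile)) {
        Write-Log 'Detect' 'No baseline marker; requesting remediation'
        return 1
    }
    $baseline = [datetime]::ParseExact((Get-Content $MarkerFile -Raw).Trim(), 'o',
        [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::RoundtripKind)
    if ($null -eq $user.PasswordLastSet -or $user.PasswordLastSet -gt $baseline) {
        Write-Log 'Detect' "Password changed after baseline $($baseline.ToString('o')): PasswordLastSet=$($user.PasswordLastSet)"
        return 1
    }
    Write-Log 'Detect' 'Password unchanged since baseline'
    return 0
}

# ---------- RemediateAdmin.ps1 ----------
# Each cmdlet runs in its own try/catch so the log names the one that failed.
# Any failure returns 1, which Intune shows as "Failed" rather than "Recurred".
function Invoke-Remediation {
    $secure = ConvertTo-SecureString -String $DefaultPassword -AsPlainText -Force
    $steps = @(
        @{ Name = 'Set-LocalUser -Password';              Action = { Set-LocalUser -Name $AdminUsername -Password $secure -ErrorAction Stop } }
        @{ Name = 'Set-LocalUser -PasswordNeverExpires';  Action = { Set-LocalUser -Name $AdminUsername -PasswordNeverExpires $true -ErrorAction Stop } }
        @{ Name = 'Set-LocalUser -UserMayChangePassword'; Action = { Set-LocalUser -Name $AdminUsername -UserMayChangePassword $false -ErrorAction Stop } }
    )
    foreach ($step in $steps) {
        try {
            & $step.Action
            Write-Log 'Remediate' "$($step.Name): ok"
        } catch {
            Write-Log 'Remediate' "$($step.Name): FAILED - $($_.Exception.Message)"
            return 1
        }
    }
    # Record the new PasswordLastSet so the next detection run has a baseline.
    $stamp = (Get-LocalUser -Name $AdminUsername).PasswordLastSet
    Set-Content -Path $MarkerFile -Value $stamp.ToString('o')
    Write-Log 'Remediate' "Baseline written: $($stamp.ToString('o'))"
    return 0
}

# In the uploaded files, keep the shared settings, Write-Log and exactly one of
# the two functions, then end the file with the matching line:
# exit (Invoke-Detection)      # DetectAdminChange.ps1
# exit (Invoke-Remediation)    # RemediateAdmin.ps1
```

The marker file is the design choice worth noting: because the password itself cannot be read back, "unchanged" is defined as "PasswordLastSet has not moved since remediation wrote it", and a missing marker is treated as non-compliant so the first run on a device always remediates once and then settles. The password still sits in plaintext in the script, as in the original, and is readable by anything that can read the Intune Management Extension script cache on the device; Windows LAPS is the usual replacement for a fixed local-admin password when that matters.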