Platform scripts vs. Remediation scripts.

Platform scripts vs. Remediation scripts: what to use when, and where the difference lies.

Ahmad Hajjouz

9/9/2024 · 3 min read

Introduction

Have you ever wondered in which Intune use cases it would be handy to use remediation scripts vs. platform scripts? Are there any differences in how they work and how they are deployed?

Like platform scripts, remediation scripts date back some years in Intune. The feature was kind of hidden under the Endpoint Analytics blade and was called "proactive remediation" until it was renamed to "remediations" in mid-2023 and moved to the "Devices" blade.

Understanding Platform and Remediation scripts

Platform scripts: platform scripts are a great method to run single scripts on devices to initially set or change settings, or to fix minor issues that cannot be handled using Intune's built-in settings. On Windows, they allow you to upload PowerShell scripts, run them on devices, and choose some options for the context in which the script will run.

Platform scripts are also available for macOS and Linux devices, where you can run shell scripts. But today we will be focusing on Windows.

Remediation scripts: remediation scripts are a feature that allows you to run PowerShell scripts on Windows devices with some further adjustable options. Remediations consist of two scripts: one to detect (a setting, a state or an issue on devices) and the other to remediate it (change the setting or state, or fix the issue). This brings much more control and structure to the scripts.
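A detection/remediation pair as described above, as an added example that is not from the original post. Intune runs the remediation script when the detection script exits with code 1 and treats exit code 0 as "nothing to fix"; the text written with Write-Output is what shows up as script output in the console. The registry value checked (the policy value that turns off LLMNR), the $Mode switch and the helper function name are assumptions chosen for illustration, and because the script writes to HKLM it assumes the system context rather than the logged-on user's credentials.

```powershell
# Added example, not code from the original post.
# Upload this file twice: with $Mode = 'Detect' as the detection script
# and with $Mode = 'Remediate' as the remediation script.
# Assumption: the setting being enforced is the LLMNR policy value below.
$Mode = 'Detect'
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Name = 'EnableMulticast'
$Want = 0

function Get-CurrentValue {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

try {
    $current = Get-CurrentValue

    if ($Mode -eq 'Detect') {
        if ($current -eq $Want) {
            Write-Output "Compliant: $Name=$current"
            exit 0   # no issue found, remediation is not run
        }
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        Write-Output "Non-compliant: $Name is $shown, expected $Want"
        exit 1       # issue found, Intune runs the remediation script
    }

    # Remediate: create the key if needed, write the value, then verify it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Want -PropertyType DWord -Force | Out-Null
    if ((Get-CurrentValue) -ne $Want) { throw 'value was not applied' }
    Write-Output "Remediated: $Name set to $Want"
    exit 0
}
catch {
    # A single output line keeps the console columns readable.
    Write-Output "Error in ${Mode}: $($_.Exception.Message)"
    exit 1
}
```

Uploading only the 'Detect' variant gives the report-only behaviour: devices are flagged but nothing is changed.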

The deployment of the scripts

Platform scripts: platform scripts only allow you to assign the script to a group of devices or users, or to the generic "All Devices" or "All Users". However, they don't allow you to set a schedule or run the script on a regular basis. They are more for one-time fixes that are run on the devices through the Intune Management Extension.

Remediation scripts: unlike platform scripts, these offer more deployment options, as you can set a schedule and define the times and interval at which the scripts will run. This comes in handy for reporting or for fixes that need to run regularly.

Reporting

Platform scripts: platform scripts don't offer much reporting. Of course, you can build reporting into your scripts by writing the output to an external location such as Azure storage, but that is usually more complicated. Intune will, however, report the status of the script runs per device or user.

On the device itself, you can troubleshoot script runs using the Intune Management Extension logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs, which you can view with CMTrace.exe.

Remediation scripts: these offer a much better reporting experience, as they can show the output of the detection and remediation scripts directly in the Intune console. Although they are called remediation scripts, you can also use them only for reporting: you can provide just a detection script, without a remediation script, to report an issue or a state on devices.

The following can be reported using remediation scripts:

  • Username

  • Detection status

  • Remediation status

  • OS version

  • Last run

  • Pre-remediation detection error

  • Pre-remediation detection output

  • Remediation error

  • Post-remediation detection error

  • Post-remediation detection output

  • Filters

Limitations

Platform scripts:

  • No proper reporting

  • No time schedule

  • No frequency schedule

Remediation scripts:

  • 200 scripts limitation

  • Needs an enterprise license, as the Business Premium license doesn't cover this feature

Overall

For me, the platform scripts are more for initial, one-time changes to settings. They also offer support for other platforms like Linux and macOS. For later changes and more granular deployment, remediations are the way to go.

Happy testing!