Managing Windows services across a fleet of devices can be a daunting task—especially when you need to ensure that critical services are always running and set to start automatically. Whether it’s the Windows Update service, a custom in-house service, or something like the Print Spooler, ensuring these services are correctly configured is essential for system stability and compliance.
With Microsoft Intune and Proactive Remediations, we can automate the detection and correction of service misconfigurations. Let’s walk through how to create a remediation script that checks if a service is running and set to start automatically—and fixes it if it’s not.
🔍 The Scenario
Let’s say you want to ensure the Windows Update service (wuauserv) is:
- ✅ Running
- ⚙️ Set to Automatic startup type
If it’s not, Intune should fix it.
🧪 Detection Script
The detection script checks the current status and startup type of the service. If it’s not running or not set to automatic, it returns a non-zero exit code to trigger remediation.
```powershell
<#
    Script:      Detect Windows Update Service Status
    Author:      Daniel Fraubaum
    Version:     1.0.0
    Date:        2025-11-12
    Description: Intune Remediation Detection Script.
                 Checks if the 'wuauserv' (Windows Update) service is set to 'Automatic' and is currently running.
                 Returns exit code 0 if compliant, otherwise returns exit code 1.
#>

################################################################################
# Parameters
################################################################################
$ServiceName = "wuauserv"

################################################################################
# Helper Functions
################################################################################
# Returns the service object, or $null if the service does not exist.
function Get-ServiceSafe {
    param([string]$Name)
    try {
        return Get-Service -Name $Name -ErrorAction Stop
    } catch {
        return $null
    }
}

# Returns $true only if the service is both 'Automatic' and 'Running'.
function Test-ServiceCompliant {
    param([System.ServiceProcess.ServiceController]$Service)
    if (-not $Service) { return $false }
    return ($Service.StartType -eq 'Automatic' -and $Service.Status -eq 'Running')
}

################################################################################
# Detection Logic
################################################################################
$service = Get-ServiceSafe -Name $ServiceName

if (-not $service) {
    Write-Output "[Error] Service '$ServiceName' not found."
    Exit 1
}

if (Test-ServiceCompliant -Service $service) {
    Write-Output "[Success] '$ServiceName' is running and set to 'Automatic'."
    Exit 0
} else {
    Write-Output "[Non-Compliant] '$ServiceName' is not set to 'Automatic' or not running."
    Exit 1
}
```
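The same detection pattern generalized to several services, as an added example that is not part of the original scripts. It goes beyond the single-service case above: it reads `StartMode` and `State` from `Win32_Service` and names the service and property that drifted in its output. The `$Baseline` entries and the function name `Get-ServiceFinding` are assumptions for illustration.

```powershell
# Added example: baseline-driven detection for several services.
# The baseline below is an assumption; replace it with your own policy.
$Baseline = @(
    @{ Name = 'wuauserv'; StartMode = 'Auto'; State = 'Running' }
    @{ Name = 'Spooler';  StartMode = 'Auto'; State = 'Running' }
)

# Returns a one-line finding for a non-compliant service, or nothing if compliant.
function Get-ServiceFinding {
    param([hashtable]$Expected)

    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State in one query.
    $filter = "Name='{0}'" -f $Expected.Name
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter -ErrorAction SilentlyContinue

    if (-not $svc) {
        return "$($Expected.Name): not found"
    }

    $problems = @()
    if ($svc.StartMode -ne $Expected.StartMode) {
        $problems += "StartMode=$($svc.StartMode) (expected $($Expected.StartMode))"
    }
    if ($svc.State -ne $Expected.State) {
        $problems += "State=$($svc.State) (expected $($Expected.State))"
    }

    if ($problems.Count -gt 0) {
        return "$($Expected.Name): $($problems -join ', ')"
    }
}

# Collect findings for every baseline entry; empty results are filtered out.
$findings = @($Baseline | ForEach-Object { Get-ServiceFinding -Expected $_ } | Where-Object { $_ })

if ($findings.Count -gt 0) {
    # One summary line, so the reported output shows exactly what drifted.
    Write-Output ("[Non-Compliant] " + ($findings -join '; '))
    exit 1
}

Write-Output "[Success] All $($Baseline.Count) baseline services are compliant."
exit 0
```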
🛠️ Remediation Script
If the detection script finds an issue, this remediation script will fix it by setting the startup type to automatic and starting the service.
```powershell
<#
    Script:      Remediate Windows Update Service
    Author:      Daniel Fraubaum
    Version:     1.0.0
    Date:        2025-11-12
    Description: Intune Remediation Script.
                 Ensures that the 'wuauserv' (Windows Update) service is set to 'Automatic' and is running.
                 If not, sets the startup type and starts the service.
#>

################################################################################
# Parameters
################################################################################
$ServiceName = "wuauserv"

################################################################################
# Helper Functions
################################################################################
# Returns the service object, or $null if the service does not exist.
function Get-ServiceSafe {
    param([string]$Name)
    try {
        return Get-Service -Name $Name -ErrorAction Stop
    } catch {
        return $null
    }
}

# Sets the service to 'Automatic' and starts it; exits with code 1 on failure.
function Set-ServiceCompliant {
    param([System.ServiceProcess.ServiceController]$Service)
    $name = $Service.Name
    try {
        # Set startup type to Automatic
        Set-Service -Name $name -StartupType Automatic -ErrorAction Stop
        Write-Output "[Info] '$name' set to 'Automatic' startup."

        # Start service if not running
        if ($Service.Status -ne 'Running') {
            Start-Service -Name $name -ErrorAction Stop
            Write-Output "[Info] '$name' started successfully."
        } else {
            Write-Output "[Info] '$name' is already running."
        }
    } catch {
        Write-Output "[Error] Failed to configure '$name': $_"
        # Report the failure to Intune instead of falling through to Exit 0
        Exit 1
    }
}

################################################################################
# Remediation Logic
################################################################################
$service = Get-ServiceSafe -Name $ServiceName

if (-not $service) {
    Write-Output "[Warning] Service '$ServiceName' not found."
    Exit 1
}

Set-ServiceCompliant -Service $service
Exit 0
```
📦 Deploying in Intune
Here’s how to deploy:
- Go to Endpoint Analytics in Intune.
- Select Proactive Remediations.
- Click + Create script package.
- Name your package (e.g., “Ensure Windows Update Service is Running”).
- Upload the detection and remediation scripts as .ps1 files.
- Assign the package to your target device group.
- Set a schedule (daily, weekly, etc.).
Intune will run the detection script on each device. If the service isn’t running or set to automatic, the remediation script will fix it.
📊 Monitoring Results
Once deployed, Intune will run the detection script on the assigned devices. If the service is not running or not set to automatic, the remediation script will kick in. You can monitor the results in the Reports section of Proactive Remediations.
✅ Final Thoughts
Using Intune Proactive Remediations to manage Windows services is a powerful way to ensure compliance and system health without manual intervention. Whether you’re managing a few dozen devices or thousands, this approach scales beautifully and keeps your environment in check.
Happy automating! 💻✨

