Verify and replace Files with Proactive Remediations in Intune

Today I will show you how you can verify (small) files like configuration files with (Proactive) Remediations in Microsoft Intune. We can use this to replace Group Policy Preferences File rules, as long as the files are smaller then 200KB, if they are bigger i would suggest to wrap it in a Win32 Application, then you can use Delivery Optimization and Co. to optimize the downloads.

You can find a example script on my GitHub:


To check if we need to create / modify the file, we will compare the current file and the expected file by the SHA265 Hash in the Detection Script. In this example we use the Java Deployment Ruleset to be checked / replaced. As described in the script, we first need to read the Filehash of the file:

We will simply copy the Hash from the output to line 33 in the variable “RulesetOriginalHash”. Then we need to modify the Path and Filename in line 28 and 29 to match your needs


Next we will prepare the remediation script. We will convert the file to a base64 string to copy it into the remediation script in line 34 to variable “RulesetBase64”.

Make sure, to copy it without pagebreak, it has to be in one single line. Again modify line 28 and 29 to match Filepath and Filename to your needs.


Once we have our modified scripts, we can create a new (Proactive) Remedation in Intune to check for the file on a schedule

Set “Run script in 64-bit PowerShell” to yes.

And assign the script to a user or device group of your choice and set the schedule that you want to have


In case something goes wrong, you can check the created Logfiles, that are automatically created in C:\ProgramData for the detection and remediation script:





3 responses to “Verify and replace Files with Proactive Remediations in Intune”

  1. Simran Thukral


  2. David Adams

    These are very handy scripts, thank you, one question though – what do you do if the file needs to be created in the user profile? How can I leverage an environment variable like %userprofile%


    1. If you run the script with user rights, you can use “$env:username” to get the current username to create files in the user profile, as long as the user is allowed to access the needed folder.
      If you have to run it with system rights, you can check the currently logged on user by for example, looking in which account explorer.exe is currently running. I can write a short article about this, if you are interested.

      Best Regards

Leave a Reply

Your email address will not be published. Required fields are marked *