Verify and replace Files with Proactive Remediations in Intune

Today I will show you how you can verify (small) files like configuration files with (Proactive) Remediations in Microsoft Intune. We can use this to replace Group Policy Preferences File rules, as long as the files are smaller than 200KB. If they are bigger, I would suggest wrapping them in a Win32 Application, so that you can use Delivery Optimization and Co. to optimize the downloads.

You can find an example script on my GitHub: https://github.com/mmeierm/Scripts/tree/main/Remediations

Detection

To check if we need to create / modify the file, we will compare the current file and the expected file by their SHA256 hash in the Detection Script. In this example we use the Java Deployment Ruleset to be checked / replaced. As described in the script, we first need to read the file hash of the file:

We will simply copy the hash from the output to line 33 into the variable “RulesetOriginalHash”. Then we need to modify the path and filename in lines 28 and 29 to match your needs.

Remediation

Next we will prepare the remediation script. We will convert the file to a base64 string and copy it into the remediation script in line 34 into the variable “RulesetBase64”.

Make sure to copy it without line breaks; it has to be one single line. Again, modify lines 28 and 29 to match the file path and filename to your needs.
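To make the detection / remediation pair described above concrete, here is an added example (not the script from my GitHub repo): a detection function that compares the SHA256 hash of the file on disk with the expected hash, and a remediation function that rebuilds the file from the base64 string and re-verifies it. The folder, file name, log file name, hash and base64 content are placeholders you replace with your own values.

```powershell
param([ValidateSet('Detect','Remediate')][string]$Mode = 'Detect')

# Placeholder values: replace with your own file, hash (from Get-FileHash) and base64 string.
$FilePath = 'C:\Windows\Sun\Java\Deployment'          # assumed target folder
$FileName = 'DeploymentRuleSet.jar'                   # assumed file name
$FullPath = Join-Path -Path $FilePath -ChildPath $FileName
$LogFile  = Join-Path -Path $env:ProgramData -ChildPath 'FileRemediation.log'   # assumed log name
$RulesetOriginalHash = '<PLACEHOLDER_SHA256>'
$RulesetBase64       = '<PLACEHOLDER_BASE64_ONE_LINE>'
# The base64 string is produced once, on a machine holding the good file, with:
#   [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\path\to\good\file'))

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

# Detection half: $true when the file exists and its SHA256 matches the expected hash.
function Test-FileHash {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Log "Missing: $Path"
        return $false
    }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $match  = $actual -ieq $ExpectedHash      # case-insensitive hex compare
    Write-Log "Hash check ${Path}: expected $ExpectedHash, got $actual, match=$match"
    return $match
}

# Remediation half: decode the base64 string, write the bytes, then verify the result.
function Restore-FileFromBase64 {
    param([string]$Path, [string]$Base64, [string]$ExpectedHash)
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -Path $dir -ItemType Directory -Force | Out-Null }
    $bytes = [Convert]::FromBase64String($Base64.Trim())   # Trim removes accidental whitespace/newlines
    [IO.File]::WriteAllBytes($Path, $bytes)                # byte-exact write, no text-encoding changes
    Write-Log "Wrote $($bytes.Length) bytes to $Path"
    return (Test-FileHash -Path $Path -ExpectedHash $ExpectedHash)
}

# Intune convention: exit 1 from the detection script triggers the remediation script, exit 0 = compliant.
switch ($Mode) {
    'Detect'    { if (Test-FileHash -Path $FullPath -ExpectedHash $RulesetOriginalHash) { exit 0 } else { exit 1 } }
    'Remediate' { if (Restore-FileFromBase64 -Path $FullPath -Base64 $RulesetBase64 -ExpectedHash $RulesetOriginalHash) { exit 0 } else { exit 1 } }
}
```

In Intune the two halves are uploaded as separate detection and remediation scripts; the `$Mode` switch only keeps them together here for reading.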

Intune

Once we have our modified scripts, we can create a new (Proactive) Remediation in Intune to check for the file on a schedule.

Set “Run script in 64-bit PowerShell” to yes.

Then assign the script to a user or device group of your choice and set the schedule that you want to have.

Troubleshooting

In case something goes wrong, you can check the log files that the detection and remediation scripts automatically create in C:\ProgramData:

Comments

3 responses to “Verify and replace Files with Proactive Remediations in Intune”

  1. Simran Thukral

    Amazing!!

  2. David Adams

    These are very handy scripts, thank you, one question though – what do you do if the file needs to be created in the user profile? How can I leverage an environment variable like %userprofile%

    Cheers!

    1. If you run the script with user rights, you can use “$env:username” to get the current username to create files in the user profile, as long as the user is allowed to access the needed folder.
      If you have to run it with system rights, you can check the currently logged on user by for example, looking in which account explorer.exe is currently running. I can write a short article about this, if you are interested.

      Best Regards
      Michael
