During the excellent Modern Endpoint Management summit in Paris, I was sitting in the equally excellent session from Florian Salzmann and one of the questions was if the Device bulk commands could send an on-demand remediation to multiple devices and the answer was no.
This gave me an idea so I built this script on the fly.
It will prompt to select a remediation and then select any devices, click OK and it will run that remediation against any and all devices selected.
Of course, it supports parameters and app registrations too.
You can grab it from GitHub here
Or PS Gallery Here:
Install-Script -Name bulk-run-remediation-ondemand
Hi Andrew,
Thank you for providing this excellent tool! Would you be able to assist me with this error message?
Invoke-MgGraphRequest : POST
https://graph.microsoft.com/beta/deviceManagement/managedDevices(‘)/initiateOnDemandProactiveRemediation
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 559ee630-3368-4de7-9104-681ba62fe7b3
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US
2″,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”005″,”RoleInstance”:”BN2PEPF0000367D”}}
Date: Thu, 21 Dec 2023 16:44:26 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”Forbidden”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”Application is not authorized to
perform this operation. Application must have one of the following scopes:
DeviceManagementManagedDevices.PrivilegedOperations.All – Operation ID (for customer support):
00000000-0000-0000-0000-000000000000 – Activity ID: 559ee630-3368-4de7-9104-681ba62fe7b3 – Url:
https://fef.msua01.mana
ge.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices(‘863e048b-7f04-4acc-8fdf-4ea9b791064
b’)/microsoft.management.services.api.initiateOnDemandProactiveRemediation?api-version=5023-09-09\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{
}\”\r\n}”,”innerError”:{“date”:”2023-12-21T16:44:26″,”request-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″,”client-reques
t-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″}}}
At C:\bulk-run-remediation-ondemand.ps1:252 char:5
+ Invoke-MgGraphRequest -uri $url -Method Post -Body $json -Content …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.Invok
eMgGraphRequest
Hi Andrew,
I got it working by adding “DeviceManagementManagedDevices.PrivilegedOperations.All” to the scope section of the script.
Thanks!
Thank you, added the scope in 1.0.2
Very handy tool indeed!