Remediations on demand in bulk

by

During the excellent Modern Endpoint Management summit in Paris, I was sitting in the equally excellent session from Florian Salzmann and one of the questions was if the Device bulk commands could send an on-demand remediation to multiple devices and the answer was no.

This gave me an idea so I built this script on the fly.

It will prompt to select a remediation and then select any devices, click OK and it will run that remediation against any and all devices selected.

Of course, it supports parameters and app registrations too.

You can grab it from GitHub here

https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-run-remediation-ondemand.ps1

Or PS Gallery Here:

Install-Script -Name bulk-run-remediation-ondemand

4 thoughts on “Remediations on demand in bulk”

  1. Hi Andrew,

    Thank you for providing this excellent tool! Would you be able to assist me with this error message?

    Invoke-MgGraphRequest : POST
    https://graph.microsoft.com/beta/deviceManagement/managedDevices(‘)/initiateOnDemandProactiveRemediation
    HTTP/1.1 403 Forbidden
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: 559ee630-3368-4de7-9104-681ba62fe7b3
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US
    2″,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”005″,”RoleInstance”:”BN2PEPF0000367D”}}
    Date: Thu, 21 Dec 2023 16:44:26 GMT
    Content-Encoding: gzip
    Content-Type: application/json
    {“error”:{“code”:”Forbidden”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”Application is not authorized to
    perform this operation. Application must have one of the following scopes:
    DeviceManagementManagedDevices.PrivilegedOperations.All – Operation ID (for customer support):
    00000000-0000-0000-0000-000000000000 – Activity ID: 559ee630-3368-4de7-9104-681ba62fe7b3 – Url:
    https://fef.msua01.mana
    ge.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices(‘863e048b-7f04-4acc-8fdf-4ea9b791064
    b’)/microsoft.management.services.api.initiateOnDemandProactiveRemediation?api-version=5023-09-09\”,\r\n
    \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{
    }\”\r\n}”,”innerError”:{“date”:”2023-12-21T16:44:26″,”request-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″,”client-reques
    t-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″}}}
    At C:\bulk-run-remediation-ondemand.ps1:252 char:5
    + Invoke-MgGraphRequest -uri $url -Method Post -Body $json -Content …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.Invok
    eMgGraphRequest

    Reply

  2. Hi Andrew,

    I got it working by adding “DeviceManagementManagedDevices.PrivilegedOperations.All” to the scope section of the script.

    Thanks!

    Reply

Leave a Comment