In the world of Microsoft Endpoint Manager (MEM), it is important that devices check in with Intune regularly. If that check-in breaks, you effectively lose the ability to manage the device through any MDM-based policy. Not everything is lost at that point, though: there is a way to get around it and get your devices checking in again.
I recently dealt with an issue where devices stopped checking in soon after they were enrolled. While the investigation into the root cause is ongoing, a third-party remote management application is under suspicion. I don't want to go into too much detail about the application while the investigation is open, but the app was found to be interfering with the Intune services during Autopilot and had to be removed from the standard list of apps. It was instead made available to users to install from the Company Portal, and almost every device where it was installed stopped checking in.
On further investigation it turned out that the service responsible for the device checking in to Intune, dmwappushservice, was missing from services.msc entirely. I needed a quick way to get the devices checking in again until the root cause was identified. Enter Intune's Proactive remediations feature.
What are Proactive remediation scripts?
Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realise there's a problem. Each script package consists of a detection script, a remediation script, and metadata. The feature is part of Endpoint analytics, and you will need to ensure you have the relevant licensing to use it. For licensing requirements, you can refer to the link here.
The important thing to note is that this feature relies on the Intune Management Extension service running on the device. That agent is what executes the PowerShell scripts you upload to Intune, extending the device management capabilities of MEM beyond what MDM alone offers. Luckily for me, this service was found to be intact and I could move ahead with my workaround.
What is involved?
The setup consists of 2 parts –
1. Export the dmwappushservice registry key from a healthy device and deploy it using a PowerShell script.
2. Deploy a Proactive remediation script package.
Exporting the registry key and deploying it using PowerShell
On a healthy machine where the sync is working, export the following registry key (File > Export in regedit) –
HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice
Once done, use the following PowerShell script to recreate the .reg file on the targeted machine and import it locally on the device. The here-string holds the exported content; .reg files must be written as UTF-16 (the unicode encoding) for regedit to parse them.
# define the exported .reg content here
$content = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice]
"DelayedAutoStart"=dword:00000000
"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00
"Description"="@%SystemRoot%\\system32\\dmwappushsvc.dll,-201"
"DisplayName"="Device Management Wireless Application Protocol (WAP) Push message Routing Service"
"ErrorControl"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\
  00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\
  00,00,00,00,10,27,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,20,00,2d,00,70,00,00,\
  00
"ObjectName"="LocalSystem"
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,57,00,6f,00,72,\
  00,6b,00,69,00,6e,00,67,00,53,00,65,00,74,00,50,00,72,00,69,00,76,00,69,00,\
  6c,00,65,00,67,00,65,00,00,00,00,00
"ServiceSidType"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\Parameters]
"IdleTimeout(sec)"=dword:00000078
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,6d,00,77,00,61,00,70,00,70,00,75,00,73,00,68,00,73,00,76,00,63,00,2e,\
  00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceMain"="ServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\Security]
"Security"=hex:01,00,04,80,b0,00,00,00,bc,00,00,00,00,00,00,00,14,00,00,00,02,\
  00,9c,00,07,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,\
  00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,\
  00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
  01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,14,00,00,00,01,\
  02,00,00,00,00,00,0f,02,00,00,00,01,00,00,00,00,00,14,00,14,00,00,00,01,01,\
  00,00,00,00,00,05,04,00,00,00,00,00,14,00,14,00,00,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,\
  12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\0]
"Action"=dword:00000001
"Data0"=hex:37,00,39,00,35,00,42,00,36,00,42,00,46,00,39,00,2d,00,39,00,37,00,\
  42,00,36,00,2d,00,34,00,46,00,38,00,39,00,2d,00,42,00,44,00,38,00,44,00,2d,\
  00,32,00,46,00,34,00,32,00,42,00,42,00,42,00,45,00,39,00,39,00,36,00,45,00,\
  00,00
"DataType0"=dword:00000002
"GUID"=hex:67,d1,90,bc,70,94,39,41,a9,ba,be,0b,bb,f5,b7,4d
"Type"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\1]
"Action"=dword:00000001
"Data0"=hex:39,00,34,00,35,00,36,00,39,00,33,00,63,00,34,00,2d,00,33,00,36,00,\
  34,00,38,00,2d,00,34,00,39,00,36,00,36,00,2d,00,62,00,32,00,61,00,61,00,2d,\
  00,33,00,37,00,64,00,36,00,36,00,65,00,32,00,34,00,34,00,39,00,35,00,66,00,\
  00,00
"DataType0"=dword:00000002
"GUID"=hex:67,d1,90,bc,70,94,39,41,a9,ba,be,0b,bb,f5,b7,4d
"Type"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\2]
"Action"=dword:00000001
"Data0"=hex:75,90,bc,a3,28,00,92,13
"DataType0"=dword:00000001
"GUID"=hex:16,28,7a,2d,5e,0c,fc,45,9c,e7,57,0e,5e,cd,e9,c9
"Type"=dword:00000007
'@

# create the custom folder and write the .reg file
$path = "C:\AutopilotScripts"
if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
# .reg files must be UTF-16 (unicode) for regedit to parse them
Out-File -FilePath "$path\dmwappushservice.reg" -Encoding unicode -Force -InputObject $content -Confirm:$false

# silent import of the staged file
regedit.exe /S "$path\dmwappushservice.reg"
Now we upload the script to Intune as a PowerShell script and assign it to a device group. Leaving "Run this script using the logged on credentials" at No keeps it running as SYSTEM, which the import into HKLM requires.
Deploying the Proactive remediation script
While I investigate the root cause, I want the devices to keep checking in regularly. This is where Proactive remediations come in handy: the normal PowerShell script feature runs a script only once if the execution was successful, and I needed something that checks for the presence of the registry key and fixes it on a schedule.
To progress, I created the following detection and remediation scripts.
Detection script (we check whether the service's Start value is 2, i.e. Automatic; if the whole key is missing, the value is missing too, so this also catches the service having disappeared):
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice"
# -ErrorAction SilentlyContinue: when the key itself is gone (our failure case),
# Get-ItemPropertyValue would otherwise log an error; $start ends up $null and the
# comparison below fails as intended
$start = Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction SilentlyContinue
if ($start -eq 2) {   # 2 = SERVICE_AUTO_START (Automatic)
    Write-Output 'Value exists'
    exit 0
} else {
    Write-Output 'Value does not exist'
    exit 1
}
Remediation script (if detection reports non-compliant, the remediation re-imports the .reg file from the path where the first script stored it. I also added a step that sets Start to Automatic as a precaution, in case the service was set to another state between the import and the check. Note that regedit.exe returns to PowerShell immediately, so the import has to be waited on before the value is checked):
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice"
$regFile = "C:\AutopilotScripts\dmwappushservice.reg"
if (!(Test-Path $regFile)) {
    Write-Output "Staged .reg file not found: $regFile"
    exit 1
}
# regedit.exe is a GUI process; without -Wait the check below can run before the import finishes
Start-Process -FilePath regedit.exe -ArgumentList "/S `"$regFile`"" -Wait
if ((Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction SilentlyContinue) -eq 2) {
    Write-Output 'Value exists'
    exit 0
} else {
    Write-Output 'Value does not exist; forcing Start to Automatic'
    # -Type DWord keeps the value type the Service Control Manager expects
    Set-ItemProperty -Path $key -Name "Start" -Value 2 -Type DWord -ErrorAction SilentlyContinue
    # report success only if the value now reads back as Automatic
    if ((Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction SilentlyContinue) -eq 2) { exit 0 } else { exit 1 }
}
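The Start value alone says little about whether the service is the real one: a key with Start=2 whose ServiceDll points somewhere else would pass the check above. The following is an added example (the editor's code, not from the original post) of a stricter detection/remediation pair. Detection verifies the values the healthy export carries (Automatic start, svchost-hosted, ServiceDll pointing at the in-box dmwappushsvc.dll) and that the DLL is a signed OS binary; remediation refuses to import the staged .reg unless its SHA-256 matches a value recorded at staging time, and uses reg.exe import for a synchronous call with a real exit code. The ProgramData location and the $ExpectedSha256 placeholder are assumptions of this example, not from the post; both functions are shown in one block, but in Intune each goes into its own script file with the one-line bodies noted at the end.

```powershell
# Added example, not code from the original post.
# Assumptions (this example's own): the .reg was staged under ProgramData in a
# SYSTEM/Administrators-only folder, and $ExpectedSha256 is the SHA-256 of that
# file recorded when it was staged.
$ServiceKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice'
$StagedRegFile  = Join-Path $env:ProgramData 'AutopilotScripts\dmwappushservice.reg'
$ExpectedSha256 = '<paste the SHA-256 recorded when the file was staged>'   # placeholder
$ExpectedDll    = Join-Path $env:SystemRoot 'system32\dmwappushsvc.dll'

function Test-DmwapPushService {
    # $true only when the service is registered the way the healthy export
    # describes it and its DLL carries a valid Windows signature.
    if (-not (Test-Path -LiteralPath $ServiceKey)) { return $false }
    $svc = Get-ItemProperty -LiteralPath $ServiceKey -ErrorAction SilentlyContinue
    $prm = Get-ItemProperty -LiteralPath "$ServiceKey\Parameters" -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $null -eq $prm) { return $false }
    # 2 = SERVICE_AUTO_START, 0x20 = SERVICE_WIN32_SHARE_PROCESS (values from the export)
    if ($svc.Start -ne 2 -or $svc.Type -ne 0x20) { return $false }
    $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
    if ($image -notlike "$env:SystemRoot\system32\svchost.exe -k netsvcs*") { return $false }
    $dll = [Environment]::ExpandEnvironmentVariables([string]$prm.ServiceDll)
    if ($dll -ne $ExpectedDll -or -not (Test-Path -LiteralPath $dll)) { return $false }
    # A swapped ServiceDll would still pass the Start check; requiring a valid
    # signature on a catalog-signed OS binary closes that gap.
    $sig = Get-AuthenticodeSignature -LiteralPath $dll
    return ($sig.Status -eq 'Valid' -and $sig.IsOSBinary)
}

function Repair-DmwapPushService {
    # Import the staged .reg only after proving it is the file we staged: this
    # runs as SYSTEM, so nothing a standard user can write may decide what
    # lands under HKLM\SYSTEM.
    if (-not (Test-Path -LiteralPath $StagedRegFile)) {
        Write-Output "Staged file missing: $StagedRegFile"
        return $false
    }
    $actual = (Get-FileHash -LiteralPath $StagedRegFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Output "Refusing import: SHA-256 $actual does not match the staged value"
        return $false
    }
    # reg.exe import is synchronous and returns non-zero on failure.
    & reg.exe import $StagedRegFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "reg.exe import failed with exit code $LASTEXITCODE"
        return $false
    }
    # Belt and braces: force Automatic start even if the import was partial.
    Set-ItemProperty -LiteralPath $ServiceKey -Name Start -Value 2 -Type DWord -ErrorAction SilentlyContinue
    # The Service Control Manager only reads a newly created service key at boot,
    # so success is judged from the registry and the reboot is left to policy.
    return (Test-DmwapPushService)
}

# Detection script body:   if (Test-DmwapPushService)   { exit 0 } else { exit 1 }
# Remediation script body: if (Repair-DmwapPushService) { exit 0 } else { exit 1 }
```

The hash pin is what makes the file-on-disk design safe: even if the staging folder's ACL is later loosened, the SYSTEM-level import only ever writes content that was approved when the file was staged.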
Now we import the scripts in Intune.
1. Sign in to https://endpoint.microsoft.com
2. Browse to Reports – Proactive remediations – Create a script package
3. Fill in the relevant fields like Name, Description and Publisher and hit Next.
4. In the Settings section, select the detection and remediation scripts covered above.
5. Set Run script in 64-bit PowerShell to Yes and leave the other options at their defaults (leaving "Run this script using the logged-on credentials" at No keeps the scripts running as SYSTEM, which the registry import requires).
6. Assign scope tags if required and then assign to a device-based group.
You can define how often the script package runs. I set it to run daily against production devices to suit my requirements. One thing to note is that although the registry key is restored straight away, the dmwappushservice service will not appear in services.msc or start until the device is rebooted. You can script the reboot as well, but since it can disrupt the user's work I decided to leave this out.
The Intune Management Extension agent checks in with Intune once every hour and after every reboot for any new scripts or changes. The run results can be monitored directly in Intune under Reports > Endpoint analytics > <name of your script package>.
Conclusion
Normally a single push of the PowerShell script would be enough to import the registry key. However, because that execution is not repeated, a Proactive remediation script package comes in handy for device troubleshooting scenarios like the one covered in this blog. In my case, after the scripts ran and the machines were rebooted, they immediately started checking in to Intune again.
Happy
days..!