How to fix broken device sync using Proactive Remediation Scripts feature in Intune

In the world of Microsoft Endpoint Manager (MEM), it is important that devices regularly check in with Intune. If this breaks down, you practically lose the ability to manage the devices with any MDM-based policies. However, not everything is lost at this point; there is a way to get around this and get your devices checking in again.

I recently dealt with an issue where devices stopped checking in soon after they were enrolled. The investigation into the root cause is still ongoing, and a third-party remote management application is under suspicion. I don’t want to go into too much detail about the application since the investigation has not concluded yet, but I must say that the app was found to be interfering with the Intune services during Autopilot and had to be removed from the standard list of apps. Instead, it was made available for users to install from the Company Portal, and almost every device on which it was installed stopped checking in.

On further investigation, I found that the service responsible for the device checking into Intune, dmwappushservice, had gone missing from services.msc. I needed a quick way to get the devices checking in again until the root cause was identified. Enter the Proactive Remediations feature in Intune.

What are Proactive remediation scripts?

Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realize there's a problem. Each script package consists of a detection script, a remediation script, and metadata. The feature is part of Endpoint Analytics, and you need to make sure you have the relevant licensing to use it. For the licensing requirements, refer to Microsoft's Endpoint Analytics documentation.

The important thing to note here is that this feature relies on the Intune Management Extension service running on the device. This service lets you deploy any PowerShell script through Intune, which extends the device management capabilities in MEM. Luckily for me, this service was found to be intact, so I could move ahead with my workaround.

What is involved?

The setup consists of two parts:

1. Export the dmwappushservice registry key from a healthy device and deploy it using a PowerShell script.
2. Deploy a Proactive remediation script package.

Exporting the registry key and deploying it using PowerShell

On a healthy machine where the sync is working, export the following registry key:

HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice

Once done, use the following PowerShell script to write the exported content to a .reg file on the targeted machine and then import it locally on the device.

# Define the .reg content as a single-quoted here-string (no variable expansion).
# This is the dmwappushservice key exported from a healthy device. regedit expects
# the version header on the first line and each [key] at the start of its line;
# a trailing backslash continues a hex value on the next (indented) line.
$content = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice]
"DelayedAutoStart"=dword:00000000
"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00
"Description"="@%SystemRoot%\\system32\\dmwappushsvc.dll,-201"
"DisplayName"="Device Management Wireless Application Protocol (WAP) Push message Routing Service"
"ErrorControl"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\
  00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\
  00,00,00,00,10,27,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,20,00,2d,00,70,00,00,\
  00
"ObjectName"="LocalSystem"
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,57,00,6f,00,72,\
  00,6b,00,69,00,6e,00,67,00,53,00,65,00,74,00,50,00,72,00,69,00,76,00,69,00,\
  6c,00,65,00,67,00,65,00,00,00,00,00
"ServiceSidType"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\Parameters]
"IdleTimeout(sec)"=dword:00000078
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,6d,00,77,00,61,00,70,00,70,00,75,00,73,00,68,00,73,00,76,00,63,00,2e,\
  00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceMain"="ServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\Security]
"Security"=hex:01,00,04,80,b0,00,00,00,bc,00,00,00,00,00,00,00,14,00,00,00,02,\
  00,9c,00,07,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,\
  00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,\
  00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,\
  01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,14,00,00,00,01,\
  02,00,00,00,00,00,0f,02,00,00,00,01,00,00,00,00,00,14,00,14,00,00,00,01,01,\
  00,00,00,00,00,05,04,00,00,00,00,00,14,00,14,00,00,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,\
  12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\0]
"Action"=dword:00000001
"Data0"=hex:37,00,39,00,35,00,42,00,36,00,42,00,46,00,39,00,2d,00,39,00,37,00,\
  42,00,36,00,2d,00,34,00,46,00,38,00,39,00,2d,00,42,00,44,00,38,00,44,00,2d,\
  00,32,00,46,00,34,00,32,00,42,00,42,00,42,00,45,00,39,00,39,00,36,00,45,00,\
  00,00
"DataType0"=dword:00000002
"GUID"=hex:67,d1,90,bc,70,94,39,41,a9,ba,be,0b,bb,f5,b7,4d
"Type"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\1]
"Action"=dword:00000001
"Data0"=hex:39,00,34,00,35,00,36,00,39,00,33,00,63,00,34,00,2d,00,33,00,36,00,\
  34,00,38,00,2d,00,34,00,39,00,36,00,36,00,2d,00,62,00,32,00,61,00,61,00,2d,\
  00,33,00,37,00,64,00,36,00,36,00,65,00,32,00,34,00,34,00,39,00,35,00,66,00,\
  00,00
"DataType0"=dword:00000002
"GUID"=hex:67,d1,90,bc,70,94,39,41,a9,ba,be,0b,bb,f5,b7,4d
"Type"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice\TriggerInfo\2]
"Action"=dword:00000001
"Data0"=hex:75,90,bc,a3,28,00,92,13
"DataType0"=dword:00000001
"GUID"=hex:16,28,7a,2d,5e,0c,fc,45,9c,e7,57,0e,5e,cd,e9,c9
"Type"=dword:00000007
'@

# Create the folder that holds the .reg file and write it as UTF-16 LE with a BOM,
# which is the encoding regedit expects for "Version 5.00" files.
$path = "C:\AutopilotScripts"
if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
$regFile = Join-Path $path "dmwappushservice.reg"
Out-File -FilePath $regFile -Encoding unicode -Force -InputObject $content -Confirm:$false

# Import silently (/S suppresses the confirmation dialog) and wait for regedit to exit,
# because PowerShell does not otherwise wait for a GUI executable to finish.
Start-Process -FilePath regedit.exe -ArgumentList "/S `"$regFile`"" -Wait

Now we upload the script to Intune and assign it to a device group.
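One caveat worth handling before deploying the step above: by default, a folder created directly under C:\ inherits an ACL that lets any authenticated user create and modify files in it, and the .reg file placed there is later imported by a script running as SYSTEM. The following is an added example, not code from the original post, that restricts the folder to SYSTEM and Administrators and verifies the file's SHA256 before importing it. It assumes the C:\AutopilotScripts folder and dmwappushservice.reg file from the step above; the expected hash is a placeholder to be filled in from the file written on a trusted machine.

```powershell
# Added example (not from the original post): harden the drop folder for the .reg
# export and verify the file before regedit imports it as SYSTEM.
# Assumptions: folder C:\AutopilotScripts and file dmwappushservice.reg from step 1;
# $expectedSha256 is a placeholder you fill in from the trusted copy of the file.
$path    = "C:\AutopilotScripts"
$regFile = Join-Path $path "dmwappushservice.reg"
$expectedSha256 = "<SHA256-OF-TRUSTED-REG-FILE>"   # placeholder, not a real hash

if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force | Out-Null
}

# Stop inheriting the permissive ACL from C:\ and grant only SYSTEM and the
# local Administrators group, so a standard user cannot alter a file that a
# SYSTEM-level remediation script later imports.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)            # protect, drop inherited ACEs
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
foreach ($id in @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Only import when the file on disk matches the hash recorded at export time.
if (!(Test-Path $regFile)) {
    Write-Output "Missing $regFile"
    exit 1
}
$actual = (Get-FileHash -Path $regFile -Algorithm SHA256).Hash
if ($actual -ne $expectedSha256) {
    Write-Output "Hash mismatch for $regFile (got $actual); refusing to import"
    exit 1
}
# /S imports silently; -Wait makes PowerShell wait for the GUI process to exit.
Start-Process -FilePath regedit.exe -ArgumentList "/S `"$regFile`"" -Wait
exit 0
```

Run it once from the same PowerShell script that writes the file; the ACL change is idempotent, and the hash check fails closed, so a modified or truncated file is reported instead of imported.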

Deploying Proactive remediation script

While I continued to investigate the root cause, I wanted to ensure that the devices check in regularly. This is where Proactive remediation scripts come in handy: the normal PowerShell script feature runs only once if the execution was successful, and I needed something that checks for the presence of the registry key and fixes it on a schedule.

To progress, I created the following detection and remediation scripts.

Detection script (we check whether the Start value of the service is set to Automatic, i.e. 2):

# Detection: exit 0 (compliant) only when the service key exists and Start = 2 (Automatic).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice"
try {
    $start = Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction Stop
} catch {
    # Key or value missing: the service has disappeared, which is the non-compliant case.
    Write-Output 'Value does not exist'
    exit 1
}
if ($start -eq 2) {
    Write-Output 'Value exists'
    exit 0
} else {
    Write-Output 'Value does not exist'
    exit 1
}

Remediation script (if the detection reports non-compliance, the remediation script re-imports the registry file from the path where we stored it in the first step. I also added a step that sets the Start value to Automatic as a precaution, in case the service was set to any other state between the import and the evaluation of the if condition):

$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice"
$regFile = "C:\AutopilotScripts\dmwappushservice.reg"

# Re-import the key exported in step 1. Bail out if the file is not there,
# otherwise regedit /S fails silently and nothing would actually be fixed.
if (!(Test-Path $regFile)) {
    Write-Output "Registry export not found at $regFile"
    exit 1
}
Start-Process -FilePath regedit.exe -ArgumentList "/S `"$regFile`"" -Wait

# As a precaution, force Start back to Automatic (2) in case it was changed
# between the import and this check.
$start = Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction SilentlyContinue
if ($start -ne 2) {
    Write-Output 'Value does not exist'
    Set-ItemProperty -Path $key -Name "Start" -Value 2 -Type DWord -ErrorAction SilentlyContinue
}

# Report the final state: exit 0 = remediated, exit 1 = remediation failed.
$start = Get-ItemPropertyValue -Path $key -Name "Start" -ErrorAction SilentlyContinue
if ($start -eq 2) {
    Write-Output 'Value exists'
    exit 0
}
exit 1
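Before uploading a package, it helps to run the pair locally with the exit-code semantics the Intune Management Extension applies: detection runs first, remediation runs only when detection exits non-zero, and detection runs again afterwards to classify the outcome. The following is an added example, not part of the original post, that does exactly that from an elevated 64-bit PowerShell session; the file names Detect.ps1 and Remediate.ps1 are assumed placeholders for the two scripts above.

```powershell
# Added example, not from the original post: exercise a detection/remediation pair
# locally with the exit-code semantics the Intune Management Extension applies.
# Assumptions: Detect.ps1 and Remediate.ps1 (placeholder names) sit in the current
# folder, and this runs from an elevated 64-bit PowerShell because the scripts edit HKLM.
$ps64 = Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\powershell.exe"

function Invoke-PRScript {
    param([Parameter(Mandatory)][string]$ScriptPath)
    $full = (Resolve-Path -Path $ScriptPath).Path
    # -Wait -PassThru returns the process object, so we can read the exit code that
    # Intune uses: 0 = compliant / remediated, anything else = non-compliant / failed.
    $p = Start-Process -FilePath $ps64 -Wait -PassThru -WindowStyle Hidden `
        -ArgumentList @("-NoProfile", "-ExecutionPolicy", "Bypass", "-File", "`"$full`"")
    return $p.ExitCode
}

# 1. Detection. Exit 0 means compliant and nothing else runs.
$detect = Invoke-PRScript -ScriptPath ".\Detect.ps1"
Write-Output "Detection exit code: $detect"
if ($detect -eq 0) {
    Write-Output "Device is compliant; remediation skipped"
    exit 0
}

# 2. Remediation runs only after a non-zero detection result.
$remediate = Invoke-PRScript -ScriptPath ".\Remediate.ps1"
Write-Output "Remediation exit code: $remediate"

# 3. Detection runs again so the outcome can be classified as fixed or still present.
$recheck = Invoke-PRScript -ScriptPath ".\Detect.ps1"
if ($recheck -eq 0) {
    Write-Output "Issue fixed: Start is back to Automatic (2)"
} else {
    Write-Output "Issue still present after remediation (detection exit $recheck)"
}
exit $recheck
```

Each script runs in its own 64-bit powershell.exe process, matching the "run in 64-bit PowerShell" setting chosen later in the portal, so a script that only works in a 32-bit host or that relies on the caller's profile shows up here rather than on the fleet.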

Now we import the scripts into Intune.

1. Sign in to https://endpoint.microsoft.com
2. Browse to Reports – Proactive Remediations – Create a Script Package
3. Fill in the relevant fields such as Name, Description and Publisher, and hit Next.
4. In the settings section, select the detection and remediation scripts covered above. It should then look something like this.


5. Set the script to run in 64-bit PowerShell and leave the remaining options at their defaults.

6. Assign scope tags if required and then assign the package to a device-based group. You can define how often the Proactive script runs; I set it to run daily against production devices to suit my requirements. One thing to note here is that the dmwappushservice service will not be recreated until the device is rebooted. You could script the reboot as well, but since it can disrupt the user’s work, I decided to leave it out.


The Intune Management Extension agent checks in with Intune once every hour and after every reboot for new scripts or changes. The run results can be monitored directly in Intune under Reports->Endpoint Analytics-><Name of your Proactive Script>.

Conclusion

Normally, pushing a PowerShell script may be enough to write the registry file and import it. However, since that execution is not repeated, Proactive remediation scripts come in handy for device troubleshooting scenarios like the one covered in this blog. In my case, after the scripts ran and the machines were rebooted, they immediately started checking into Intune again.

Happy days..!
