# Intune setup & deployment

This section describes recommended steps and settings for deploying the detection and remediation scripts through Microsoft Intune (Endpoint Manager) using Proactive Remediations or the Device Management Scripts workflow.

  • How to deploy
    • Recommended deployment method
    • Proactive Remediations configuration (suggested)
    • If you do not use Proactive Remediations
    • Script parameterisation and configuration
  • Things to consider
    • Recommended runtime safety and behaviour settings
    • Prerequisites and environment considerations
    • Recommended rollout plan
    • Logging, troubleshooting and support
    • Common issues and mitigations
    • Security and information governance
  • Helpful Intune documentation links

# How to deploy

# Recommended deployment method

Use Intune > Devices > Manage Devices > Scripts and remediations > Create script package to deploy these scripts as a detection/remediation pair.

# Proactive Remediations configuration (suggested)

  • Run detection script: Daily (or more/less often depending on your tolerance for disk-space issues).
  • Run remediation: Allow remediation when detection fails. Proactive Remediations will run the remediation script automatically when the detection script reports non-compliance.
  • Detection script file: Win-Storage-Detect.ps1 (returns exit code 0 = compliant, 1 = non-compliant)
  • Remediation script file: Win-Storage-Remediate.ps1
  • Run as: System (do not run as user). The remediation requires administrative privileges for CleanMgr, DISM, event-log export, and deleting system-level files.
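  • Enforce script signature check: No (set to Yes only if you sign both scripts with a code-signing certificate that the target devices trust).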
  • Architecture: 64-bit (do not select "Run script in 32-bit PowerShell" for 64-bit clients).

# If you do not use Proactive Remediations

You may upload the remediation script as a normal Device Management script. In that case, schedule the detection script as a separate compliance check and run the remediation script only on devices that the detection run has flagged.

# Script parameterisation and configuration

Intune's script upload UI does not provide a built-in way to pass named PowerShell parameters at execution time. To change behaviour, either:

  • Edit the configuration variables near the top of Win-Storage-Remediate.ps1 (such as $oneDriveCleanupThreshold, $userProfileRetentionDays, $cleanupTypeSelection, $logsToClear and $MaxCleanupDurationMinutes) before upload; or
  • Wrap the uploaded script in a tiny launcher that sets variables and then dot-sources the main script (advanced).

# Things to consider

# Recommended runtime safety and behaviour settings

  • Always test with -DryRun locally to view the actions the script would take without applying destructive changes.
  • Use -SKIP_SLOW_IO in test environments where long I/O should be avoided (e.g., VMs with slow storage). In production, leave it off unless you have reason to avoid disk-bound operations.
  • The script attempts to be conservative about OneDrive and database files by matching configured $skipPathPatterns. Review and tune that list for your tenant if custom paths need to be excluded or included.

# Prerequisites and environment considerations

  • The remediation script must run elevated (System or Administrator). Intune Proactive Remediations running as System is recommended.
  • The script uses Windows-native tooling such as wevtutil, DISM and cleanmgr.exe. These tools are available on supported Windows client OSes (Windows 10/11). If you target older or custom Windows builds, validate tool availability.
  • Storage Sense cmdlets are used when present; they are available only on Windows client builds that include the corresponding module/commands. The script checks for cmdlet availability and skips those steps if not present.

# Recommended rollout plan

  1. Local validation: run Win-Storage-Remediate.ps1 -DryRun -Verbosity Verbose on a test VM and confirm logs and reported actions.
  2. Small pilot: deploy detection+remediation to a limited set of machines (1–5 devices). Monitor logs and disk outcomes.
  3. Phased rollout: expand to progressively larger rings, monitoring disk impact, archive usage, and support tickets.

# Logging, troubleshooting and support

  • Primary logs: the script writes a consolidated log to %TEMP%\<scriptName>.log (typically %TEMP%\Win-Storage-Remediate.log) and a temp log %TEMP%\<scriptName>_temp.log during execution. On failure the script writes archive diagnostics into the %TEMP%\ArchivedLogs folder.
  • If a remediation run appears to do nothing, check the detection script output first (detection returns exit codes). Then inspect the device logs under the user's TEMP and System TEMP (C:\Windows\Temp) and the archive folder for diagnostic files.
  • For troubleshooting, run the remediation script manually with -DryRun -Verbosity Verbose and review the transcript/log file. Also check Event Viewer for related errors.

# Common issues and mitigations

  • Problem: Intune script times out or is terminated mid-run.
    Mitigation: shorten the work the script does (use -CleanMgrOnly) or adjust your Intune script timeout settings if available; perform large cleanups during maintenance windows; ensure $MaxCleanupDurationMinutes is set reasonably.

  • Problem: DISM skipped due to pending reboot.
    Explanation: the script detects a pending reboot and will not run DISM unless -ForceDISMWhenPending is provided. This prevents partial cleanup operations that may be unsafe across reboots.

  • Problem: Event log exports fail on some logs (permission or file lock).
    Mitigation: the script logs individual export failures and continues; verify permissions and consider excluding problematic logs from $logsToClear.

# Security and information governance

  • This script archives and clears selected event logs. Ensure you coordinate with security and monitoring teams before broad deployment to avoid unintended loss of telemetry.
  • Ensure any archived log retention meets your organisation's compliance and retention policy. The script writes archives into %TEMP% by default — you may wish to redirect archive storage to a centralised location via a wrapper or post-processing step if required.
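
One way to implement the post-processing step mentioned above, as an added example that is not part of the project's own scripts: it copies archived event logs from the device to a central share and records a SHA-256 manifest so that the monitoring team can verify what was preserved. The share path `\\fileserver.example\LogArchive`, the `*.evtx` file filter and the function name `Copy-ArchivedLog` are assumptions made for illustration.

```powershell
# Added example: post-processing step that copies archived event logs off the device.
# Assumptions (not taken from Win-Storage-Remediate.ps1): archives are *.evtx files
# under %TEMP%\ArchivedLogs, and \\fileserver.example\LogArchive is a hypothetical
# share that the device's computer account can write to.
# When run as System, $env:TEMP resolves to C:\Windows\Temp.
[CmdletBinding()]
param(
    [string]$ArchiveRoot = (Join-Path $env:TEMP 'ArchivedLogs'),
    [string]$CentralRoot = '\\fileserver.example\LogArchive',   # hypothetical
    [string]$Filter      = '*.evtx'                             # assumed archive format
)

function Copy-ArchivedLog {
    param([string]$Source, [string]$DestinationRoot, [string]$Filter)

    $destDir  = Join-Path $DestinationRoot $env:COMPUTERNAME
    New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    $manifest = Join-Path $destDir 'manifest.csv'

    $files = Get-ChildItem -Path $Source -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $srcHash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # Prefix with part of the hash so a re-run never overwrites a different
        # file that happens to have the same name.
        $destPath = Join-Path $destDir ('{0}_{1}' -f $srcHash.Substring(0, 12), $file.Name)
        if (Test-Path -LiteralPath $destPath) { continue }   # copied on an earlier run

        Copy-Item -LiteralPath $file.FullName -Destination $destPath
        # Verify the copy before recording it; the source file is never deleted here.
        $dstHash = (Get-FileHash -LiteralPath $destPath -Algorithm SHA256).Hash
        if ($dstHash -ne $srcHash) {
            Write-Warning "Hash mismatch for $($file.FullName); not recorded in manifest."
            continue
        }
        [pscustomobject]@{
            CopiedUtc = (Get-Date).ToUniversalTime().ToString('o')
            Computer  = $env:COMPUTERNAME
            Source    = $file.FullName
            SHA256    = $srcHash
            Bytes     = $file.Length
        } | Export-Csv -Path $manifest -Append -NoTypeInformation
    }
}

if (Test-Path -LiteralPath $ArchiveRoot) {
    Copy-ArchivedLog -Source $ArchiveRoot -DestinationRoot $CentralRoot -Filter $Filter
} else {
    Write-Output "No archive folder at $ArchiveRoot; nothing to copy."
}
```

The step leaves the local archives in place, so local retention stays under the control of the remediation script and your retention policy.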

# Helpful Intune documentation links