|

Why Your Hourly Intune Remediation Doesn’t Run Within the First Hour

ByTechieGeek

You assign an hourly Intune remediation, wait an hour, and nothing happens. The device shows no execution history. You force a sync — still nothing. So you assume the policy is broken.

It’s not. The problem is how “hourly” is misunderstood.

What “Hourly” Actually Means

The word hourly creates a reasonable expectation: assign the remediation, and it runs within 60 minutes. But the Intune Management Extension (IME) doesn’t schedule the first run that way at all.

The hourly interval only controls how often the remediation runs after its first execution. Before that first run happens, the interval is irrelevant. The IME is not sitting on a countdown timer waiting to fire.

What Actually Triggers the First Run

The IME doesn’t receive push notifications when a remediation is assigned. It retrieves workloads from Intune at specific moments. That means the remediation policy doesn’t even appear on the device until one of these events occurs:

  • User signs in
  • Device restarts (or the IME service restarts)
  • Periodic workload retrieval cycle — runs every 8 hours

Once the device retrieves the policy, the IME checks one thing: has this remediation been executed before? If the answer is no, it runs immediately — no waiting.

The logic looks like this:

textRemediation policy retrieved
        ↓
Scheduler evaluates remediation
        ↓
No previous execution found
        ↓
Run remediation immediately

What Happens During Enrollment

New devices behave slightly differently. The IME installs during enrollment, retrieves workloads right away, and runs the remediation almost immediately — typically within a few minutes.

This is why you might see an “hourly” remediation fire just minutes after enrolling a fresh device. It’s not the hourly timer. It’s the immediate workload retrieval that happens as part of the IME startup.

That Mysterious 5-Minute Log Entry

After the first run, the scheduler writes a LastExecution timestamp to the registry and schedules a follow-up check 5 minutes later.

This trips up a lot of admins reading IME logs. Here’s what’s actually happening:

Time Event
12:39 Remediation executes for the first time
12:39 LastExecution timestamp written to registry
12:44 Scheduler reevaluates — blocked, interval not elapsed
13:39 Hourly interval elapsed — remediation runs again

The 5-minute entry is just a reevaluation, not a second execution. By the time it fires, the timestamp already exists and the hourly interval blocks another run.

Where the Hourly Schedule Is Anchored

The IME stores the execution timestamp in the registry at:

textHKLM\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts\Execution\

The hourly interval counts from that LastExecution timestamp — not from when the remediation was assigned. This is why remediations run at irregular times like 12:39, 13:39, rather than cleanly on the hour.

New Device vs. Existing Device

Device State First Run Behavior
Already enrolled Waits for next policy retrieval — sign-in, restart, or 8-hour cycle
Freshly enrolling IME installs, retrieves workloads immediately, runs within minutes

How to Force the First Run Without Waiting

If you’ve assigned a remediation to an existing device and don’t want to wait up to 8 hours for the periodic cycle, you have a few options:

  1. Sign the user out and back in — triggers a policy retrieval event
  2. Restart the device — restarts the IME service, which retrieves workloads
  3. Restart the IME service manually — open Services, restart Microsoft Intune Management Extension
  4. Run remediation on demand — in the Intune console, locate the device, click the three dots, and select Run remediation

The Key Takeaway

“Hourly” describes the recurring interval after the first run — not the time you have to wait for that first run to happen. On already-enrolled devices, the first execution depends entirely on when the device next retrieves its workloads from Intune.

If a remediation seems stuck, don’t tweak the policy. Just trigger a policy retrieval event and watch it fire immediately.

Testing Intune remediations? Always verify behavior on a freshly enrolled device first — it gives you the cleanest baseline for what the policy is actually doing.

Q1. What controls when an hourly Intune remediation runs for the first time on an existing device?

  • A) The one-hour schedule timer
  • B) A policy retrieval event ✅
  • C) A daily compliance check
  • D) The next Windows Update scan

Q2. The Intune Management Extension does NOT receive push notifications when a remediation is assigned. True or False?

  • A) False — Intune pushes the policy immediately
  • B) True — the IME retrieves workloads only at specific events ✅
  • C) True — but only for BYOD devices
  • D) False — push notifications are enabled by default

Q3. Which three events trigger the IME to retrieve remediation policy from Intune?

  • A) Device restart, user sign-in, every 8 hours ✅
  • B) Device restart, compliance check, every 30 minutes
  • C) User sign-in, app install, every 4 hours
  • D) Sync request, Autopilot enrollment, every 24 hours

Q4. If a remediation has no previous execution history, what does the IME do when it retrieves the policy?

  • A) Waits one full hour before running
  • B) Queues the task for the next reboot
  • C) Runs immediately ✅
  • D) Waits for user confirmation

Q5. Why might an “hourly” remediation fire within minutes of device enrollment?

  • A) Enrollment bypasses all scheduling
  • B) The IME installs, starts, retrieves workloads, and runs immediately with no execution history ✅
  • C) Autopilot forces all remediations to run first
  • D) Hourly means “as soon as possible” during enrollment

Q6. What does the 5-minute log entry after the first remediation run represent?

  • A) A second remediation execution
  • B) A compliance policy check
  • C) A scheduler reevaluation that is blocked because the interval hasn’t elapsed ✅
  • D) A failed detection script retry

Q7. Where does the IME store the execution timestamp used to anchor the hourly schedule?

  • A) HKCU\Software\Microsoft\Intune
  • B) HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts\Execution\
  • C) C:\Windows\System32\IME\Logs\
  • D) HKLM\SYSTEM\CurrentControlSet\Services\IME

Q8. An admin assigns a remediation to an existing enrolled device at 9:00 AM. The device has not restarted and no user has signed in. When is the earliest the remediation is guaranteed to run?

  • A) 10:00 AM (one hour after assignment)
  • B) 9:05 AM (after a forced sync)
  • C) Up to 8 hours later when the periodic retrieval cycle fires ✅
  • D) 9:30 AM (half-hour check-in)

Q9. Which of the following is the fastest supported way to trigger the first remediation run on an existing device without restarting it?

  • A) Wait for the next scheduled sync
  • B) Restart the Intune Management Extension service ✅
  • C) Re-assign the remediation in Intune
  • D) Delete and recreate the remediation policy

Q10. After the first run completes at 2:39 PM, when will the hourly remediation next execute?

  • A) 3:00 PM — on the next clean hour
  • B) 2:44 PM — the 5-minute follow-up run
  • C) 3:39 PM — one hour from the LastExecution timestamp ✅
  • D) The next time the user signs in

 

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *