initiateOnDemandProactiveRemediation versus script package filter #76

Open
andyrobbins opened this issue Dec 13, 2024 · 0 comments

Hello,

The initiateOnDemandProactiveRemediation action seems to not be subject to script package filters. Is this intended?

In a lab I have created this scenario:
[Screenshot 2024-12-13 at 12:53:13 PM]

  • The script package is configured to include an empty Entra group. There are no principals added to that group.
  • The script package is configured to exclude one Entra group - that one group has one Entra device as its member.
  • The Entra device that has been added to that group is represented in the Intune service as a distinct object, but they are the same device/host.

The script package is set to run every 24 hours. After waiting several days, I can see that the script does not run on the device - this is expected.

I have created an Entra service principal and granted it (and provided admin consent for) the MS Graph app role called DeviceManagementManagedDevices.PrivilegedOperations.All.

Next, I acquired a token for the service principal. With that token, I submitted a request to the device's initiateOnDemandProactiveRemediation endpoint:

# Client-credentials token for the service principal (Get-MSGraphTokenWithClientCredentials is the
# reporter's own helper, not a built-in cmdlet)
$Token = (Get-MSGraphTokenWithClientCredentials `
    -ClientID     '0763de68-0b39-4237-9c45-6da4494d3a93' `
    -ClientSecret '<...>' `
    -TenantName   'specterdev.onmicrosoft.com').access_token

# Target the managedDevice's initiateOnDemandProactiveRemediation action (beta endpoint)
$URI = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/e537180b-6d04-427e-bf93-dbde818400eb/initiateOnDemandProactiveRemediation"

# The remediation (proactive remediation / device health script) package to run
$Body = @{
  scriptPolicyId = 'c761676b-b4ba-4ae8-b2e8-ef311f5bac28'
}

$InitiateOnDemandRemediationScriptExecutionRequest = Invoke-RestMethod `
    -Method "POST" `
    -UseBasicParsing `
    -URI $URI `
    -Body $($Body | ConvertTo-JSON) `
    -Headers @{
        "Authorization"="Bearer $($Token)"
    } `
    -ContentType "application/json"

I expected this to fail, as the script package excludes the Entra group that this device belongs to; however, the script successfully ran on the endpoint.

Is this intended behavior?

Thank you.
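Because the on-demand action does not appear to honour the package's include/exclude groups, an operator or reviewer may want to evaluate the scope independently before (or when auditing) such a call. The following added example is not part of the issue or of any Microsoft code; it assumes a Graph token with read access to Intune configuration and Entra devices (DeviceManagementConfiguration.Read.All and Device.Read.All are assumed to suffice) and uses the documented `deviceHealthScripts/{id}/assignments`, `managedDevices/{id}` and `devices/{id}/transitiveMemberOf` endpoints.

```powershell
# Added example: is this managedDevice inside the remediation package's assignment scope?
# Assumes $Token carries the read scopes named in the lead-in (assumption, not from the issue).
function Test-RemediationScopeForDevice {
    param(
        [Parameter(Mandatory)][string]$ManagedDeviceId,
        [Parameter(Mandatory)][string]$ScriptPolicyId,
        [Parameter(Mandatory)][string]$Token
    )
    $Headers = @{ Authorization = "Bearer $Token" }
    $Graph   = 'https://graph.microsoft.com'

    # Map the Intune managedDevice to its Entra device object (azureADDeviceId -> device.deviceId).
    $Managed = Invoke-RestMethod -Headers $Headers `
        -Uri "$Graph/beta/deviceManagement/managedDevices/${ManagedDeviceId}?`$select=azureADDeviceId,deviceName"
    $Entra = Invoke-RestMethod -Headers $Headers `
        -Uri "$Graph/v1.0/devices?`$filter=deviceId eq '$($Managed.azureADDeviceId)'"
    if (-not $Entra.value) { throw "No Entra device object found for managedDevice $ManagedDeviceId" }
    $EntraObjectId = $Entra.value[0].id

    # Transitive membership so nested groups are honoured.
    $Groups = (Invoke-RestMethod -Headers $Headers `
        -Uri "$Graph/v1.0/devices/$EntraObjectId/transitiveMemberOf?`$select=id").value.id

    # Walk the package's assignments: all-devices, include group, exclude group.
    $Assignments = (Invoke-RestMethod -Headers $Headers `
        -Uri "$Graph/beta/deviceManagement/deviceHealthScripts/$ScriptPolicyId/assignments").value
    $Included = $false; $Excluded = $false
    foreach ($A in $Assignments) {
        switch ($A.target.'@odata.type') {
            '#microsoft.graph.allDevicesAssignmentTarget'     { $Included = $true }
            '#microsoft.graph.groupAssignmentTarget'          { if ($Groups -contains $A.target.groupId) { $Included = $true } }
            '#microsoft.graph.exclusionGroupAssignmentTarget' { if ($Groups -contains $A.target.groupId) { $Excluded = $true } }
        }
    }
    # Exclusions win over inclusions, matching the scheduled-run behaviour the issue describes.
    [pscustomobject]@{
        DeviceName = $Managed.deviceName
        Included   = $Included
        Excluded   = $Excluded
        InScope    = ($Included -and -not $Excluded)
    }
}

# Usage with the identifiers from the issue:
# Test-RemediationScopeForDevice -ManagedDeviceId 'e537180b-6d04-427e-bf93-dbde818400eb' `
#     -ScriptPolicyId 'c761676b-b4ba-4ae8-b2e8-ef311f5bac28' -Token $Token
```

For the scenario in the issue this should report `Included = $false`, `Excluded = $true`, `InScope = $false`, which is what a consumer of the on-demand action would need to enforce itself. The check covers group targets only; Intune assignment filters (rules on device properties) are not evaluated here.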
