Vulnerability hunting in Intune

Video description: Vulnerability hunting in Intune

To hunt down vulnerabilities in apps, you need to update the apps.
First, you must know what apps/software you have (inventory), so we start there by exporting all software to a CSV file that we open in Excel.
From there we pick a few applications (Mozilla Firefox, Git, GIMP) that the Excel spreadsheet shows are outdated and need updating to reduce vulnerabilities.
We create Proactive Remediation scripts (Detection and Remediation), update our clients, and verify that the update is successful.
We created a template (found further down in this description) that you can use to update the software you need, as long as it has a Winget ID.

As a bonus, we also look into the log files of Proactive Remediation scripts and their location when deployed to devices.
This video goes through a lot of useful real-world cases, so be sure to watch it all.

Links:
M365 Inventory: https://config.office.com/officeSetti...

Scripts:
Git Proactive Remediation DETECTION Script
#Software Detection Script to see if Git needs an update
#Author: John Bryntze
#Date: 2nd March 2023

#Variables
$JBNAppID = "Git.Git"
$JBNAppFriendlyName = "Git"

#Help the SYSTEM account find winget.exe; if the wildcard matches several folders, use the last match
$JBNWingetPath = Resolve-Path "$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe" | Select-Object -Last 1
Set-Location -Path $JBNWingetPath.Path

#Check locally installed software version
$JBNLocalInstalledSoftware = .\winget.exe list -e --id $JBNAppID --accept-source-agreements

#If not installed exit here...
if ($JBNLocalInstalledSoftware[-1] -eq 'No installed package found matching input criteria.')
{
    #The app is NOT installed...
    exit 0
}

#The third line from the end is the column header row; its second-to-last word is 'Available' only when an upgrade is offered
$JBNAvailable = (-split $JBNLocalInstalledSoftware[-3])[-2]

#Check if needs update
if ($JBNAvailable -eq 'Available')
{
    Write-Host $JBNAppFriendlyName "is installed but not the latest version, needs an update"
    exit 1
}

if ($JBNAvailable -eq 'Version')
{
    Write-Host $JBNAppFriendlyName "is installed and is the latest version"
    exit 0
}

if (!$JBNAvailable)
{
    Write-Host $JBNAppFriendlyName "is not installed"
    exit 0
}

Git Proactive Remediation REMEDIATION Script
#Software Remediation Script to update the software
#Author: John Bryntze
#Date: 2nd March 2023

#Variables
$JBNAppID = "Git.Git"

#Help the SYSTEM account find winget.exe; if the wildcard matches several folders, use the last match
$JBNWingetPath = Resolve-Path "$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe" | Select-Object -Last 1
Set-Location -Path $JBNWingetPath.Path

#Run an upgrade of the software
.\winget.exe upgrade -e --id $JBNAppID --silent --accept-package-agreements --accept-source-agreements


For GIMP and Mozilla Firefox, use the scripts above but change the AppID variable ($JBNAppID) to:
Mozilla Firefox: "Mozilla.Firefox"
GIMP: "GIMP.GIMP"
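
The detection script above only checks whether the header row of the `winget list` output has an Available column. As an added example (not from the video or its author), the function below reads the installed and available versions from the same output by column offset, so the detection output can state which version is on the device. The function name `Get-WingetListState` and the sample outputs are constructed for illustration, and English column titles are assumed, as in the scripts above.

```powershell
# Added example, not from the video. Assumes English winget column titles.
function Get-WingetListState {                      # hypothetical helper name
    param([string[]]$Lines)                         # captured output of: winget list -e --id <AppID>

    $notInstalled = [pscustomobject]@{ State = 'NotInstalled'; Version = $null; Available = $null }

    # Locate the header row; other output lines may precede it, so do not assume index 0.
    $h = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '\bId\s+Version\b') { $h = $i; break }
    }
    # No table (or no data row after the dashed separator) means nothing is installed.
    if ($h -lt 0 -or $Lines.Count -lt ($h + 3)) { return $notInstalled }

    $header = $Lines[$h]
    $row    = $Lines[$h + 2]
    $vStart = $header.IndexOf('Version')
    $aStart = $header.IndexOf('Available')          # -1 when no upgrade is offered
    $sStart = $header.IndexOf('Source')             # -1 when the Source column is absent

    # Slice one column out of the data row, tolerating rows shorter than the header.
    $cut = {
        param($text, $from, $to)
        if ($from -lt 0 -or $from -ge $text.Length) { return $null }
        if ($to -lt 0 -or $to -gt $text.Length) { $to = $text.Length }
        $text.Substring($from, $to - $from).Trim()
    }

    $vEnd      = if ($aStart -ge 0) { $aStart } else { $sStart }
    $version   = & $cut $row $vStart $vEnd
    $available = if ($aStart -ge 0) { & $cut $row $aStart $sStart } else { $null }
    $state     = if ($available) { 'NeedsUpdate' } else { 'UpToDate' }

    [pscustomobject]@{ State = $state; Version = $version; Available = $available }
}

# Constructed sample outputs (version numbers are made up for illustration).
$outdated = 'Name Id      Version Available Source',
            '-----------------------------------------',
            'Git  Git.Git 2.39.1  2.39.2    winget'
$current  = 'Name Id      Version Source',
            '-------------------------------',
            'Git  Git.Git 2.39.2  winget'
$missing  = ,'No installed package found matching input criteria.'

$outdated, $current, $missing | ForEach-Object { Get-WingetListState -Lines $_ }
```

In a detection script, write the returned versions with Write-Host and exit 1 when State is NeedsUpdate, exit 0 otherwise, matching the exit codes used above.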

The log file for these scripts can be found here:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log

Proactive Remediation scripts are executed locally on the devices from this location:
C:\Windows\IMECache\HealthScripts
Under this location there is a folder with a unique ID per script, and you find the scripts inside each folder.

If you master this, you will give a lot of value to your organization or customers.
