Detect and Remediate Lenovo Vantage vulnerabilities using Proactive Remediations and Microsoft Endpoint Manager


Just a quick blog post, on how to detect and remediate the Lenovo Vantage Vulnerabilities disclosed this week.

This surely has been an eventful week for most IT professionals, beginning with the #Log4j nightmare, and now ending with some Lenovo Vantage fun. Joking aside, this fix is pretty easy, but making sure and proving the vulnerability has been mitigated throughout your environment, might be something else. This post explains how I did.


This solution consists of 2 PowerShell scripts, intended to be used with Endpoint Analytics Proactive Remediations in Microsoft Endpoint Manager.


Find the Detect-LenovoVantageVulnerabilities.ps1 script on my GitHub page: PowerShell/Detect-LenovoVantageVulnerabilities.ps1 at master · imabdk/PowerShell (

This script does following in headlines:

  • Detect if the Lenovo Vantage service is present
    • If the service is present, the script looks for a certain .exe file
      • The script then checks the fileversion, and if less than a specified value, the script will return and exit with 0


Find the Remediate-LenovoVantageVulnerabilities.ps1 on my GitHub page: PowerShell/Remediate-LenovoVantageVulnerabilities.ps1 at master · imabdk/PowerShell (

This script does following in headlines:

  • Detects if the Lenovo Vantage service is present
    • If present, it will restart the service and Write-Output

Microsoft Endpoint Manager

Head into the Microsoft Endpoint Manager admin center and locate the Proactive Remediations feature within the Reports -> Endpoint Analytics blade:


Use the 2 scripts explained above as illustrated below:


Assign the scripts to run on a group consisting of devices or users. In this scenario, I’m running the scripts Hourly on a group containing my own devices:

In Action

Taking a closer look on IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs) you will see if the detection script finds the device to be vulnerable or not:

  • [NOT GOOD]. IMController file version is less than Device is vulnerable

And when the remediation script kicks off, the same log will tell you if the service was restarted or not:

  • [ALL GOOD]. Service: ImControllerService restarted. Vulnerability expected to be mitigated

If the vulnerabilities never existed or is not mitigated, the script will return following to the log file:

  • [ALL GOOD]. IMController file version is NOT less than Device is NOT vulnerable

Before and After


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.