A diagnostic and repair tool for the Windows 11 Task Scheduler. Built for IT teams dealing with broken Intune sync, failed Windows Updates, and stalled system maintenance on corporate machines.
On managed Windows 11 machines, the Task Scheduler is the engine behind almost everything that runs automatically:
- Intune sync (device compliance, app installs, policy updates)
- Windows Update (scanning, downloading, installing patches)
- System maintenance (disk cleanup, defrag, optimization)
- Security (Defender scans, certificate checks)
When Task Scheduler breaks, all of these fail silently. The machine looks fine on the surface, but Intune shows it as non-compliant, updates stop installing, and maintenance never runs. This often shows up as a single ticket ("Intune won't sync") but the root cause is buried in corrupted registry keys, missing DLLs, broken permissions, or orphaned task files.
This tool finds and fixes all of that.
| Requirement | Details |
|---|---|
| Operating System | Windows 11 (builds 22000 through 26100+) |
| Architecture | x64 (AMD64) and ARM64 both supported |
| PowerShell | PowerShell 7.0 or newer (pwsh) |
| Privileges | Must run as Administrator |
| Dependencies | None. The tool uses only built-in Windows APIs. |
Copy the entire TaskSchedulerRepair folder to the target machine. You can use a USB drive, network share, or any file transfer method.
Right-click PowerShell 7 and select Run as Administrator, then navigate to the tool:
cd C:\path\to\TaskSchedulerRepairThis step does NOT change anything on the machine. It only looks at the current state and creates a report.
Import-Module ./TaskSchedulerRepair.psd1 -Force
Invoke-SchedulerRepairPipeline -OutputPath ./outputWhen it finishes, open the HTML report in the ./output/ folder to see what it found.
This shows you exactly what the tool WOULD change, without actually changing anything:
Invoke-SchedulerRepairPipeline -OutputPath ./output -Repair -WhatIfThis makes the actual fixes. The tool will ask for confirmation before each change:
Invoke-SchedulerRepairPipeline -OutputPath ./output -RepairOr to skip the confirmation prompts (useful for automation):
Invoke-SchedulerRepairPipeline -OutputPath ./output -Repair -ForceAfter repairs, the tool automatically runs a health check and generates an updated report. Open the HTML report in the ./output/ folder to see the before/after comparison.
Performs 11 checks without modifying anything:
| Check | What It Looks For |
|---|---|
| Service health | Are the 8 key services running with correct settings? (Schedule, RpcSs, BITS, UsoSvc, WaaSMedic, etc.) |
| Registry integrity | Are the TaskCache registry keys intact? Are service DLL paths correct? |
| Task store consistency | Do registry entries match XML files on disk? Are there orphans in either direction? |
| COM components | Can Windows create a Task Scheduler COM object? Are the 4 key DLLs present? |
| WMI repository | Is the WMI database consistent? |
| Permissions | Does SYSTEM own the TaskCache registry? Does TrustedInstaller own the task folder? |
| Component store | Is the Windows component store (CBS/DISM) healthy? |
| Group Policy | Are there GPO restrictions blocking Task Scheduler or Windows Update? |
| Event logs | Are there recent error events for Task Scheduler, DCOM, or service failures? |
| AV/EDR | Has antivirus quarantined any Task Scheduler files? Are EDR agents present that might interfere? |
| Critical tasks | Are essential tasks present and enabled? (Windows Update, WaaSMedic, Intune, maintenance) |
Creates a timestamped backup of everything before any changes are made:
- Registry keys (
.regfiles you can import back) - All task XML files from
C:\Windows\System32\Tasks - WMI repository
- Service configuration snapshot
- Generates a
rollback.ps1script you can run to undo everything
- Fixes service Start types that don't match baselines
- Fixes missing or incorrect ServiceDll registry entries
- Stops all services in correct dependency order (with verification)
- Starts them back up in correct order (with verification)
- Verifies the Schedule service responds to COM calls after restart
- Removes orphaned
TaskCache\Tasks\{GUID}entries with no matching XML file - Removes orphaned entries from
Plain,Boot,Logon,Maintenancesubkeys - Repairs service registry values from known-good baselines
- Verifies every registry write actually took effect
- Removes orphaned XML files with no registry counterpart
- Restores missing critical tasks from a reference source (WIM, reference export, or WinSxS)
- Validates task XML before registration (schema, principal SIDs, executable paths)
- Re-registers COM DLLs (
taskcomp.dll,taskschd.dll,ubpm.dll) - Repairs WMI repository if inconsistent
- Takes ownership of TaskCache registry key using Win32 API
- Applies baseline ACLs to registry (SYSTEM = owner, admin/SYSTEM access)
- Sets TrustedInstaller as owner of task store folder
- Grants correct permissions to SYSTEM, Administrators, TrustedInstaller, Users
- Logs every individual permission change with exit codes
Re-runs all diagnostic checks from Phase 1 and compares before vs. after:
- Which findings were resolved?
- Which findings persist?
- Are there any new issues?
- Overall health rating: Healthy, Degraded, or Critical
- If Intune is installed and repairs were performed, triggers an Intune re-sync
Generates deliverables in the output folder:
- HTML report with color-coded findings, service health table, task store summary
- CSV files with all findings and repair actions
- JSON pipeline state with complete machine-readable results
This tool was designed to be safe to run on production machines:
| Feature | How It Works |
|---|---|
| Read-only by default | Without the -Repair switch, nothing is modified. Ever. |
| Mandatory backup | Phase 2 must complete before any repair phase can run. |
| Rollback script | Phase 2 generates rollback.ps1 in the backup folder. Run it to undo everything. |
| WhatIf preview | Add -WhatIf to see exactly what would change without changing it. |
| Per-action confirmation | Without -Force, you approve each change individually. |
| Verify-after-write | Registry changes are re-read after writing to confirm they actually took effect. |
| Service verification | Services are polled (not just sleep-waited) to confirm they actually stopped/started. |
| Resume support | If interrupted mid-repair, add -Resume to pick up where you left off. |
| No external dependencies | Uses only built-in Windows APIs. Nothing to download or install. |
The backup folder (e.g., ./output/backup_20260329_143000/) contains a rollback.ps1 script:
cd ./output/backup_20260329_143000
pwsh -File rollback.ps1 -ForceThis restores all registry keys, task XML files, and the WMI repository from the backup.
If the tool was interrupted (Ctrl+C, crash, reboot), run it again with -Resume:
Invoke-SchedulerRepairPipeline -OutputPath ./output -Repair -Force -ResumeThis skips phases that already completed successfully.
If critical tasks are missing and need to be restored, you need a "reference" — a copy of the task files from a healthy machine with the same Windows version.
Import-Module ./TaskSchedulerRepair.psd1 -Force
Export-SchedulerReference -OutputPath 'D:\SchedulerReference'Copy the D:\SchedulerReference folder to the broken machine.
Import-Module ./TaskSchedulerRepair.psd1 -Force
Invoke-SchedulerRepairPipeline -OutputPath ./output -Repair -Force -ReferenceExport 'D:\SchedulerReference'The tool will warn you if the Windows build numbers don't match and block the restore unless you add -Force.
When Task Scheduler and Intune are both broken, you can't use Intune to push this tool. Here are your options, from easiest to most involved:
Copy the folder to a USB drive or network share, plug it in, and run:
pwsh -ExecutionPolicy Bypass -File C:\TaskSchedulerRepair\deploy\run.ps1 -Repair -ForceFrom your admin workstation, target a specific machine:
PsExec \\TARGETPC -s pwsh -ExecutionPolicy Bypass -File \\server\share\TaskSchedulerRepair\deploy\run.ps1 -Repair -Force -Quiet-s runs as SYSTEM. -Quiet suppresses output and returns an exit code.
Create a package pointing to the TaskSchedulerRepair folder:
- Program command:
pwsh -ExecutionPolicy Bypass -File deploy\run.ps1 -Repair -Force -Quiet - Run as: System account
- Detection rule: Check exit code (0 = already healthy, 1 = repaired successfully)
This is the best option when Task Scheduler is completely broken, because GPO startup scripts do NOT use Task Scheduler — they run through the Group Policy Client service.
- Copy the tool to your SYSVOL:
\\domain\SYSVOL\domain\scripts\TaskSchedulerRepair\ - Create a GPO linked to the target OU
- Go to: Computer Configuration > Policies > Windows Settings > Scripts > Startup
- Add script:
pwsh -ExecutionPolicy Bypass -File \\domain\SYSVOL\domain\scripts\TaskSchedulerRepair\deploy\run.ps1 -Repair -Force -Quiet
The fix will run at next reboot.
Even when Task Scheduler tasks are broken, the Intune Management Extension service often still works because it has its own internal polling loop. If the IME service is running, you can push this as a Proactive Remediation:
- Deploy the module to
C:\Program Files\TaskSchedulerRepairvia a Win32 app package - Create a Proactive Remediation in Intune:
- Detection script: Upload
deploy/intune-detect.ps1 - Remediation script: Upload
deploy/intune-remediate.ps1 - Run as: System
- Schedule: Daily
- Detection script: Upload
The detection script checks Task Scheduler health (exit 0 = healthy, exit 1 = needs repair). The remediation script runs the full repair pipeline in quiet mode.
When running with -Quiet, the tool outputs JSON and sets a process exit code:
| Code | Meaning | Action |
|---|---|---|
| 0 | Healthy | No issues found, or all issues already resolved |
| 1 | Repaired | Issues were found and successfully fixed |
| 2 | Degraded | Some issues persist after repair (manual investigation needed) |
| 3 | Critical | Core Task Scheduler functionality is broken (escalate) |
| 4 | Error | The tool itself failed to run (check prerequisites) |
Example for scripting:
Import-Module ./TaskSchedulerRepair.psd1 -Force
$result = Invoke-SchedulerRepairPipeline -OutputPath $env:TEMP\TSRepair -Repair -Force -Quiet
# $result is JSON; $LASTEXITCODE is the exit codeYes. By default, the tool only reads and reports. Repairs require the explicit -Repair switch, and a backup is always created first. You can preview all changes with -WhatIf before committing.
The tool detects GPO restrictions during Phase 1. If it finds policies that block Task Scheduler or disable key services, it will warn you after repair that the fixes may be reverted within ~90 minutes (the default GPO refresh interval). You'll need to work with your domain admin to create a GPO exemption or modify the conflicting policy.
Yes. The tool detects the processor architecture and adjusts its WinSxS component search accordingly.
Yes. The tool is safe to re-run. It only acts on issues it detects, and skips phases with no work to do.
PowerShell 7.0 or newer (pwsh). The built-in Windows PowerShell 5.1 (powershell.exe) is NOT supported. You can install PowerShell 7 from the Microsoft Store or download it from GitHub.
No. The tool runs entirely offline using local system APIs and files. The only scenario where network access helps is if DISM needs to download repair files from Windows Update (and only if the component store is corrupted).
TaskSchedulerRepair/
TaskSchedulerRepair.psd1 # Module manifest
TaskSchedulerRepair.psm1 # Module loader
Public/ # Exported pipeline functions (8 phases + orchestrator + reference export)
Private/ # Internal helpers (services, registry, orphans, state, WIM, DISM)
data/ # Reference baselines (services, tasks, registry, COM, permissions)
report/ # HTML report template and CSS
deploy/ # Deployment scripts (run.ps1, Intune detect/remediate)
tests/ # Pester test suites (72 tests)
MIT License -- Copyright (c) 2026 Galvnyz