How to Deploy a PowerShell Script using Intune

In this blog post, we will explore the steps to deploy PowerShell scripts on Windows 10/11 devices using Intune admin center. Powershell script file extension is .ps1. Please note that you cannot deploy Powershell scripts on Windows 10 home devices using Intune.

Important Points

• Powershell scripts deployed using Intune are executed only once unless there is a change in the script or deployment setting.
• Powershell script default time-out is 30 minutes.
• After every reboot, Intune management extension (IME) checks for any new scripts assigned to the device or changes to the existing script.
• If the script execution fails, IME will retry the execution of the script three more times during the next device check-ins.

Prerequisites

To create a PowerShell script deployment from Intune admin center, there are a few prerequisites. Please find them below:

• Entra hybrid join, Entra join devices, or Entra registered devices.
• The device must be running Windows 10, 1607, or later.
• Devices are Enrolled and managed by Intune.
• Script deployment may fail if the system clock is outdated for months or years.

1. Prepare a Powershell script

The first step is to prepare a Powershell script file and save it as .ps1 extension. Test the script manually on a test device before deploying it via Intune. For demonstration purposes, I will deploy a simple PowerShell script that creates a folder on target Windows devices. We need to save the script file somewhere on the device. Let’s call it as CreateDirectory.ps1

CreateDirectory.ps1

$path = "C:\temp\Cloudinfra"
If(!(test-path $path))
{
      New-Item -ItemType Directory -Path $path
}

Its a best practice to manually test the powershell script on a test device first before creating the deployment on Intune. If there are any issues in the script, fix it and then create the deployment.

Tip

2. Deploy Powershell Script

Now, once the PowerShell script file is prepared and tested, follow below steps to deploy the script on Windows 10/11 devices.

• Sign in to the Intune admin center > Devices > Scripts and Remediations > Platform Scripts.
• Click on + Add and then Select Windows 10 and later.

• Basics: Provide a Name and Description of the deployment.

• Script settings:
  • Script location – Select the Powershell script that you want to deploy
  • Run this script using the logged on credentials – Change it to No (Selecting No will execute the script in device context).
  • Enforce script signature check – Change it to No
  • Run script in 64 bit PowerShell Host – Change it to Yes

• Assignments: Click on Add Groups and add an Entra security group containing Windows devices.

• Review + add: Review the information and click Add to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

Monitor Script Deployment Progress

To verify the status of Powershell script execution from the Intune admin center, follow the below steps:

• Sign in to the Intune admin center > Devices > Scripts and Remediations > Platform Scripts.
• Click on the Script deployment and go to the Overview page to find the status.

• If you want to review the deployment status of the PowerShell script for specific devices or users, you can click on Device status or User status under the Monitor section to access status information for each device or user.

End User Experience

On the target device, a PowerShell script deployed via Intune will be downloaded on the device at the following location: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts.

After the download, the script is executed. It’s important to note that the scripts downloaded to the device will be automatically deleted after execution, so you may find this folder empty once the script has been run.

The script will be executed in the Device context since we’ve selected Run this script using the logged-on credentials as No.

To verify whether the PowerShell script we deployed has been executed on the target devices, we can check if a Cloudinfra folder has been created under the C:\temp location.

Verify PowerShell Script Execution Status

There are various ways to confirm the execution status of the PowerShell script deployed via Intune. Let’s take a look:

PowerShell Script Execution Status in Windows Registry

The first way to confirm the PowerShell script execution status is by using the registry editor on Windows devices. Find the policy ID of the Intune deployment and then, using this policy ID, check the status of the script execution in the registry.

1. Copy the Policy ID of PowerShell script deployment

• Sign in to the Intune admin center >Devices > Scripts and Remediations > Platform Scripts.
• Click on the powershell script deployment.
• From browser address bar, you can find the policy ID information. Copy it to a notepad, as we need it in the next step.

2. Check Powershell script deployment Status in Windows Registry

• Go to Start and search for Registry Editor. Click on it to open the registry editor.
• Navigate to the registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies

• Within the Policies registry key, click on the Policy ID corresponding to your deployment. Check the Result registry entry on the right-hand side to determine the deployment status. As the screenshot below demonstrates, the Result shows Success.

3. Powershell Script Execution Status in IME Logs

You can verify the PowerShell script execution status by inspecting the Intune Management Extension (IME) logs. Let’s check the steps:

• Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
• Find the most recent IntuneManagementExtension.log file and open it. (best way to open .log files is by using the CMTrace tool).
• Search for Policy ID and check the Policy result. As you can see, the Policy result shows Success for this deployment.

About Intune Management Extension (IME) Log Files

FAQs

1. Confirm the Presence of Intune Management Extension on a Windows Device

Intune Management Agent is responsible for executing Powershell scripts on targeted devices. You don’t need to deploy the Intune Management Extension separately; it is automatically installed when you assign a PowerShell script to the target device.

Intune Management Extension is installed at C:\Program Files (x86)\Microsoft Intune Management Extension. You can navigate to this location to confirm if it’s Installed on your device.

A second method to verify and confirm this is by checking a Microsoft Intune Management Extension service. This service also indicates the presence of the Intune Management agent on your device. To check this service and its status, follow the below steps:

• Press the Win + R keys to open a Run dialog box.
• Type services.msc and press Enter.
• Search for Microsoft Intune Management Extension service
• Make sure the status is Running.

2. PowerShell Script Is Not Executed on the Target Devices

Various factors could prevent the PowerShell script from executing on the target device. I’ve compiled a list of options you can investigate to help resolve the issues.

• Test the PowerShell script manually on a test device with administrator rights to ensure it functions as expected.
• Verify that the target device is joined to Entra ID.
• Confirm the presence of the Intune Management Extension (IME) on the target device. Refer to steps above to ensure it is correctly installed.
• Go through Intune Management Extension logs to identify the cause of the deployment failure.

3. Are there More Effective Methods for Deploying PowerShell Scripts with Intune?

Deploying PowerShell scripts with Intune is effective, but it’s mostly suitable for one-time script deployments. Scripts deployed using this method won’t run again unless you make script modifications or re-upload them.

A more efficient method for deploying PowerShell scripts is through Intune device remediations, also known as proactive remediations.

Remediations requires users of the devices to have one of the following licenses:

• Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
• Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
• Windows 10/11 Virtual Desktop Access (VDA) per user

Source: Microsoft

Intune device remediation scripts can run on a schedule and fix any configuration drifts using detection and remediation scripts. I have written many blog posts on Intune device remediations, you can click on any of the link below and understand how this works.

Blog posts on Intune Device remediations
How To Create HKCU Registry Keys Using Intune Remediations Enable/Disable Local Admin Account Using Intune Remediations How To Create Registry Keys Using Intune Remediations

If you don’t meet the licensing requirements for Intune device remediations, you still have the option to schedule the execution of a PowerShell script by creating a scheduled task using Intune. This task can run a script stored either locally or remotely.

Conclusion

We have discussed about powershell script deployment which is good for one-time script execution on the target devices. You can also run PowerShell script by using Intune device remediations which are more robust and can execute the scripts on a schedule. I hope this post was informative and helped you with the different Intune deployment options for executing Powershell scripts.

Read Next

Retrieve Powershell Scripts deployed via Intune

Set Powershell Execution Policy using Intune and GPO