In this blog post, we will walk through how to deploy a PowerShell script using Intune. Intune platform scripts are a simple way to run a one-time PowerShell task on Windows devices, such as creating a folder, setting a registry value, or performing a quick remediation. This method relies on the Intune Management Extension (IME), which downloads and runs the script and reports execution status back to Intune. Platform scripts are best for “do it once” actions. If you need recurring checks or drift remediation, use Remediations instead.
A PowerShell script file uses the .ps1 extension. Note that you cannot deploy PowerShell scripts to Windows 10 Home devices using Intune. If you need to create a scheduled task on Windows devices that runs a PowerShell script, refer to the blog post Schedule PowerShell Scripts with Intune for more details.
Important Points
- Run-once behavior: A platform script runs once after assignment and does not run again unless the script or policy changes. If it fails, IME retries it three times on the next three consecutive IME check-ins.
- Timeout: Scripts time out after 30 minutes.
- Execution order: Platform scripts are executed before Win32 apps.
- Device targeting nuance: Scripts can be targeted to user groups or device groups, but for workplace-joined (WPJ) devices, user targeting is ignored, and you must use device groups.
- Privacy and data handling: Avoid secrets and personal data in scripts (passwords, token strings, personal data collection).
Prerequisites
- Entra hybrid join or Entra join devices. Devices that are only registered with your workplace or organization in Microsoft Entra ID don’t receive the scripts.
- The device must be running Windows 10 version 1607 or later.
- Devices are enrolled and managed by Intune.
- Script deployment may fail if the system clock is off by months or years.
Step 1: Prepare and test a PowerShell script
The first step is to prepare and test a PowerShell script file. Manual testing of the script is important to ensure successful Intune deployment and execution. For demonstration purposes, I will deploy a simple PowerShell script (CreateDirectory.ps1) that creates a folder on target Windows devices. Save the script file somewhere on your device.
CreateDirectory.ps1
# Create the target folder only if it does not already exist
$path = "C:\temp\Cloudinfra"
if (-not (Test-Path -Path $path)) {
    New-Item -ItemType Directory -Path $path
}
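As part of testing before upload, a static check can catch the problems called out under Important Points and in the script settings used in Step 2. The following is an added example, not part of the original post: the function name `Test-IntuneScriptReadiness` and the regular expressions are illustrative assumptions. It reads the file without running it and reports possible hard-coded secrets, per-user paths that behave differently in system context, syntax errors, and the Authenticode signature status.

```powershell
# Added example: static pre-upload check for a platform script. Nothing is executed.
function Test-IntuneScriptReadiness {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $fullPath = (Resolve-Path -LiteralPath $Path).Path

    # Constructed heuristics; extend them for your environment.
    # 'User-scoped path': with "Run this script using the logged on credentials"
    # set to No, HKCU: and these variables resolve to the SYSTEM account,
    # not to the signed-in user.
    $patterns = [ordered]@{
        'Plain-text SecureString' = 'ConvertTo-SecureString\s.*-AsPlainText'
        'Hard-coded credential'   = '\$\w*(password|passwd|pwd|secret|apikey|token)\w*\s*=\s*["'']'
        'Bearer token'            = 'bearer\s+[a-z0-9\-_.=]{20,}'
        'User-scoped path'        = 'HKCU:|\$env:(USERPROFILE|APPDATA|LOCALAPPDATA)'
    }

    $findings = [System.Collections.Generic.List[object]]::new()
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $fullPath) {
        $lineNo++
        foreach ($name in $patterns.Keys) {
            if ($line -match $patterns[$name]) {   # -match is case-insensitive
                $findings.Add([pscustomobject]@{ Line = $lineNo; Issue = $name })
            }
        }
    }

    # Parse without running to catch syntax errors before the script reaches devices.
    $tokens = $null; $parseErrors = $null
    $null = [System.Management.Automation.Language.Parser]::ParseFile($fullPath, [ref]$tokens, [ref]$parseErrors)

    [pscustomobject]@{
        Path            = $fullPath
        SignatureStatus = (Get-AuthenticodeSignature -FilePath $fullPath).Status
        SyntaxErrors    = @($parseErrors).Count
        Findings        = $findings
    }
}

# CreateDirectory.ps1 is the script from this step, saved in the current folder.
Test-IntuneScriptReadiness -Path .\CreateDirectory.ps1 | Format-List
```

A `SignatureStatus` of `NotSigned` is expected for the demo script and is only acceptable because the deployment in Step 2 sets Enforce script signature check to No.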
Step 2: Create PowerShell Script Intune Deployment
Now, once the PowerShell script file is prepared and tested, follow the steps below to deploy the script on Windows 10/11 devices via Intune.
- Sign in to the Intune admin center > Devices > Scripts and Remediations > Platform Scripts.
- Click on + Add and then select Windows 10 and later.
- Basics: Provide a name and description of the deployment.
- Script settings:
  - Script location: Select the PowerShell script that you want to deploy.
  - Run this script using the logged on credentials: Change it to No (selecting No will execute the script in system context).
  - Enforce script signature check: Change it to No.
  - Run script in 64 bit PowerShell Host: Change it to Yes.

- Scope tags (optional): A scope tag in Intune is an RBAC label that you assign to resources such as policies, apps, and devices to control which administrators can view and manage them. For more information, see How to use scope tags in Intune.
- Assignments: Assign the script to Microsoft Entra security groups that include the target users or devices. As a best practice, start with a small pilot group, and once validated, expand the assignment more broadly. For guidance on assignment strategy, see Intune assignments: User groups vs. device groups.
- Review + create: Review the deployment summary and click Create.

Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitor PowerShell Script Deployment Status
To verify the status of PowerShell script execution from the Intune admin center, follow the steps below:
- Sign in to the Intune admin center > Devices > Scripts and Remediations > Platform Scripts.
- Click on the script deployment and go to the Overview page to find the status.

- If you want to review the deployment status of the PowerShell script for specific devices or users, click on Device status or User status under the Monitor section to access status information for each device or user.
End User Experience
On the target device, a PowerShell script deployed via Intune will be downloaded on the device at the following location: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts. After the download, the script is executed. It’s important to note that the scripts downloaded to the device will be automatically deleted after execution, so you may find this folder empty once the script has been run.
Refer to this step-by-step guide, Get Back or Retrieve Intune PowerShell Scripts, which shows the process to download your PowerShell scripts from Intune.
The script runs in the device context because Run this script using the logged-on credentials is set to No. To verify that our PowerShell script has executed on the target devices, you can check whether a Cloudinfra folder has been created under C:\Temp. Additional methods to verify and confirm script execution are covered in the following sections.

Verify PowerShell Script Execution Status
There are various ways to confirm the execution status of the PowerShell script deployed via Intune. Let’s take a look:
Verify PowerShell Script Execution Status from Windows Registry
The first way to confirm the PowerShell script execution status is by using the registry editor on Windows devices. Find the policy ID of the Intune deployment, and then, using this policy ID, check the status of the script execution in the registry.
1. Copy the Policy ID of PowerShell script deployment
- Sign in to the Intune admin center > Devices > Scripts and Remediations > Platform Scripts.
- Click on your PowerShell script deployment.
- From the browser address bar, you can find the policy ID. Copy it to a notepad, as we need it in the next step.

2. Check PowerShell script deployment status in Windows Registry
- Go to Start and search for Registry Editor. Click on it to open the registry editor.
- Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies.
- Within the Policies registry key, look for the Policy ID corresponding to your deployment. Check the Result registry entry on the right-hand side to determine the deployment status. As the screenshot below demonstrates, the Result shows Success.

Verify PowerShell Script Execution Status in IME Logs
Verify the PowerShell script execution status by inspecting the Intune Management Extension (IME) logs. Let’s check the steps:
- Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
- Find the most recent IntuneManagementExtension.log file and open it. (The best way to open log files is by using the CMTrace tool).
- Search for Policy ID and check the policy result. As you can see, the policy result shows Success for this deployment.
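Both checks above, the Result registry entry and the IME log search, can be scripted for a given policy ID. The following is an added example, not part of the original post: the function name `Get-ImeScriptStatus` is hypothetical and the GUID in the last line is a placeholder. It searches below the Policies key by name instead of assuming the intermediate key layout, and it reads only the current IntuneManagementExtension.log file.

```powershell
# Added example: read a platform script's local status. Run from an elevated session.
function Get-ImeScriptStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$PolicyId   # the ID copied from the admin center address bar
    )

    $policiesKey = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
    $logPath     = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

    # Find every subkey named after the policy ID and read its Result value.
    $registry = Get-ChildItem -Path $policiesKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ieq $PolicyId } |
        ForEach-Object {
            [pscustomobject]@{
                Key    = $_.Name
                Result = $_.GetValue('Result')   # "Success" in the walkthrough above
            }
        }

    # Collect the most recent log lines that mention the policy ID.
    $logLines = @()
    if (Test-Path -LiteralPath $logPath) {
        $logLines = @(Select-String -LiteralPath $logPath -Pattern $PolicyId -SimpleMatch |
            Select-Object -Last 5 -ExpandProperty Line)
    }

    [pscustomobject]@{
        PolicyId    = $PolicyId
        FoundInReg  = [bool]$registry
        Registry    = $registry
        LogLines    = $logLines
    }
}

# Placeholder GUID for illustration; replace it with your deployment's policy ID.
Get-ImeScriptStatus -PolicyId '00000000-0000-0000-0000-000000000000' | Format-List
```

If `FoundInReg` is False, the device has not processed the policy yet, which points to assignment or check-in rather than to a failure inside the script.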

FAQs
1. Confirm the Presence of Intune Management Extension on a Windows Device
The Intune Management Extension agent is responsible for executing PowerShell scripts on targeted devices. You don’t need to deploy the Intune Management Extension separately; it is automatically installed when you assign a PowerShell script to the target device.
Intune Management Extension is installed at C:\Program Files (x86)\Microsoft Intune Management Extension. You can navigate to this location to confirm if it’s installed on your device.
A second method to verify and confirm this is by checking the Microsoft Intune Management Extension service. This service also indicates the presence of the Intune Management Extension agent on your device. To check this service and its status, follow the steps below:
- Press the Win + R keys to open a Run dialog box.
- Type services.msc and press Enter.
- Search for the Microsoft Intune Management Extension service.
- Make sure the status is Running.

2. PowerShell Script Is Not Executed on the Target Devices
Various factors could prevent the PowerShell script from executing on the target device. I’ve compiled a list of options you can investigate to help resolve the issues.
- Test the PowerShell script manually on a test device with administrator rights to ensure it functions as expected.
- Verify that the target device is joined to Entra ID.
- Confirm the presence of the Intune Management Extension (IME) on the target device. Refer to the steps above to ensure it is correctly installed.
- Go through Intune Management Extension logs to identify the cause of the deployment failure.
3. Are there more effective methods for deploying PowerShell scripts with Intune?
Deploying PowerShell scripts with Intune is effective, but it’s mostly suitable for one-time script deployments. Scripts deployed using this method won’t run again unless you make script modifications or re-upload them. A more efficient method for deploying PowerShell scripts is through Intune Remediations, also known as device remediations.
Intune Remediations requires users of the devices to have one of the following licenses (source: Microsoft):
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Virtual Desktop Access (VDA) per user
Intune device remediation scripts can run on a schedule and fix any configuration drifts using detection and remediation scripts. I have written many blog posts on Intune device remediations; you can click on any of the links below and understand how this works.
If you don’t meet the licensing requirements for Intune device remediations, you still have the option to schedule the execution of a PowerShell script by creating a scheduled task using Intune. This task can run a script stored either locally or remotely.
Conclusion
We have discussed PowerShell script deployment, which is good for one-time script execution on the target devices. You can also run PowerShell scripts by using Intune device remediations, which are more robust and can execute the scripts on a schedule. I hope this post was informative and helped you with the different Intune deployment options for executing PowerShell scripts.

Hey Mate,
Just a query about using the (Run this script using the logged-on credentials – Yes) option.
If the user does not have regedit permissions, have you had this work?
I currently have a workaround that I may not need to continue using if this is the case.
I have shared this below in case it is useful to you 🙂
# Open Registry session in current user’s drive
New-PSDrive HKU Registry HKEY_USERS -ErrorAction SilentlyContinue | out-null
# Set Variables required to access the current users registry as system
$user = get-wmiobject -Class Win32_Computersystem | select Username;
$sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).value;
# Set Target Users Key
$keylocation = "HKU:\$sid\Software\Microsoft\Windows\%KEY%"
Sorry for a bit of a delay in response. I believe the user must have permission to edit the registry to be able to make changes when you have “Run this script using the logged-on credentials” set to “Yes”.
Thanks for sharing the code; it’s very helpful.