How to deploy a Powershell script using Intune

PowerShell scripts are commonly saved in files with a .ps1 extension and can be executed on Intune-managed Windows devices via the Intune admin center. It’s important to note that you cannot deploy PowerShell scripts to Windows 10 Home devices using Intune.


Step-by-Step guide

STEP 1 – Prepare a Powershell script

The first step is to prepare a PowerShell script file and save it with a .ps1 extension. Test the script manually on a test device first, in an elevated session, before deploying it via Intune: the deployed copy runs as SYSTEM (see Script settings below), so it must not depend on the signed-in user's profile, HKCU hive or mapped drives.

Example:

For demonstration purposes, I have used the code below and saved it as CreateDirectory.ps1. It creates a folder called Cloudinfra under C:\temp.

CreateDirectory.ps1

$path = "C:\temp\Cloudinfra"
# Create the folder only if it does not already exist, so the script is safe to re-run.
if (-not (Test-Path -Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

STEP 2 – Deploy Powershell Script

To deploy a PowerShell script using Intune, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices and then click on Scripts under the Policy section.
  • Click on + Add and then select Windows 10 and later.

Basics

Provide a Name and Description of the deployment.

Script settings

  • Script location – Select the PowerShell script that you want to deploy.
  • Run this script using the logged on credentials – Change it to No (the script then runs in the system context as SYSTEM rather than as the signed-in user).
  • Enforce script signature check – Change it to No for this demo. If your organization signs its scripts, set it to Yes so that only scripts carrying a trusted publisher signature are executed on the device.
  • Run script in 64 bit PowerShell Host – Change it to Yes (otherwise the script runs in the 32-bit host, where $env:ProgramFiles and parts of the registry resolve to their WOW64 equivalents).

Assignments

  • Click on Add groups and add an Azure AD (Microsoft Entra ID) group containing the target Windows devices.

Review + add

The final step is to review the information and click on Add to start the deployment process.
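The same deployment can be created through Microsoft Graph instead of the portal, which is how you would do it from a pipeline. The following is an added example, not code from the original post: it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to DeviceManagementConfiguration.ReadWrite.All, and that the local script path and group object ID placeholders are replaced. The deviceManagementScripts resource is on the beta endpoint, and the property names used here should be checked against the current Graph reference before you rely on them in automation.

```powershell
# Added example (not part of the original post): create and assign the
# script policy via Microsoft Graph. Assumes the Microsoft.Graph SDK and
# DeviceManagementConfiguration.ReadWrite.All; path and group ID are placeholders.

$scriptPath = 'C:\Intune\CreateDirectory.ps1'             # assumed local path
$groupId    = '00000000-0000-0000-0000-000000000000'      # placeholder device group object ID

# Delegated sign-in with the single scope this task needs (least privilege).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Graph expects the script body as base64-encoded bytes.
$scriptContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($scriptPath))

# These properties mirror the portal settings from STEP 2:
#   runAsAccount = 'system'  <-> "Run this script using the logged on credentials: No"
#   enforceSignatureCheck    <-> "Enforce script signature check"
#   runAs32Bit = $false      <-> "Run script in 64 bit PowerShell Host: Yes"
$body = @{
    '@odata.type'         = '#microsoft.graph.deviceManagementScript'
    displayName           = 'Create Cloudinfra directory'
    description           = 'Creates C:\temp\Cloudinfra'
    fileName              = [IO.Path]::GetFileName($scriptPath)
    scriptContent         = $scriptContent
    runAsAccount          = 'system'
    enforceSignatureCheck = $false
    runAs32Bit            = $false
}

$script = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created script policy $($script.id)"

# Assign it to the device group (the Assignments step in the portal).
$assignment = @{
    deviceManagementScriptGroupAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.deviceManagementScriptGroupAssignment'
            targetGroupId = $groupId
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($script.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

The id returned by the first call is the same Policy Identifier you would otherwise copy from the browser's address bar, so keep it: it is what you search for in the registry and the IME log when monitoring the deployment.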

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
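The following is an added example, not code from the original post, showing the PowerShell route to a forced check-in: it confirms the Intune Management Extension service is present and running, starts the enrollment's PushLaunch scheduled task (the same thing the Sync button does), and restarts the IME service so it fetches script policy immediately. It assumes an elevated session on an enrolled Windows 10/11 Pro, Enterprise or Education device.

```powershell
# Added example (not part of the original post): force an Intune check-in
# from an elevated PowerShell session on an enrolled test device.

# 1. Confirm the IME agent is installed and its service is running. The
#    service is created automatically once a PowerShell script is assigned.
$imeService = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if (-not $imeService) {
    throw 'Intune Management Extension service not found. Check enrollment and that a script is assigned to this device.'
}
if ($imeService.Status -ne 'Running') {
    Start-Service -Name 'IntuneManagementExtension'
}

# 2. Trigger the MDM sync. Enrollment creates a scheduled task named 'PushLaunch'
#    under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; starting it is
#    equivalent to pressing Sync in Settings > Accounts > Access work or school.
$pushTask = Get-ScheduledTask | Where-Object { $_.TaskName -eq 'PushLaunch' }
if ($pushTask) {
    $pushTask | Start-ScheduledTask
} else {
    Write-Warning 'PushLaunch task not found; is the device enrolled in Intune?'
}

# 3. The IME polls for new script policy on its own schedule (roughly hourly).
#    Restarting the service makes it check in right away.
Restart-Service -Name 'IntuneManagementExtension'
```

Step 3 is the one that matters for script deployments: the PushLaunch task syncs MDM policy, but it is the IME service that downloads and runs scripts, so a device can show as synced in the portal while the script has not yet been fetched.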

STEP 3 – Monitor Deployment Progress

To verify the status of PowerShell script execution from the Intune admin center, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Scripts under the Policy section.
  • Click on the script deployment and go to the Overview page to find the status.
  • If you want to review the deployment status of the PowerShell script for specific devices or users, you can click on “Device status” or “User status” under the “Monitor” section to access status information for each device or user.

End-user Experience

On the target device, a PowerShell script deployed via Intune will initially be downloaded to the device at the following location: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts before execution.

After the download, the script is executed. Note that scripts downloaded to the device are deleted automatically after execution, so you may find this folder empty once the script has run.

The script is executed in the system context (as SYSTEM) because we selected "Run this script using the logged-on credentials" as "No" when creating the deployment.

To verify whether the PowerShell script we deployed has been executed on the target devices, we can check if a folder called “Cloudinfra” has been created under the C:\temp location.


More Information

Verify PowerShell Script Execution Status via Windows Registry

To confirm on a target device that a PowerShell script deployment executed successfully, open the Windows Registry Editor and check its status by following these steps.

1. Locate the Policy ID for the PowerShell script deployment

To find the Policy ID of the PowerShell script deployment using the Intune admin center, follow these steps:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Scripts under the Policy section.
  • Click on the script deployment; its Policy Identifier (a GUID) appears in the browser's address bar and can be copied from there.

2. Check Powershell script deployment Status in the Registry

  • Go to Start, search for Registry Editor and open it.
  • Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
  • Within the "Policies" key, expand the per-user GUID subkey (for scripts running in the system context this is the all-zero GUID) and click on the Policy ID corresponding to your deployment. Examine the "Result" value on the right-hand side to determine the deployment status. As demonstrated in the screenshot below, "Result" shows "Success".

Verify PowerShell Script Execution Status via Intune Management Extension logs

You can also verify the PowerShell script execution status by inspecting the Intune Management Extension logs:

  • Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
  • Find the most recent IntuneManagementExtension.log file and open it. AgentExecutor.log in the same folder records the script's own output and exit code, which is where to look when the result is not Success.
  • The best way to open .log files is with CMTrace.
  • Search for the Policy ID and check the Policy result. As you can see, the Policy result shows Success for this deployment.
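The three checks above (the artifact the script was meant to create, the Result value under the IME Policies registry key, and the IME log) can be run together from the device. The following is an added example, not code from the original post; it assumes an elevated session on the target device and takes the Policy Identifier copied from the admin center as a parameter (the default value is a placeholder). It searches the registry recursively so it does not depend on the per-user GUID level under Policies, and the additional value names it mentions besides Result are assumptions to look for rather than documented names.

```powershell
# Added example (not part of the original post): verify a script deployment
# on the device from the artifact, the IME registry Result and the IME log.
# Run elevated. -PolicyId is the GUID from the admin center URL (placeholder).
param(
    [string]$PolicyId     = '00000000-0000-0000-0000-000000000000',
    [string]$ExpectedPath = 'C:\temp\Cloudinfra'
)

# 1. Did the script produce the artifact it was supposed to?
[pscustomobject]@{ Check = 'Artifact present'; Value = (Test-Path -Path $ExpectedPath) }

# 2. IME registry status. Policy keys sit one level below 'Policies', under a
#    per-user GUID key (all zeros for system-context scripts), so search
#    recursively instead of hard-coding that level.
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
$policyKey  = Get-ChildItem -Path $policyRoot -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -ieq $PolicyId } |
              Select-Object -First 1

if ($policyKey) {
    $status = Get-ItemProperty -Path $policyKey.PSPath
    [pscustomobject]@{ Check = 'Registry Result'; Value = $status.Result }
    # Dump the other values under the key (error code and details, if present);
    # these are what you want when Result is anything other than 'Success'.
    $status | Select-Object * -ExcludeProperty PS*
} else {
    Write-Warning "No registry entry for policy $PolicyId: the IME has not processed it yet, or this device is not targeted."
}

# 3. Recent IME log lines that mention this policy. Script stdout/stderr and
#    the exit code are in AgentExecutor.log in the same folder.
$logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
Get-ChildItem -Path $logDir -Filter 'IntuneManagementExtension*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern $PolicyId -SimpleMatch |
    Select-Object -Last 10 |
    ForEach-Object { $_.Line }
```

Because the registry key is written by the IME after the run, a missing key and a missing artifact together point at delivery (assignment or check-in), while a key with Result=Failed and no artifact points at the script itself, and AgentExecutor.log will hold the error.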

FAQs

1. How to Verify the Presence of Intune Management Extension on a Windows Device

The Intune Management Extension (IME) is the agent responsible for executing PowerShell scripts on targeted devices. You do not need to deploy it separately: it is installed automatically when you assign a PowerShell script to the target device.

The Intune Management Extension is installed at C:\Program Files (x86)\Microsoft Intune Management Extension. You can navigate to this location to confirm it is installed on your device.

A second method is to check for a service called "Microsoft Intune Management Extension" (service name IntuneManagementExtension). Its presence also indicates that the agent is installed. To check this service and its status, follow the steps below:

  • Press the Win + R to open a Run dialog box
  • Type services.msc and press Enter.
  • Search for Microsoft Intune Management Extension service
  • Make sure the status is Running.

2. Why isn’t the assigned PowerShell script executed on the device?

There are several reasons a PowerShell script may not execute on the target device. The following checks cover the usual causes:

  • Test the PowerShell script manually on a test device in an elevated session to ensure it functions as expected. Remember that the deployed copy runs as SYSTEM, so anything that depends on the signed-in user (HKCU keys, the user profile, mapped drives) will behave differently.
  • Confirm the device is running a supported edition; Windows 10/11 Home devices are not supported.
  • Confirm the presence of the Intune Management Extension on the target device, using the steps above, and that its service is running.
  • Confirm the device (or its user) is a member of the assigned group and has checked in since the assignment was created.
  • Check the Result value under the IME Policies registry key and the IME logs, as described above. A script that fails is retried three times; after that it does not run again until you modify or re-upload it.

3. Are there more effective methods for deploying PowerShell scripts with Intune?

Deploying PowerShell scripts with Intune is effective, but it is best suited to one-time script deployments. A script deployed this way runs once per device (with up to three retries if it fails) and will not run again unless you modify the script or re-upload it.

A more efficient method for deploying PowerShell scripts to target devices is through Intune device remediations, also known as proactive remediations.

Remediations require the users of the devices to have one of the following licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user
Source: Microsoft

You can also set Intune device remediations to run on a schedule, ensuring that it regularly checks for configuration discrepancies and addresses them with remediation scripts. I’ve written several blog posts on Intune device remediations where you can gain a comprehensive understanding of how this process operates.

Blog posts on Intune Device remediations
How To Create HKCU Registry Keys Using Intune Remediations
Enable/Disable Local Admin Account Using Intune Remediations
How To Create Registry Keys Using Intune Remediations

If you don't meet the licensing requirements for Intune device remediations, you can still schedule the execution of a PowerShell script by creating a scheduled task using Intune. This task can run a script stored either locally or remotely.
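The following is an added example, not code from the original post, of what that one-time Intune deployment looks like: a script run in the system context that stages a local script and registers a scheduled task to run it daily as SYSTEM. The task name, folder and schedule are assumptions. The script folder is placed under Program Files deliberately: a task that runs as SYSTEM must only execute files that standard users cannot replace, and a user-writable location such as C:\temp would let any local user swap in their own code and have it run with SYSTEM privileges.

```powershell
# Added example (not part of the original post): deploy once via Intune (system
# context, 64-bit host) to install a daily SYSTEM scheduled task that runs a
# local PowerShell script. Task name, paths and schedule are assumptions.

$taskName   = 'Cloudinfra-DailyCheck'
$scriptDir  = Join-Path $env:ProgramFiles 'Cloudinfra'   # admin-only write access
$scriptFile = Join-Path $scriptDir 'DailyCheck.ps1'

# Stage the script the task will run. The body is embedded here; it could
# equally be fetched from a trusted internal location at deployment time.
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
@'
$path = "C:\temp\Cloudinfra"
if (-not (Test-Path -Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}
'@ | Set-Content -Path $scriptFile -Encoding UTF8

# Run non-interactively as SYSTEM, with a time limit so a hung run cannot
# accumulate; -StartWhenAvailable catches devices that were off at 09:00.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptFile`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 9am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# -Force re-registers an existing task, so re-running this deployment after an
# edit or re-upload (which Intune does) is idempotent.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Because the Intune deployment itself runs only once, changes to the scheduled script mean editing this deployment script and re-uploading it; the registry Result and IME log described earlier tell you whether the re-deployment ran.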

Conclusion

In this blog post, we have explored the deployment of PowerShell scripts using the Intune admin center. We’ve delved into monitoring the deployment process in detail, highlighting various locations where you can track the status of PowerShell script deployments. Additionally, we’ve discussed an alternative and more robust approach to script deployment through Intune device remediations.

2 thoughts on “How to deploy a Powershell script using Intune”

  1. Hey Mate,

    Just a query about using the (Run this script using the logged-on credentials – Yes) option.
    If the user does not have regedit permissions, have you had this work?

    I currently have a work around that I may not need to continue using if this is the case.
    I have shared this below in case it is useful to you 🙂

    # Open Registry session in current user's drive
    New-PSDrive HKU Registry HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

    # Set Variables required to access the current users registry as system
    $user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
    $sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Set Target Users Key
    $keylocation = "HKU:\$sid\Software\Microsoft\Windows\%KEY%"

    • Sorry for a bit of a delay in responding. I believe the user must have permission to edit the registry to be able to make changes when you have "Run this script using the logged-on credentials" set to "Yes".

      Thanks for sharing the code, it's very helpful.
