How to deploy a Powershell script using Intune

PowerShell scripts are commonly saved in files with a .ps1 extension and can be executed on Intune-managed Windows devices via the Intune admin center. However, using Intune, you cannot deploy PowerShell scripts to Windows 10 Home devices.

I recently discussed configuring a PowerShell execution policy via Intune. This method is helpful for centrally controlling the execution policy of running PowerShell scripts from one place. For more details, refer to the article Set PowerShell Execution Policy using Intune and GPO.


Step-by-Step guide

STEP 1 – Prepare a Powershell script

The first step is to prepare a Powershell script file and save it with a .ps1 extension. Test the script manually on a test device before deploying it via Intune.

Example:

I have used the script below for demonstration purposes and saved it as CreateDirectory.ps1. It creates a folder called Cloudinfra under C:\temp.

CreateDirectory.ps1

$path = "C:\temp\Cloudinfra"
# Create the folder only if it does not already exist
If (!(Test-Path $path))
{
      New-Item -ItemType Directory -Path $path
}

STEP 2 – Deploy Powershell Script

To deploy a Powershell script using Intune, follow these steps:

  • Sign in to the Intune admin center.
  • Go to Devices and then click on Scripts and Remediations > Platform Scripts.
  • Click on + Add and then Select Windows 10 and later.

Basics

Provide a Name and Description of the deployment.

Script settings

  • Script location – Select the Powershell script that you want to deploy
  • Run this script using the logged on credentials – Change it to No
  • Enforce script signature check – Change it to No
  • Run script in 64 bit PowerShell Host – Change it to Yes

Assignments

  • Click on Add Groups and add an Entra security group containing Windows devices.

Review + add

The final step is to review the information and click Add to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
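The check-in described above can be kicked off from the device itself. The function below is an added example, not code from the original post. It assumes that MDM enrollment registers a scheduled task named PushLaunch under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ (the task commonly used to trigger a sync) and that the Intune Management Extension service is named IntuneManagementExtension; run it from an elevated PowerShell session on the test device.

```powershell
# Added example (not the post's own code). Forces an Intune device check-in locally.
# Assumptions: the enrollment's sync task is 'PushLaunch' under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ and the IME service name is
# 'IntuneManagementExtension'. Requires an elevated session.

function Invoke-IntuneSync {
    param(
        [switch]$RestartAgent   # also restart the IME so it re-reads script policies
    )

    # Locate the enrollment's PushLaunch task; if it is missing the device is not MDM-enrolled
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object {
                $_.TaskName -eq 'PushLaunch' -and
                $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*'
            }
    if (-not $task) {
        Write-Warning 'No PushLaunch task found; the device does not appear to be MDM-enrolled.'
        return
    }

    # Start the sync task (one per enrollment; normally exactly one)
    $task | Start-ScheduledTask

    if ($RestartAgent) {
        # Restarting the agent makes it poll for assigned scripts again
        Restart-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    }

    # Report when the task last ran so you can confirm the check-in was triggered
    $task | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult
}

# Usage on the test device:
Invoke-IntuneSync -RestartAgent
```

The LastTaskResult column is the task's own exit code, not the result of the script deployment; use the registry and log checks later in this post to confirm the script itself ran.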

STEP 3 – Monitor Deployment Progress

To verify the status of the PowerShell script execution from the Intune admin center, follow these steps:

  • Sign in to the Intune admin center.
  • Go to Devices and then click on Scripts and Remediations > Platform Scripts.
  • Click on the Script deployment and go to the Overview page to find the status.
  • If you want to review the deployment status of the PowerShell script for specific devices or users, you can click on Device status or User status under the Monitor section to access status information for each device or user.

End-user Experience

On the target device, a PowerShell script deployed via Intune will initially be downloaded to the device at the following location: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts before execution.

After the download, the script is executed. It’s important to note that the scripts downloaded to the device will be automatically deleted after execution, so you may find this folder empty once the script has been run.

The script is executed in the system context because we set Run this script using the logged-on credentials to No when creating the deployment.

To verify whether the PowerShell script we deployed has been executed on the target devices, we can check if a Cloudinfra folder has been created under the C:\temp location.


More Information

Verify PowerShell Script Execution Status via Windows Registry

To confirm the successful execution of a PowerShell script deployment from a target device, you can access the Windows registry editor and verify its status by following these steps.

1. Locate the Policy ID for the PowerShell script deployment

To find the Policy ID of the PowerShell script deployment using the Intune admin center, follow these steps:

  • Sign in to the Intune admin center.
  • Go to Devices and then click on Scripts and Remediations > Platform Scripts.
  • Click on the script deployment to copy its Policy Identifier value from the browser’s address bar.

2. Check Powershell script deployment Status in the Registry

  • Go to Start and search for Registry Editor. Click on it to open the registry editor.
  • Navigate to the registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
  • Within the Policies registry key, click on the Policy ID corresponding to your deployment. Examine the Result registry entry on the right-hand side to determine the deployment status. As the screenshot below demonstrates, the Result shows Success.

Verify PowerShell Script Execution Status via Intune Management Extension logs

You can verify the PowerShell script execution status by inspecting the Intune Management Extension logs. Let’s check the steps:

  • Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
  • Please find the most recent IntuneManagementExtension.log file and open it
  • The best way to open .log files is by using the CMTrace tool.
  • Search for Policy ID and check the Policy result. As you can see, the Policy result shows Success for this deployment.
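Both checks above (the Result value under the IntuneManagementExtension\Policies key and the Policy ID lines in IntuneManagementExtension.log) can be done in one pass from an elevated PowerShell prompt. The function below is an added example, not code from the post. It assumes the registry path and log path named above, the service name IntuneManagementExtension for the Intune Management Extension, and that a ResultDetails value sits beside Result (treat that value as optional). The registry search is recursive so it also works if the policy key is nested one level below Policies.

```powershell
# Added example (not the post's own code). Reports the execution status of one Intune
# platform script on the local device. Assumptions: paths from the post, service name
# 'IntuneManagementExtension', optional 'ResultDetails' value. Run elevated.

function Get-IntuneScriptResult {
    param(
        [Parameter(Mandatory)]
        [string]$PolicyId   # GUID copied from the admin center address bar
    )

    $result = [ordered]@{ PolicyId = $PolicyId }

    # 1. Is the Intune Management Extension present and running?
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $result.AgentInstalled = [bool]$svc
    $result.AgentStatus    = if ($svc) { $svc.Status.ToString() } else { 'Not installed' }

    # 2. Registry: Policies\<PolicyId>\Result as shown in the post. Searching recursively
    #    also covers the case where the policy key is nested one level deeper (assumption).
    $root = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
    $key  = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq $PolicyId } |
            Select-Object -First 1
    if ($key) {
        $props = Get-ItemProperty -Path $key.PSPath
        $result.RegistryResult = $props.Result
        $result.ResultDetails  = $props.ResultDetails   # assumed value name; may be empty
    } else {
        $result.RegistryResult = 'Policy key not found (policy not processed yet?)'
    }

    # 3. IME log: each line is a CMTrace record, so keep only the message text between
    #    <![LOG[ and ]LOG] for the lines that mention this policy id.
    $log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
    if (Test-Path $log) {
        $result.LogLines = Select-String -Path $log -Pattern ([regex]::Escape($PolicyId)) |
            ForEach-Object {
                if ($_.Line -match '<!\[LOG\[(.*?)\]LOG\]') { $Matches[1] } else { $_.Line }
            } |
            Select-Object -Last 5
    } else {
        $result.LogLines = @('Log file not found')
    }

    [pscustomobject]$result
}

# Usage (placeholder GUID; paste the Policy ID of your own deployment):
Get-IntuneScriptResult -PolicyId '00000000-0000-0000-0000-000000000000' | Format-List
```

A Result of Success together with a Running agent and matching log lines confirms the script ran; a missing policy key with a running agent usually means the device has not checked in yet, so trigger a sync and re-run the check.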

FAQs

1. How to Verify the Presence of Intune Management Extension on a Windows Device

Intune Management Agent is responsible for executing Powershell scripts on targeted devices. You don’t need to deploy the Intune Management Extension separately; it is automatically installed when you assign a PowerShell script to the target device.

The Intune Management Extension is typically installed at C:\Program Files (x86)\Microsoft Intune Management Extension. You can navigate to this location to confirm that it is installed on your device.

A second method to verify and confirm this is by checking a Microsoft Intune Management Extension service. This service also indicates the presence of the Intune Management agent on your device. To check this service and its status, follow the below steps:

  • Press the Win + R keys to open a Run dialog box.
  • Type services.msc and press Enter.
  • Search for Microsoft Intune Management Extension service
  • Make sure the status is Running.

2. Why isn’t the assigned PowerShell script executed on the device?

Various factors could prevent the PowerShell script from executing on the target device. I’ve compiled a list of things you can investigate that may help resolve the issues.

  • Test the PowerShell script manually on a test device with administrator rights to ensure it functions as expected.
  • Confirm the presence of the Intune Management Extension on the target device. Refer to the steps above to ensure it is correctly installed.

3. Are there more effective methods for deploying PowerShell scripts with Intune?

Deploying PowerShell scripts with Intune is effective, but it’s most suitable for one-time script deployments. Scripts deployed using this method won’t run again unless you make script modifications or re-upload them.

A more efficient method for deploying PowerShell scripts to target devices is through Intune device remediations, also known as proactive remediations.

Remediations require the users of the devices to have one of the following licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user
Source: Microsoft

You can also set Intune device remediations to run on a schedule, ensuring that it regularly checks for configuration discrepancies and addresses them with remediation scripts. I’ve written several blog posts on Intune device remediations where you can comprehensively understand how this process operates.

Blog posts on Intune Device remediations
How To Create HKCU Registry Keys Using Intune Remediations
Enable/Disable Local Admin Account Using Intune Remediations
How To Create Registry Keys Using Intune Remediations

If you don’t meet the licensing requirements for Intune device remediations, you still have the option to schedule the execution of a PowerShell script by creating a scheduled task using Intune. This task can run a script stored either locally or remotely.
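One way to set up that scheduled task is to deploy a platform script (with Run this script using the logged-on credentials set to No, so it runs as SYSTEM) that writes the maintenance script to disk and registers the task. The script below is an added example, not code from the post; the folder, file name, task name and daily 09:00 schedule are placeholders. Because the task runs as SYSTEM, the example stores the script under %ProgramFiles%, whose default ACL lets only administrators write, and refuses to register the task if standard users can modify the folder.

```powershell
# Added example (not the post's own code). Deploy as an Intune platform script running
# in the system context. Placeholders: folder, script name, task name and schedule.

$scriptDir  = 'C:\Program Files\CloudinfraScripts'   # admin-writable only by default ACL
$scriptPath = Join-Path $scriptDir 'Maintenance.ps1'
$taskName   = 'Cloudinfra-Maintenance'

if (-not (Test-Path $scriptDir)) {
    New-Item -ItemType Directory -Path $scriptDir | Out-Null
}

# The task runs as SYSTEM, so anyone who can edit the script file effectively runs as
# SYSTEM. Abort if BUILTIN\Users holds write or modify rights on the folder.
$weakAce = (Get-Acl -Path $scriptDir).Access | Where-Object {
    $_.IdentityReference -like '*\Users' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
}
if ($weakAce) {
    Write-Error "Refusing to register task: standard users can write to $scriptDir"
    exit 1
}

# Constructed sample body for the scheduled script (replace with your own work)
$body = @'
$path = "C:\temp\Cloudinfra"
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
'@
Set-Content -Path $scriptPath -Value $body -Encoding UTF8

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 9am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# -Force overwrites an existing task, so re-running the platform script after edits is safe
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

Write-Output "Registered task '$taskName' running $scriptPath daily at 09:00 as SYSTEM"
```

Unlike a plain platform script, the task keeps running on its schedule after the Intune deployment has reported Success, which is the behaviour the post describes as the benefit of remediations without needing the remediations license.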

Conclusion

This blog post explored the PowerShell script deployment using the Intune admin center. We’ve delved into monitoring the deployment process in detail, highlighting various locations where you can track the status of PowerShell script deployments. Additionally, we’ve discussed an alternative and more robust approach to script deployment through Intune device remediations.

2 thoughts on “How to deploy a Powershell script using Intune”

  1. Hey Mate,

    Just a query about using the (Run this script using the logged-on credentials – Yes) option.
    If the user does not have regedit permissions, have you had this work?

    I currently have a work around that I may not need to continue using if this is the case.
    I have shared this below incase it is useful to you 🙂

    # Open a registry drive for HKEY_USERS
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

    # Set the variables required to access the current user's registry while running as SYSTEM
    $user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
    $sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Set the target user's key
    $keylocation = "HKU:\$sid\Software\Microsoft\Windows\%KEY%"

    • Sorry for the slight delay in responding. I believe the user must have permission to edit the registry to be able to make changes when you have “Run this script using the logged-on credentials” set to “Yes”.

      Thanks for sharing the code, it’s very helpful.
