PowerShell scripts can perform tasks such as advanced system administration, configuration management, automation of repetitive processes, data manipulation, and more. They can interact with various system components, services, files, and applications to achieve specific goals.
PowerShell scripts are typically saved in files with a .ps1 extension and can be easily executed on Intune-managed Windows devices using the Intune admin center. Please note that you cannot deploy PowerShell scripts to Windows 10 Home devices using Intune.
The Intune Management Extension allows administrators to deploy and execute PowerShell scripts and Win32 applications on managed Windows devices. The Intune Management Extension is installed automatically when you assign a PowerShell script, a Win32 app, a Microsoft Store app, a custom compliance policy or a Proactive remediation.
To create a PowerShell script deployment in the Intune admin center, you upload the script while creating the deployment. There is no option to download your script back from Intune; however, there is a way to retrieve it from a target device. I have written a blog post on how to retrieve PowerShell scripts deployed via Intune.
PowerShell script
I will take an example PowerShell script which creates a folder on target devices. It is a very simple script for the purpose of this demo. The script is called CreateDirectory.ps1. Below is the small piece of code, which creates a folder called Cloudinfra under C:\temp\.
It is best practice to test any code locally on a test device before deploying it to target devices. After you are satisfied that the code works as expected, copy and paste your PowerShell code into a file and save the file with a .ps1 extension.
CreateDirectory.ps1
$path = "C:\temp\Cloudinfra"
# Create the folder only if it does not exist yet (New-Item also creates C:\temp if it is missing)
If (!(Test-Path $path)) {
    New-Item -ItemType Directory -Path $path
}
Steps to deploy a PowerShell script using the Intune admin center
Once we have a PowerShell script tested and ready to deploy, we need to create a deployment from the Microsoft Intune admin center. Please follow the steps below to create the deployment:
- Sign in to the Microsoft Intune admin center
- Go to Devices and then click on Scripts under the Policy section.
- Click on + Add and then select Windows 10 and later.
Basics
On the Basics tab, provide a Name and Description for the PowerShell script deployment and then click on Next.
- Name: Cloudinfra directory creation
- Description: Execute PowerShell script CreateDirectory.ps1 on Windows devices
Script settings
On the Script settings tab you need to select your PowerShell script and configure how it should execute on the target devices.
- Script location – Select the PowerShell script which you want to deploy
- Run this script using the logged on credentials – Change it to No
- Enforce script signature check – Change it to No
- Run script in 64 bit PowerShell Host – Change it to Yes
Assignments
Create an Azure AD security group which contains the users or devices to which this PowerShell script needs to be deployed. If you prefer a more controlled deployment to specific devices only, make sure to target only devices via the Azure AD group. Once your testing is successful and you want to deploy this script to all organization devices, you can click on + Add all devices.
Review + add
The final step is to review the information and click on Add to start the deployment process.
Intune Policy Refresh Cycle
The device will sync / check in to start the script deployment process. It may take some time for the process to start. Therefore, if you are testing on a test device, you can force an Intune refresh cycle on the device, which speeds up the script download and execution. You can also use PowerShell to force an Intune refresh cycle.
You can also restart the device first, which also starts the device check-in process. A manual sync is not mandatory on users' devices, as the device check-in process happens automatically, but if you are testing this setting on a test device then it can speed up your testing and save some time.
End user Experience
On the target device, a PowerShell script deployed via Intune is first downloaded to C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts and then executed. Scripts downloaded to the device are deleted automatically after execution, so you may find this folder empty.
If you want to retrieve the script from the local device, you have to be quick and copy the script file from the above location before it gets deleted by the Intune Management Extension.
The script is executed in the System context because we set Run this script using the logged on credentials to No. Let's check whether the PowerShell script we deployed has been executed on the target devices. For this, I will check if a folder called Cloudinfra has been created under C:\temp.
As per the PowerShell script, it creates a folder called Cloudinfra under C:\temp, which we can confirm easily by navigating to the C:\temp directory. However, you can also confirm the status of the PowerShell script execution using the following methods:
Check the status of PowerShell script execution from the Windows registry
To confirm whether a PowerShell script deployed via Intune has executed successfully, you can open the Windows Registry Editor and check its status using the steps below. To check the status in the registry, you will need the Policy Id of the PowerShell script deployment. Let's look at the steps to find the Policy Id:
Find the Policy Id of a PowerShell script deployment
To find the Policy Id of a PowerShell script deployment using the Intune admin center, follow the steps below:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Scripts under the Policy section
- Click on the script deployment and copy its Policy Id value from the browser address bar
- Go to Start and search for Registry Editor. Click on it to open the Registry Editor
- Navigate to registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
- Under it you will find a registry key named after the PowerShell script deployment's Policy Id. Check the Result registry entry to find the deployment status. As you can see from the screenshot below, Result shows as Success.
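The registry check above, written as a reusable function. This is an added example and not code from the original post; it assumes only the layout the post describes (a subkey named after the script's Policy Id somewhere under the IntuneManagementExtension\Policies key, carrying a Result value) and searches recursively so it also works if the Policy Id key sits under an intermediate per-user subkey.

```powershell
# Added example (not from the original post): report the Result of an Intune
# PowerShell script deployment from the Intune Management Extension registry keys.
# Assumes the key layout described in the post; the recursive search also covers
# a Policy Id key nested under an intermediate subkey.
function Get-IntuneScriptResult {
    [CmdletBinding()]
    param(
        # Policy Id copied from the Intune admin center address bar (a GUID, braces optional)
        [Parameter(Mandatory)]
        [ValidatePattern('^\{?[0-9a-fA-F-]{36}\}?$')]
        [string]$PolicyId
    )

    $root = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
    if (-not (Test-Path $root)) {
        throw "IME policy key not found at $root; is the Intune Management Extension installed?"
    }

    # Match the key name case-insensitively, ignoring surrounding braces
    $wanted = $PolicyId.Trim('{}')
    $keys = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName.Trim('{}') -ieq $wanted }

    if (-not $keys) {
        Write-Warning "No registry key for Policy Id $PolicyId; the script may not have run on this device yet."
        return
    }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            PolicyId = $key.PSChildName
            KeyPath  = $key.Name
            Result   = $props.Result      # e.g. "Success", as shown in the post
            # All other values under the key, for troubleshooting (PS* are provider metadata)
            Values   = ($props.PSObject.Properties |
                          Where-Object { $_.Name -notlike 'PS*' } |
                          ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Usage (replace the placeholder with your own Policy Id):
# Get-IntuneScriptResult -PolicyId '00000000-0000-0000-0000-000000000000'
```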
Check the status of PowerShell script execution using the Intune admin center
You can also check the status of the PowerShell script execution from the Intune admin center. Please follow the steps below to confirm the deployment status:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Scripts under the Policy section
- Click on the script deployment and go to the Overview page to find the status
- To check the device- or user-specific deployment status of the PowerShell script, click on Device status or User status under Monitor to find the status per device/user.
Check the status of PowerShell script execution using the Intune Management Extension logs
You can also check the PowerShell script execution status using the Intune Management Extension logs. Follow the steps below to find out whether your PowerShell script deployment via Intune succeeded.
- Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
- Find the most recent IntuneManagementExtension.log file and open it
- The best way to open .log files is with a tool called CMTrace.
- Search for the Policy Id and check the Policy result. As you can see, the Policy result shows as Success for this deployment.
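The log search above can be scripted instead of done by hand in CMTrace. This is an added example, not code from the original post: it parses the CMTrace line format that IntuneManagementExtension.log uses and returns only the entries mentioning a given Policy Id. The sample lines at the bottom are constructed for this example; the wording of real IME messages differs.

```powershell
# Added example (not from the original post): filter IntuneManagementExtension.log
# (CMTrace format) for entries that mention a Policy Id.
function Get-IMEPolicyLogEntry {
    param(
        [Parameter(Mandatory)] [string]$PolicyId,
        [string]$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
        [string[]]$Lines   # raw log lines; when given, the file is not read (used for the sample below)
    )
    if (-not $Lines) { $Lines = Get-Content -Path $LogPath -ErrorAction Stop }

    # CMTrace entry: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
    $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type codes

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }                       # continuation or malformed line
        $msg = $m.Groups['msg'].Value
        if ($msg -notlike "*$PolicyId*") { continue }            # not about this policy
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Message   = $msg
        }
    }
}

# Constructed sample log lines (not real IME output) to show the filter in action
$sample = @(
    '<![LOG[Downloading script for policy 11111111-2222-3333-4444-555555555555]LOG]!><time="10:01:02.123+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[Unrelated policy 99999999-9999-9999-9999-999999999999 processed]LOG]!><time="10:01:03.456+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[Policy result for 11111111-2222-3333-4444-555555555555: Success]LOG]!><time="10:01:09.789+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">'
)
# Returns the first and third sample entries; on a real device omit -Lines to read the log file
Get-IMEPolicyLogEntry -PolicyId '11111111-2222-3333-4444-555555555555' -Lines $sample | Format-Table -AutoSize
```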
FAQs
How to confirm whether the Intune Management Extension is installed on a Windows device
We do not need to deploy the Intune Management Extension, as it is installed automatically when you assign a PowerShell script to the target device. The Intune Management Extension is typically installed at C:\Program Files (x86)\Microsoft Intune Management Extension.
You can navigate to this location and check whether the agent is installed. The Intune Management Extension is installed on a Windows device as a service, so you can also check the status of the service and make sure it is in the Running state.
- Press Windows button + R to open a Run box
- Type services.msc and press Enter. This opens the Services MMC console
- Search for the Microsoft Intune Management Extension service
- Make sure its status is Running
PowerShell script assigned to the device is not running
There can be several reasons for a PowerShell script not executing on the target device. Below are some things you can check which might resolve the issue.
- Test the PowerShell script manually on a test device with administrator rights to make sure it works as expected.
- Make sure the target device is joined to Azure AD.
- Make sure the Intune Management Extension is installed on the target device. I have provided the steps above to check and confirm the Intune Management Extension status. Please check and see if it is in place.
- Check the Intune Management Extension logs to find out the reason for the failed deployment.
Is there a better way to deploy PowerShell scripts using Intune?
Deploying PowerShell scripts using Intune works great; however, it is suited to one-off script deployments. PowerShell scripts deployed using this method will not be executed again unless you modify the script or re-upload it.
A better approach to deploying PowerShell scripts on target devices is to use Intune device remediations, also known as Proactive remediations. With Intune device remediations, you can detect an issue using one PowerShell script and remediate it using another PowerShell script.
Remediations require the users of the devices to have one of the following licenses:
Source: Microsoft
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Virtual Desktop Access (VDA) per user
You can also run Intune device remediations on a schedule to check for configuration drift and fix it using the remediation script. I have written a few blog posts on Intune device remediations. You can check those posts to understand how it works.
If you do not meet the license criteria for Intune device remediations, you could also run a PowerShell script on a schedule by creating a scheduled task using Intune, which could run a script stored locally or remotely.
Conclusion
In this blog post we have seen how to deploy PowerShell scripts using the Intune admin center. We also discussed in detail how to monitor the deployment and the different places where you can find the status of a PowerShell script deployment. If you want a better approach for deploying PowerShell scripts, you can use Intune device remediations.
Hey Mate,
Just a query about using the (Run this script using the logged-on credentials – Yes) option.
If the user does not have regedit permissions, have you had this work?
I currently have a work around that I may not need to continue using if this is the case.
I have shared this below in case it is useful to you 🙂
# Open a Registry session on the HKEY_USERS hive (drive HKU:)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
# Set variables required to access the current user's registry as SYSTEM
$user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
$sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
# Set the target user's key (%KEY% is the placeholder for the key to access)
$keylocation = "HKU:\$sid\Software\Microsoft\Windows\%KEY%"
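The same per-user registry approach from a System-context script, as an added example that is not the commenter's code. It handles the two cases the short version above does not check, no interactive user logged on and the user's hive not being loaded under HKEY_USERS, and uses Get-CimInstance and the Registry:: provider path instead of Get-WmiObject and New-PSDrive. The SubKey parameter and the usage lines are placeholders for this example.

```powershell
# Added example (not the commenter's code): resolve the logged-on user's HKEY_USERS
# path from a script running as SYSTEM, with the failure cases handled explicitly.
function Get-LoggedOnUserRegistryPath {
    param(
        # Key relative to the user's hive, e.g. 'Software\Microsoft\Windows\CurrentVersion\Run' (placeholder)
        [Parameter(Mandatory)] [string]$SubKey
    )

    # Win32_ComputerSystem.UserName is empty when no user is logged on interactively
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ([string]::IsNullOrWhiteSpace($cs.UserName)) {
        throw 'No interactive user is logged on; the script cannot target a user hive.'
    }

    # Translate DOMAIN\user to its SID, which is the hive's key name under HKEY_USERS
    $account = [System.Security.Principal.NTAccount]$cs.UserName
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # The user's hive only appears under HKEY_USERS while it is loaded
    $hive = "Registry::HKEY_USERS\$sid"
    if (-not (Test-Path $hive)) {
        throw "Hive for $($cs.UserName) ($sid) is not loaded under HKEY_USERS."
    }

    # Create the target key if it does not exist yet, then return the full path
    $path = "$hive\$SubKey"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    return $path
}

# Usage (placeholders): write a per-user value while running as SYSTEM
# $key = Get-LoggedOnUserRegistryPath -SubKey 'Software\Cloudinfra'
# Set-ItemProperty -Path $key -Name 'ExampleValue' -Value 1 -Type DWord
```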