Learn how to deploy a PowerShell script using Intune through this post. PowerShell scripts are useful for delivering advanced deployment scenarios in a modern management setup. SCCM also has a powerful PowerShell script deployment method.
Introduction
The Intune PowerShell script deployment mechanism is based on the Intune Management Extension (IME) client. The Intune Management Extension covers advanced deployment scenarios such as 3rd party application patching.
When the Intune Management Extension (IME) prerequisites are met, the IME installs automatically as soon as a PowerShell script or Win32 app is assigned to the user or device.
Prerequisites
All the prerequisites for PowerShell script deployment are the same as those of the Intune Management Extension.
The first thing I learned from the Windows Virtual Desktop (WVD) project is that the Intune Management Extension client can’t be installed on the Windows 10 Multi-user SKU.
- Windows 10 version 1703 or later
- Azure AD joined devices
- Hybrid Azure AD joined devices
- Devices enrolled in Intune, via any of:
  - GPO enrollment
  - Manual enrollment
  - MDM auto enrollment
  - Co-management enrollment
Create PowerShell Script Using Intune
Let’s test PowerShell script deployment with Microsoft Intune using the following guide.
- Sign in to the MEM Intune Portal
Add Script
- Select Devices > Windows > PowerShell scripts > + Add.

Name & Description
- Name – Enter the Name of the PowerShell Script
- Description – Enter the description of the PowerShell Script
- Click on NEXT button to continue

PowerShell Script Settings
Let’s configure the PS script settings for the PowerShell script in Intune.
- Specify the PowerShell script file to upload. The file must be less than 200 KB.
- Click on the folder icon and browse to the PowerShell script.
- Select Run this script using the logged on credentials – The default value is NO. With NO, the IME runs the script in the SYSTEM context, so everything the script does runs with full local privileges on every targeted device; treat the script content, and the Intune permissions needed to edit it, accordingly.
- If the value is set to YES, the script runs in the context of the signed-in user on the Windows 10 computer, with only that user’s rights (a non-admin user cannot write to HKLM or Program Files, for example).
NOTE! – In this post, I’m trying to run a PowerShell script which should run from the user’s context. I selected the value YES for Run this script using the logged on credentials.
- Select Enforce script signature check – Default value is NO. With NO, the IME runs the script without checking for a signature; note that the IME invokes the script with the execution policy bypassed, so the device’s own ExecutionPolicy setting does not block unsigned scripts either.
- If you select YES, the script must be signed with a code-signing certificate that the device trusts (the certificate chain must validate on the device and the publisher must be trusted). If the script is not signed, or the signature does not validate on the device, the script does not run and the deployment is reported as failed.
- Select Run the script in 64-bit PowerShell host – Default value is NO. With NO, the script runs in the 32-bit PowerShell host even on 64-bit Windows (visible in the IME log as the C:\Windows\SysWOW64\WindowsPowerShell\v1.0 host path). In a 32-bit host, HKLM\SOFTWARE is redirected to WOW6432Node and System32 to SysWOW64, so registry and file operations may not land where you expect.
- Select YES to run the script in the 64-bit PowerShell (PS) host on a 64-bit client architecture.
- Click on NEXT to continue
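The settings above decide which account and which PowerShell host the script gets, and how the IME judges success. The script below is an added example (it is not the script deployed in this post) of a .ps1 written to cope with those settings: it relaunches itself in the 64-bit host when the IME started it in the 32-bit one, picks a registry hive it can actually write to depending on whether it runs as SYSTEM or as the signed-in user, and turns any error into an explicit non-zero exit code. The Contoso\IntuneScripts key and value names are hypothetical placeholders for whatever work your script does.

```powershell
# Added example of an Intune-deployable script (not the post's own script).
# Hypothetical: the Contoso\IntuneScripts key and its values stand in for real work.

# 1. Relaunch in the 64-bit host if IME started us in the 32-bit one (the default
#    when "Run the script in 64-bit PowerShell host" is left at NO). In a 32-bit
#    process on 64-bit Windows, System32 is redirected to SysWOW64 and HKLM\SOFTWARE
#    to WOW6432Node; the SysNative alias is only visible from a 32-bit process.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $sysNative = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    & $sysNative -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE          # propagate the child's result to the IME
}

$ErrorActionPreference = 'Stop' # make every error terminating so the catch below sees it

# 2. Which context did "Run this script using the logged on credentials" give us?
#    NO  -> NT AUTHORITY\SYSTEM, full local rights, HKLM writable.
#    YES -> the signed-in user; a standard user cannot write HKLM or Program Files.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isSystem = $identity.IsSystem

function Invoke-Deployment {
    # Hypothetical work item: record that this script version ran, in a hive we own.
    $root = if ($isSystem) { 'HKLM:\SOFTWARE\Contoso\IntuneScripts' }
            else           { 'HKCU:\SOFTWARE\Contoso\IntuneScripts' }
    New-Item -Path $root -Force | Out-Null
    Set-ItemProperty -Path $root -Name 'SampleScriptVersion' -Value '1.0.0' -Type String
    Set-ItemProperty -Path $root -Name 'RanAs'       -Value $identity.Name -Type String
    Set-ItemProperty -Path $root -Name 'Is64BitHost' -Value ([int][Environment]::Is64BitProcess) -Type DWord
}

try {
    Invoke-Deployment
    # Stdout goes to the policy's .output file; keep it short and useful.
    Write-Output "Completed as $($identity.Name) (64-bit host: $([Environment]::Is64BitProcess))"
    exit 0
}
catch {
    # A non-zero exit code (or an unhandled exception) is what the IME reports as a
    # failed script. Say why, so the failure is diagnosable from the .error file.
    Write-Error "Deployment failed: $($_.Exception.Message)"
    exit 1
}
```

If you leave the 64-bit setting at NO and rely on the relaunch, remember the relaunch runs with the same account the IME chose; it changes the host architecture, not the privilege level. Writing a marker value like this also gives you something to check on the device when the Intune portal and the on-device result disagree.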
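To use Enforce script signature check = YES, the uploaded .ps1 has to carry an Authenticode signature the device can validate. This added example (not part of the post) signs a script on the admin workstation with a code-signing certificate from the current user’s store, timestamps it, then re-reads the signature and checks the 200 KB upload limit. The file name Deploy-Sample.ps1 and the DigiCert timestamp URL are assumptions; any RFC 3161 timestamp server your organisation uses will do.

```powershell
# Added example (not from the post): sign a script before uploading it to Intune,
# then verify it the way a device would. Assumes a code-signing certificate is in
# Cert:\CurrentUser\My and that its chain is trusted on the target devices.
param(
    [string]$ScriptPath      = '.\Deploy-Sample.ps1',            # hypothetical file
    [string]$TimestampServer = 'http://timestamp.digicert.com'   # any RFC 3161 TSA
)

# Pick the longest-lived, still-valid code-signing certificate available.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# SHA-256 signature with a timestamp, so the signature stays valid after the
# certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Re-read the signature from disk and check the Intune upload limit.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Script      = $ScriptPath
    Status      = $check.Status                        # Valid on this machine
    Signer      = $check.SignerCertificate.Subject
    Thumbprint  = $check.SignerCertificate.Thumbprint
    Timestamped = [bool]$check.TimeStamperCertificate
    UnderLimit  = (Get-Item $ScriptPath).Length -lt 200KB   # Intune rejects larger files
}
```

Status = Valid here only proves the chain is trusted on the signing machine; the devices need the same root (and, for a non-public CA, the signing certificate in Trusted Publishers) or the IME will refuse the script. Any edit after signing, including whitespace or line-ending changes made by an editor, invalidates the signature, so sign the final file and upload exactly that file.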

Scope Settings
My recommendation is to use Intune scope tags for a better admin experience. If you have not implemented scope tags, feel free to skip this section.
- Click on +Select Scope Tags hyperlink option
- Search for the scope tag to add
- Click on SELECT button
- Click on NEXT button to continue

Assignments
Assignments are the main topic that needs some planning before deploying a PowerShell script using Intune.
I shall keep all the PowerShell script deployment options as Required in most scenarios. I can’t see any reason for having an Available for enrolled devices option for this type of deployment.
- Click on + Select groups to include (Required) – Select the Azure AD group for which you want to make this PowerShell script deployment mandatory. The PS script runs automatically on the enrolled devices in that group.
- Search for Azure AD groups
- Confirm the selected members
- Click on the Select button to continue with the PowerShell script assignment

Complete PowerShell Script Deployment Using Intune
This is the last step of PowerShell script deployment using the Intune Management Extension client.
- Review and confirm whether all the settings are OK.
- If OK, click on the Add button to start the deployment to the targeted devices/users.


IntuneManagementExtension.log Review
Let’s review the IME log files to understand the client-side process of IME PowerShell script deployment. The logs are written to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs on the device. I have tried to remove some details related to the authentication token from the below log snippet.
NOTE! – Are you looking for Intune Management Extension Troubleshooting tips? Here is the post which might help – Level Three (3) IME troubleshooting guide.
- _IntuneManagementExtension.log (previous)
- IntuneManagementExtension.log (current)
[PowerShell] Get 1 policies for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 in session 3
[PowerShell] Policy id 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 has different hash, reset download count. hash in registry is MftX6V79C1A8zxXnRoilDZ2X7E9/mRp7M=, hash in policy is U1i6tNQ0HPZz3sYDRyIrfzo30gciiFaZBm44=
[PowerShell] Policy 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 has download count = 0
[PowerShell] increasing the download count to 1
[PowerShell] After filter, get 1 policies for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 in session 3
[PowerShell] Processing policy with id = 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user
[PowerShell] Policy body = *********** . .
[PowerShell] The policy needs be run as User
[GetElevatedToken] user elevationType is 3
[GetLinkedToken] Creating token handle based on tokenInformation
[GetElevatedToken] Close Handle of UserToken from Session.
[PowerShell] After impersonation: AzureAD\Anoop
[PowerShell] configuring ACL for current user
PowerShell: Enforce signature check = False
PowerShell: Running mode = 0
C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe -powershell "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.ps1" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.output" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.error" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.timeout" 600000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0 0 0]
User profile successfully loaded, the user name is AzureAD\Anoop
environment block is created successfuly.
Launch powershell executor in user session
Create proxy process successfully. process id = 3100
[Win32App] Got result with session id 23ac10e4-8a23-44e3-8fe4-d988726b7633. Result: { "odata.metadata":"https://fef.msuc02.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/$metadata#SideCarGatewaySessions/@Element","odata.id":"urn:StatelessSideCarGatewayService/SideCarGatewaySessions(guid'23ac10e4-8a23-44e3-8fe4-d988726b7633')","Key":"23ac10e4-8a23-44e3-8fe4-d988726b7633","SessionId":"23ac10e4-8a23-44e3-8fe4-d988726b7633","RequestContentType":"RequestApplication","RequestPayload":"","ResponseContentType":"PolicyResponse","ResponsePayload":"gD0AAB
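The log above answers the questions that matter after the fact: which policy ran, as whom, whether signatures were enforced, which host architecture was used and with what timeout. Reading that by eye across a busy device is slow, so here is an added example (not from the post) that parses the CMTrace records the IME writes and produces one summary object per script policy. The on-disk log wraps each message as <![LOG[message]LOG]!><time="..." date="..." component="..." ...>; the sample records below are constructed for this example from the messages in the snippet, with made-up timestamps and the three Results paths shortened.

```powershell
# Added example (not from the post): summarise IME PowerShell script runs from
# IntuneManagementExtension.log (CMTrace format). Sample records are constructed here,
# with invented timestamps and shortened Results paths, from messages seen in the post.
$sampleLog = @'
<![LOG[[PowerShell] Processing policy with id = 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user]LOG]!><time="10:15:01.100+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[[PowerShell] The policy needs be run as User]LOG]!><time="10:15:01.120+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[[PowerShell] After impersonation: AzureAD\Anoop]LOG]!><time="10:15:01.250+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[PowerShell: Enforce signature check = False]LOG]!><time="10:15:01.300+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[PowerShell: Running mode = 0]LOG]!><time="10:15:01.310+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe -powershell "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.ps1" "...output" "...error" "...timeout" 600000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0 0 0]LOG]!><time="10:15:01.400+000" date="02-10-2020" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
'@

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    # One match per CMTrace record; (?s) because a message may span several lines.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*>'
    foreach ($m in [regex]::Matches($Content, $pattern)) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-ImeScriptRunSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $summary = [ordered]@{}
    $current = $null
    foreach ($r in $Records) {
        $msg = $r.Message
        # A "Processing policy" line opens a new policy; later lines belong to it.
        if ($msg -match 'Processing policy with id = (?<id>[0-9a-f-]{36})') {
            $current = $Matches.id
            $summary[$current] = [ordered]@{ PolicyId = $current; Date = $r.Date; Time = $r.Time }
            continue
        }
        if (-not $current) { continue }
        $s = $summary[$current]
        switch -Regex ($msg) {
            'needs be run as (?<ctx>\w+)'         { $s['RunAs'] = $Matches.ctx }
            'After impersonation: (?<user>\S+)'    { $s['ImpersonatedUser'] = $Matches.user }
            'Enforce signature check = (?<v>\w+)'  { $s['SignatureCheck'] = [bool]::Parse($Matches.v) }
            'Running mode = (?<v>\d+)'             { $s['RunningMode'] = [int]$Matches.v }
            'agentexecutor\.exe -powershell "(?<script>[^"]+)" "[^"]+" "[^"]+" "[^"]+" (?<timeout>\d+) (?<host>\S+)' {
                $s['ScriptPath'] = $Matches.script
                $s['TimeoutSec'] = [int]$Matches.timeout / 1000      # 600000 ms -> 600 s
                $s['Host64Bit']  = $Matches.host -notmatch 'SysWOW64' # SysWOW64 = 32-bit host
            }
        }
    }
    foreach ($s in $summary.Values) {
        # Flag the two settings a reviewer most often wants to know about.
        $notes = @()
        if ($s.Contains('SignatureCheck') -and -not $s['SignatureCheck']) { $notes += 'signature check disabled' }
        if ($s.Contains('Host64Bit') -and -not $s['Host64Bit'])           { $notes += '32-bit host (WOW64 redirection applies)' }
        $s['Notes'] = $notes -join '; '
        [pscustomobject]$s
    }
}

$records = ConvertFrom-CmTraceLog -Content $sampleLog
Get-ImeScriptRunSummary -Records $records | Format-List
```

On a real device, feed it the live file instead of the sample: `Get-Content -Raw 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'` (and the rolled-over _IntuneManagementExtension.log), then filter on PolicyId or ImpersonatedUser. Policy GUIDs in the summary line up with the user_policy file names under Policies\Scripts and Policies\Results shown in the agentexecutor command, which is where the .output and .error files for a run end up.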

Results
Let’s see some results of PowerShell script deployment using Intune below.

Resources
- Use PowerShell scripts on Windows 10 devices in Intune
- Intune Enrollment For Windows 10 Azure VM|Azure AD
Hi,
I tried to deploy some scripts. According to the Intune log the scripts are running and the tasks in the scripts are successfully done on the client, but Intune itself always shows a failure. What can I do so that Intune recognizes that the script ran successfully?
greetings
Can you try to ask questions in our forum https://forum.howtomanagedevices.com