How to Deploy PowerShell Script Using Intune |MEM

Learn how to deploy a PowerShell script using Intune through this post. PowerShell scripts are useful in many situations to deliver advanced deployment scenarios under modern management. SCCM also has a powerful PowerShell script deployment method.

Introduction

The Intune PowerShell script deployment mechanism is based on the Intune Management Extension (IME) client. The Intune Management Extension helps to cover advanced deployment scenarios like 3rd party application patching.

When the Intune Management Extension (IME) prerequisites are met, the IME installs automatically when a PowerShell script or Win32 app is assigned to the user or device.

Prerequisites

All the prerequisites for PowerShell script deployment are the same as those of the Intune Management Extension.

The first thing I learned from the Windows Virtual Desktop (WVD) project is that the Intune Management Extension client can’t be installed on the Windows 10 multi-user SKU.

  • Windows 10 version 1703 or later
  • Azure AD Joined Devices
  • Hybrid Azure AD joined Devices
  • Devices Enrolled to Intune
    • GPO Enrollment
    • Manual Enrollment
    • MDM Auto Enrollment
    • Co-Management Enrollment

Create PowerShell Script Using Intune

Let’s test the PowerShell script deployment with Microsoft Intune using the following guide.

Add Script

  • Select Devices > Windows > PowerShell scripts > + Add.
Add Option – PowerShell Script Using Intune

Name & Description

  • Name – Enter the name of the PowerShell script
  • Description – Enter the description of the PowerShell script
  • Click on the NEXT button to continue
Add PowerShell Script Name – PowerShell Script Using Intune

PowerShell Script Settings

Let’s configure the PS script settings for PowerShell Script Using Intune.

  • Specify the PowerShell script file location to upload. The file must be less than 200 KB.
  • Click on the folder icon and browse to the PowerShell script.
  • Select Run this script using the logged on credentials – the default value is NO. If the value is set to NO, the script runs in the system context.
    • If the value is set to YES, the script runs with the logged-on user’s credentials on the Windows 10 computer.

NOTE! – In this post, I’m trying to run a PowerShell script which should run from the user’s context. I selected the value YES for Run this script using the logged on credentials.

  • Select Enforce script signature check – the default value is NO. If you select NO, the script’s signature is not checked.
    • If you select YES, the script must be signed by a trusted publisher. If the script is NOT signed, the deployment won’t happen.
  • Select Run the script in 64-bit PowerShell host – the default value is NO. If you select NO, the script runs in a 32-bit PowerShell host.
    • Select YES to run the script in a 64-bit PowerShell (PS) host on a 64-bit client architecture.
  • Click on NEXT to continue
PowerShell script file location to upload – PowerShell Script Using Intune
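As an added example (not the post’s own script), this is the kind of script body you would upload on this page: it records whether the IME launched it as the logged-on user or as SYSTEM and in a 32-bit or 64-bit host, and returns a non-zero exit code when its work fails. The log file name and the registry key are placeholders chosen for the example.

```powershell
# Added example script body for upload under Devices > Windows > PowerShell scripts.
# It is not from the original post. Log path and registry key are placeholders.
$ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so the catch block sees them
$LogFile = Join-Path $env:TEMP 'intune-context-check.log'  # $env:TEMP is writable in both contexts

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

try {
    # "Run this script using the logged on credentials": NO runs as NT AUTHORITY\SYSTEM
    # (SID S-1-5-18), YES runs under the signed-in user's token (compare the
    # "After impersonation" line in IntuneManagementExtension.log).
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isSystem = $identity.User.Value -eq 'S-1-5-18'
    Write-Log "Running as $($identity.Name); SYSTEM context = $isSystem"

    # "Run the script in 64-bit PowerShell host": NO (default) launches the SysWOW64 host,
    # where 64-bit-only modules and the 64-bit registry view are not what you expect.
    Write-Log "64-bit process = $([Environment]::Is64BitProcess); host = $PSHOME"

    if ($isSystem) {
        # Device-scoped work belongs here. HKCU: in this branch is SYSTEM's hive,
        # not the signed-in user's, which is a common reason a "user" script misbehaves.
        Write-Log 'Device-scoped branch: nothing to do in this example'
    }
    else {
        # User-scoped work: HKCU: is the signed-in user's hive.
        $key = 'HKCU:\Software\ExampleVendor\IntuneScriptDemo'   # placeholder key
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'LastRun' -Value (Get-Date -Format o)
        Write-Log "Wrote LastRun under $key"
    }

    Write-Log 'Completed successfully'
    exit 0      # exit code 0 is what the IME reports back as success
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1      # a non-zero exit code makes the assignment show as failed in Intune
}
```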

Scope Settings

My recommendation is to use Intune scope tags for a better admin experience. If you have not implemented scope tags, feel free to skip this section.

  • Click on the +Select Scope Tags hyperlink
  • Search for the scope tag to add
  • Click on the SELECT button
  • Click on the NEXT button to continue
+Select Scope Tags – PowerShell Script Using Intune

Assignments

Assignments are the main topic for which you need to do some planning before deploying a PowerShell Script Using Intune.

I shall keep all the PowerShell script deployment options as Required in most scenarios. I can’t see any reason for having an Available for enrolled devices option for this type of deployment.

  • Click on + Select groups to include (Required) – select the Azure AD group for which you want to make this PowerShell script deployment mandatory. The PS script runs automatically on enrolled devices.
  • Search for Azure AD groups
  • Confirm the selected members
  • Click on the Select button to continue with the PowerShell script assignment
+ Select groups to include – PowerShell Script Using Intune

Complete PowerShell Script Deployment Using Intune

This is the last step of the PowerShell script deployment using the Intune Management Extension client.

  • Review and confirm whether all the settings are OK.
  • If OK, click on the Add button to start the deployment on the targeted devices/users.
Click ADD – PowerShell Script Using Intune
PowerShell Script Successfully Assigned – Policy Created – PowerShell script successfully Created

IntuneManagementExtension.log Review

Let’s review the IME log files to understand the client-side process of IME PowerShell script deployment. I have removed some details related to the authentication token from the log snippet below.

NOTE! – Are you looking for Intune Management Extension troubleshooting tips? Here is the post which might help – Level Three (3) IME troubleshooting guide.

  • _IntuneManagementExtension.log (previous)
  • IntuneManagementExtension.log (current)
[PowerShell] Get 1 policies for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 in session 3
[PowerShell] Policy id 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 has different hash, reset download count. hash in registry is MftX6V79C1A8zxXnRoilDZ2X7E9/mRp7M=, hash in policy is U1i6tNQ0HPZz3sYDRyIrfzo30gciiFaZBm44=
[PowerShell] Policy 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 has download count = 0
[PowerShell] increasing the download count to 1
[PowerShell] After filter, get 1 policies for user e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1 in session 3
[PowerShell] Processing policy with id = 614bd82b-2a4c-4dd9-8e37-329e5d424e72 for user
[PowerShell]  Policy body = ***********
.
.
[PowerShell] The policy needs be run as User
[GetElevatedToken] user elevationType is 3
[GetLinkedToken] Creating token handle based on tokenInformation
[GetElevatedToken] Close Handle of UserToken from Session.
[PowerShell] After impersonation: AzureAD\Anoop
[PowerShell] configuring ACL for current user
PowerShell: Enforce signature check = False
PowerShell: Running mode = 0
C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe  -powershell  "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.ps1" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.output" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.error" "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\e9c9ed11-cc2e-420b-ab25-e65fcfe66ca1_614bd82b-2a4c-4dd9-8e37-329e5d424e72.timeout" 600000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0 0 0]
User profile successfully loaded, the user name is AzureAD\Anoop
environment block is created successfuly.
Launch powershell executor in user session
Create proxy process successfully.
process id = 3100
[Win32App] Got result with session id 23ac10e4-8a23-44e3-8fe4-d988726b7633. Result: {   "odata.metadata":"https://fef.msuc02.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/$metadata#SideCarGatewaySessions/@Element","odata.id":"urn:StatelessSideCarGatewayService/SideCarGatewaySessions(guid'23ac10e4-8a23-44e3-8fe4-d988726b7633')","Key":"23ac10e4-8a23-44e3-8fe4-d988726b7633","SessionId":"23ac10e4-8a23-44e3-8fe4-d988726b7633","RequestContentType":"RequestApplication","RequestPayload":"","ResponseContentType":"PolicyResponse","ResponsePayload":"gD0AAB
Deploy – PowerShell Script Using Intune
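The IME log lines above carry everything an auditor needs to see how a script policy was actually run: the policy id, the context (user or system), whether the signature check was enforced, which PowerShell host was used and the timeout. The following parser is an added example (not from the post); its sample lines are constructed from the field layout shown above with placeholder GUIDs and shortened paths, and it assumes the CMTrace wrapper has already been stripped so only the message text remains.

```powershell
# Added example, not from the original post. Parses IntuneManagementExtension.log
# message text (CMTrace <![LOG[...]LOG]!> wrapper already stripped) for one script run.
# The sample below is constructed: placeholder GUIDs, user name and shortened paths.
$SampleLog = @'
[PowerShell] Processing policy with id = 11111111-2222-3333-4444-555555555555 for user
[PowerShell] The policy needs be run as User
[PowerShell] After impersonation: AzureAD\ExampleUser
PowerShell: Enforce signature check = False
PowerShell: Running mode = 0
C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe  -powershell  "C:\IME\Scripts\11111111-2222-3333-4444-555555555555.ps1" "C:\IME\Results\a.output" "C:\IME\Results\a.error" "C:\IME\Results\a.timeout" 600000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0 0 0
'@

function Get-ImeScriptRun {
    param([string[]]$Lines)
    $run = [ordered]@{
        PolicyId = $null; RunAs = $null; User = $null
        SignatureCheck = $null; RunningMode = $null; HostIs64Bit = $null; TimeoutSeconds = $null
    }
    foreach ($line in $Lines) {
        # switch -Regex populates $Matches for the pattern that matched
        switch -Regex ($line) {
            'Processing policy with id = ([0-9a-fA-F-]{36})' { $run.PolicyId = $Matches[1] }
            'needs be run as (\w+)'                          { $run.RunAs = $Matches[1] }
            'After impersonation: (.+)$'                     { $run.User = $Matches[1].Trim() }
            'Enforce signature check = (True|False)'         { $run.SignatureCheck = [bool]::Parse($Matches[1]) }
            'Running mode = (\d+)'                           { $run.RunningMode = [int]$Matches[1] }
            'agentexecutor\.exe.*"\s+(\d+)\s+(\S*WindowsPowerShell\\v1\.0)' {
                # the number after the last quoted path is the timeout in milliseconds;
                # a SysWOW64 host directory means the 32-bit PowerShell host was used
                $run.TimeoutSeconds = [int]$Matches[1] / 1000
                $run.HostIs64Bit    = $Matches[2] -notmatch 'SysWOW64'
            }
        }
    }
    [pscustomobject]$run
}

$result = Get-ImeScriptRun -Lines ($SampleLog -split "`r?`n")
$result | Format-List
# Surface the two settings a reviewer most often wants flagged
if (-not $result.SignatureCheck) { Write-Warning "Policy $($result.PolicyId) ran without a signature check" }
if (-not $result.HostIs64Bit)    { Write-Warning "Policy $($result.PolicyId) ran in the 32-bit host" }
```

Point the function at the message text of a real log (one line per entry) to get the same summary per policy run.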

Results

Let’s see some results of PowerShell Script Deployment Using Intune below.

Results – PowerShell Script Using Intune

Resources

2 thoughts on “How to Deploy PowerShell Script Using Intune |MEM”

  1. Hi,

    I tried to deploy some scripts. According to the Intune log the scripts are running and the tasks in the scripts are successfully done on the client, but Intune itself always shows a failure. What can I do so that Intune recognizes that the script runs successfully?

    greetings

