
Deploying PowerShell Scripts using Intune (Windows)

Gareth Oxendine

Updated: Feb 2

SUMMARY:

One of Intune's most powerful tools is allowing administrators to deploy PowerShell scripts to enrolled Windows devices! In this article, I'll provide some generic, but helpful, tips and tricks for deploying PowerShell scripts using Intune.



Prerequisites

Since the default execution policy on Windows client devices is Restricted (meaning no scripts are allowed to run), you may need to use a configuration profile to set the execution policy on your devices. See the link below to learn how to set the execution policy with Intune and a Configuration Profile:

NOTE:

If your organization's execution policy is AllSigned or RemoteSigned, you may have to sign your PowerShell scripts and then deploy your public-key certificate to the devices' Trusted Publishers store. Click the links below to learn how:
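The checks an administrator would run before deploying to an AllSigned or RemoteSigned environment, as an added example (not from the original article): list the effective execution-policy scopes, sign the script, verify the signature is Valid, and confirm the signer is in the device's Trusted Publishers store. The script path, the presence of a code-signing certificate in the current user's store, and the timestamp server are assumptions.

```powershell
# Added example: pre-deployment signing and trust checks for an Intune platform script.
# Assumptions: the script lives at C:\Scripts\Deploy-Setting.ps1 and a code-signing
# certificate is available in Cert:\CurrentUser\My.

$ScriptPath = 'C:\Scripts\Deploy-Setting.ps1'   # assumed path

# 1. Show every execution-policy scope. PowerShell applies the first scope, top to bottom,
#    that is not Undefined, so an MDM/Group Policy MachinePolicy overrides LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Sign the script. -CodeSigningCert is a Cert: provider filter for certificates with
#    the Code Signing enhanced key usage.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null   # timestamp server assumed

# 3. Verify. Anything other than Valid (NotSigned, HashMismatch, UnknownError, NotTrusted)
#    means an AllSigned/RemoteSigned device will refuse to run the script.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# 4. Confirm the signer's certificate is in the machine Trusted Publishers store, which is
#    what the article says to deploy alongside signed scripts.
$thumb   = $sig.SignerCertificate.Thumbprint
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
           Where-Object { $_.Thumbprint -eq $thumb }
if ($trusted) {
    "Signer $thumb is trusted on this device."
} else {
    "Signer $thumb is NOT in Cert:\LocalMachine\TrustedPublisher; deploy the certificate first."
}
```

Run step 4 on a test device that has received your certificate configuration profile; a missing entry there explains most "signed but still blocked" failures.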

Some Things to Note

  • If a script fails or errors out, Intune will retry it three more times, once at each subsequent check-in. If the script is still unsuccessful after that, Intune will not try again; you must either change the script or delete and re-upload it.

  • Once a script succeeds, it will not run again on the device unless there is a change made to the script or policy.

  • If you need a script to run repeatedly (e.g., once a month), you'll have to delete the script instance and follow the steps listed below to re-add it. Note that you cannot simply re-upload the script file to the same script instance in Intune; you must delete the script instance and re-create it. Another option is to use the Remediations tab rather than the Platform Scripts tab. Remediation scripts can run on a schedule, but your environment must have the required Microsoft licenses. Click here to learn more.


Steps to Upload and Deploy Your Script

Adding a Script using Microsoft Endpoint Manager (Intune)
  • Open the Endpoint Manager (Intune) portal.

  • Select Devices in the left-hand menu blade.

  • Select Windows > Scripts & Remediations.

  • Select the Platform Scripts tab.

  • Select + Add.


  • Run this script using the logged on credentials

    • Yes: the script will run under the user context (from C:\Users\username); the script will only run with elevated privileges if the user has local admin rights to the computer.

    • No: the script will run under the system context (from C:\System32); the script will always run with elevated privileges.

IMPORTANT:

Before choosing one or the other, think about the commands in your script and whether they have to run under one context or the other. You must ask yourself two questions:


  • Do any of the commands in my script need to be run with elevated permissions?

  • Do any of the commands in my script need to be run under the user context?

For example, if your script includes a command that copies a file to the user's directory, you will most likely use an environment variable in the file path such as %userprofile% or $env:username. If you run that script under the system context, the variable resolves to the SYSTEM account's profile instead of the logged-on user's, so the command won't work as expected.
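A script that handles the two questions above at run time, as an added example (not the article's own code): it detects whether Intune launched it as SYSTEM or as the logged-on user, resolves the correct profile folder in either case, and records whether it is elevated. The staging file path, the destination folder name, and the assumption that a single interactive session is logged on are all hypothetical.

```powershell
# Added example: context-aware copy of a file into the logged-on user's profile.
# Works whether "Run this script using the logged on credentials" is Yes (user context)
# or No (system context). Assumed paths: C:\ProgramData\Contoso\settings.json is staged by
# an earlier deployment; the destination is %LOCALAPPDATA%\Contoso.

$SourceFile = 'C:\ProgramData\Contoso\settings.json'   # assumed staging location

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

if ($identity.IsSystem) {
    # System context: $env:USERPROFILE is the SYSTEM profile, so find the interactive user
    # via the owner of explorer.exe (assumes one logged-on session) and map the SID to a
    # profile path through the ProfileList registry key.
    $owner = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
             Select-Object -First 1 | Invoke-CimMethod -MethodName GetOwner
    if (-not $owner -or $owner.ReturnValue -ne 0) {
        Write-Output 'No interactive user is logged on; nothing to do'
        exit 1   # non-zero exit makes Intune report failure and retry at the next check-in
    }
    $account = New-Object System.Security.Principal.NTAccount("$($owner.Domain)\$($owner.User)")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $profilePath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath
    $elevated = $true
} else {
    # User context: the environment variable is correct, but the script is only elevated
    # if this user happens to be a local administrator.
    $profilePath = $env:USERPROFILE
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

Write-Output "Context: $($identity.Name)  Elevated: $elevated  Profile: $profilePath"
if (-not $elevated) {
    Write-Output 'Not elevated: any machine-wide change in this script would fail here'
}

$dest = Join-Path $profilePath 'AppData\Local\Contoso'   # assumed destination folder
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path $SourceFile -Destination $dest -Force
Write-Output "Copied $SourceFile to $dest"
exit 0
```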

  • Enforce script signature check

    • Yes: choose this option if you sign your PowerShell scripts

    • No: choose this option if you do NOT sign your PowerShell scripts


Once you've uploaded the script and configured the settings, add the appropriate assignment and finalize the deployment!


When Will the Computer Receive & Execute the Script?

The assigned computers will receive and execute the script the next time they check in with Intune; remember that devices sync with Intune every eight hours. Also, the end user can manually initiate a sync using the Windows Settings app or the Intune Company portal app, or as the administrator, you can force sync devices using the Intune portal or a PowerShell script. To learn more about using a PowerShell script to sync multiple devices at once, click the link below:

TIP:

If a script does not execute even after a device checks in with Intune, try rebooting the device.



3 Comments


Guest
2 hours ago

Thanks for your knowledge sharing. I have one query: if we have to uninstall 3-4 HP apps on user devices via a script from Intune, I believe winget works in the user context, not the system context. The user does not have admin rights on the machine. How do we modify the script, or how do we run those winget uninstallation commands on the user's device via Intune?


Ram
9 hours ago

Is it possible to get a report showing whether the script succeeded or failed on each Windows device? Or is it possible to store the script output?


Gareth Oxendine
4 hours ago
Replying to Ram

Hi Ram! I'm unsure of a way to view the script output of failed or successful scripts. Personally, I try running the PowerShell script interactively on a computer that failed using PowerShell ISE to see what the error is. Many times, fixing the script for one computer and then redeploying it will fix it for others. This may not be possible in your environment, but I hope it helps if you are trying to troubleshoot failing scripts.




© 2024 by DMTT
