Deploy Powershell Script using Intune
After knowing all enrollment options to enroll Windows 10 or Windows 11 devices to Intune, we will now start learning how to manage Intune enrolled devices.
In this post, we will learn about how to push powershell script from MEM console and what options we have to configure.
Intune Management Extension(IME)
Before we start understanding how to push PS script. we should know about what is Intune Management Extension(IME) service/agent, how this agent useful for any Powershell script deployment. Actually, we need not to worry about how IME gets installed or how it works in backend.
So in short, I would say that IME is service which gets installed automatcially to the devices whenever we assign any powershell script to the user or device. So basically, Intune enrolled device utilizes IME service for Powershell script deployment.
Pre-requisites
Let’s understand what are the pre-requisites for script deployment. Any of the below pre-requites should be met before we depoy any PS script-
- Client machine must be running with Windows 10 version 1607 or later.
- Devices must be joined to Azure Active Directory
- Devices must be registered to Azure Active Directory.
- Devices must be enrolled into Intune.
- Co-managed devices are also supported.
Prepare PowerShell Script
If you have your PowerShell script, you can upload same. Here, I am creating test script that will create registry entries. This is only for testing purpose. Save the below script as PStest1.ps1 and then you can upload it in Intune.
New-Item -Path HKCU:\SOFTWARE\PStest
Set-ItemProperty HKCU:\Software\PStest -Name Username -Value "NkCloud" -Type String
Set-ItemProperty HKCU:\Software\PStest -Name Version -Value "20" -Type Dword
Steps required
Step 1: Sign in to the MEM Console.
Step 2: Select Devices > Scripts > Add > Windows 10 and later.
Step 3: In Basics, provide the Name of the script(PStest1.ps1), Description and Click Next.
Step 4: In Script settings, enter the following properties, and select Next
- Script Location: Browse the PowerShell script where you placed it, and the script must be less than 200 KB.
- Run the script using the logged-on credentials: Select Yes to run the script on the user credential’s. Or, select No (default); it will run in a system context. The administrator must decide on this setting according to the requirements.
- Enforce script signature check: Select Yes if the script is signed by a trusted publisher, else, select No (default) if there is no requirement.
- Run the script in a 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client. Else, select No (default) to run the script in a 32-bit of PowerShell host.
For our example, we want to set a registry key so we are taking 64-bit.
Step 4: In Scope tag, leave as blank for now. For your learning, please refer this MS article.
Step 5: Select Assignments > Select groups to include and select Next.
Step 6: In Review + add, a summary is shown of the settings you configured. Select Add to save the script.
Monitor
You can monitor the run status of the PowerShell scripts for users and devices in the Intune portal. Go to Devices > Scripts, select your script. Then choose Monitor & see the below reports.
-Device Status -User Status
Troubleshoot
Once you deployed PS script, whenever device will sync policies next time, it will auto try to install your script(3 attempts Max in every hour in case of failure). If you are in testing phase and impatient as me, try to push the sync from Intune Or if you have remote of the device, you can sync from setting>Account>Access work or school> Info > Sync or the best option is restarting Micrsosft Intune Management Extension service.
Once it starts installation, you can track the installation using IntuneManagementExtension.log (Use CMtrace tool for good view) in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
And if you find no errors in log, please check the registry entry in regedit.
