Let’s find out the Best Way to Deploy Powershell Script using Intune. First, we can use Intune to upload the PowerShell scripts and then run the scripts on Windows 10 devices. Microsoft Intune management extension enhances the Windows device management, making life easy to move to modern management.
This feature also applies to Windows 10 and later versions (excluding Windows 10 Home). The Intune PowerShell script deployment is done using Intune management extension agent. This is an additional agent that gets automatically deployed to Intune managed devices.
Note:! If you assign the PowerShell script or Win32 app to the users or devices as part of prerequisites, the Intune Management Extension will install automatically in the system.
- If you assign the PowerShell scripts on user context and if the user has admin rights, then by default, the PowerShell script will run with administrator privilege.
- PowerShell script will run for every new user when they signed in to a shared device.
- PowerShell script can be executed without user login if the script is assigned to a device.
- PowerShell script will be executed first, and then the Win32 app will run.
- Intune management extension agent will check with Intune every hour if any changes are made on the script or assigned any new script. Even this process will run on the machine after every reboot.
- PowerShell scripts will time out after 30 minutes.
Prerequisites to Deploy PowerShell Script using Intune
Below prerequisites are required to install the Intune management extension. One of the prerequisites must be met to run the PowerShell script or Win32 app.
- The machine must be running with Windows 10 version 1607 or later. If devices are enrolled using bulk auto-enrollment, then they must be running with Windows 10 version 1709 or later.
- Devices must be joined with Azure Active Directory, including Hybrid Azure AD joined.
- Devices must be registered with Azure Active Directory.
- Devices must be enrolled into Intune.
- Co-managed devices are also supported.
Deploy PowerShell Script Using Intune (MEM)
The following steps will help you to upload the PowerShell to Intune (MEM portal).
- Sign in to the Microsoft Intune Admin or Endpoint.microsoft.com
- Select Devices > Scripts.
- Click on Add > Select Windows 10.
- In Basics provide the Name of the script and Description is optional > Click Next.
In Script Settings enter the below information according to the requirement and click Next. Follow steps to upload PowerShell.
- Script Location: Browse the PowerShell script where you placed it, and the script must be less than 200 KB.
- Run the script using the logged on credentials: Select Yes to run the script on the user credential. Else, select No (default); it will run on system context. The administrator must decide this setting according to the requirements.
- Enforce script signature check: Select Yes if the script is signed by a trusted publisher, else select No (default) if there is no requirement.
- Run script in 64-bit PowerShell host: Select Yes to run the script in 64-bit PowerShell host on a 64-bit client. Else, select No (default) to run the script in a 32-bit of PowerShell host.
- Select Scope tags, this is optional. According to the requirements Select an existing scope tag from a list if you created earlier. Then click Next when you’re ready.
Deployment Setting – Assignment Details
Now we are to Deploy PowerShell Script using Intune. You need to decide whether this PS script should get deployed to Azure AD User Group or Device Group.
- Select Assignments > select Included groups > Click Add groups. Select the appropriate group which you want to deploy and click Next. Also, you can select multiple groups.
- In Review + add, it will show you the settings you have configured. Select Add to save the script and after that the policy will be deployed to the assigned groups.
- You can see the script in Devices > Scripts section.
How to Monitor the run status in Intune Portal
Let’s see how to monitor the run status of the PowerShell script. You can monitor the run status of the PowerShell scripts for users and devices in the Intune portal.
- Select the script which you created under Devices > Scripts. Then choose Monitor and see the below reports.
- Device Status
- User Status
How to check Intune Management Extension Logs
Intune Management Extension agent logs will be available on client machines under this location: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
For more details on troubleshooting, you can refer to this Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide.