Let’s find out the Best Way to Deploy Powershell Script using Intune. First, we can use Intune to upload the PowerShell scripts and then run the scripts on Windows 10 devices.
Microsoft Intune management extension enhances the Windows device management, making life easy to move to modern management. This feature also applies to Windows 10 and later versions (excluding Windows 10 Home).
The Intune PowerShell script deployment is done using Intune management extension agent. This is an additional agent that gets automatically deployed to Intune managed devices.
Note:! If you assign the PowerShell script or Win32 app to the users or devices as part of prerequisites, the Intune Management Extension will install automatically in the system.
- 1) If you assign the PowerShell scripts to the user context and if the user has admin rights, then by default, the PowerShell script will run with administrator privilege.
- 2) PowerShell script will run for every new user when they sign in to a shared device.
- 3) PowerShell script can be executed without user login if the script is assigned to a device.
- 4) PowerShell script will be executed first, and then the Win32 app will run.
5) Intune management extension agent will check with Intune every hour if any changes are made to the script or assigned any new script. Even this process will run on the machine after every reboot.
- 6) PowerShell scripts will time out after 30 minutes.
Prerequisites to Deploy PowerShell Script using Intune
Below are the prerequisites required to install the Intune management extension. One of the prerequisites must be met to run the PowerShell script or Win32 app.
- The machine must be running with Windows 10 version 1607 or later. If devices are enrolled using bulk auto-enrollment, they must be running with Windows 10 version 1709 or later.
- Devices must be joined with Azure Active Directory, including Hybrid Azure AD joined.
- Devices must be registered with Azure Active Directory.
- Devices must be enrolled into Intune.
- Co-managed devices are also supported.
Deploy PowerShell Script Using Intune (MEM)
The following steps will help you upload the PowerShell to Intune (MEM portal).
- Sign in to the Microsoft Intune Admin or Endpoint.microsoft.com
- Select Devices > Scripts.
- Click on Add > Select Windows 10.
In Basics, provide the Name of the script, and the Description is optional > Click Next.
In Script Settings, enter the below information according to the requirement and click Next. Follow the steps to upload PowerShell.
- Script Location: Browse the PowerShell script where you placed it, and the script must be less than 200 KB.
- Run the script using the logged-on credentials: Select Yes to run the script on the user credential. Else, select No (default); it will run in a system context. The administrator must decide on this setting according to the requirements.
- Enforce script signature check: Select Yes if the script is signed by a trusted publisher, else, select No (default) if there is no requirement.
- Run the script in a 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client. Else, select No (default) to run the script in a 32-bit of PowerShell host.
- Select Scope tags, this is optional. Select an existing scope tag from a list you created earlier according to the requirements. Then click Next when you’re ready.
Deployment Setting – Assignment Details
Now we are to Deploy PowerShell Script using Intune. You need to decide whether this PS script should get deployed to Azure AD User Group or Device Group.
- Select Assignments > select Included groups > Click Add groups. Select the appropriate group which you want to deploy and click Next. Also, you can select multiple groups.
In Review + add, it will show you the settings you have configured. Select Add to save the script, and after that, the policy will be deployed to the assigned groups.
You can see the script in the Devices > Scripts section.
How to Monitor the run status in Intune Portal
Let’s see how to monitor the run status of the PowerShell script. You can monitor the run status of the PowerShell scripts for users and devices in the Intune portal.
- Select the script which you created under Devices > Scripts. Then choose Monitor and see the below reports.
- Device Status
- User Status
How to check Intune Management Extension Logs
Intune Management Extension agent logs will be available on client machines under this location: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
For more details on troubleshooting, you can refer to this Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide.
Resources
Add PowerShell scripts to Windows 10 devices in Microsoft Intune – Azure | Microsoft Docs
Author
Debabrata Pati has more than 7+ years of experience in IT. Skilled in MEMCM, Azure, and Powershell. More than five (5) years of experience in MEMCM (SCCM) administration, OSD, and Troubleshooting for the environment with more than 100K client devices.
Anoop,
I want to be specific, whether this powershell script should be applied to devices or users? For example changing the admin account password on a local machine what would be the best option (User Group or Device Group)?
Tom,
When you’re considering where to apply a PowerShell script, specifically one that modifies local machine settings such as changing the admin account password, you should target the device itself rather than the user.
Here’s why:
Scope of Impact:
Changing a local machine’s admin password is a device-specific operation. The password change impacts the machine, not the user’s profile or account in Azure AD or on-premises AD. Hence, applying this at a device level ensures that the change affects the intended target: the machine.
Security Consideration:
Applying a script that changes local admin passwords to a user group can inadvertently impact machines the user logs into if they log into multiple devices. This may not be the desired effect. Targeting the device directly ensures precision.
Principle of Least Privilege:
The operation pertains to device configuration. It’s a best practice to limit the scope of scripts to the smallest necessary target. If the intent is to change a setting on a device, then target the device group.
I need help as the GUI is changed for “scripts” option now. On the basis of Tenable report, I want to push a powershell script to the affected Windows 11 devices to uninstall the vulnerable MS store apps such as Paint 3D, VP9, HEIF etc. I know that we can find the installed version with the command Get-AppxPackage -AllUsers *paint*
Similarly we can find the the installed version for HEIF with the command Get-AppxPackage -AllUsers *HEIF*
Sometimes the store apps doesn’t get uninstalled easily with generic commands because those are installed in user context. So we use the below 2 commands to uninstall it properly from all user profiles in 1 go.
Add-AppxPackage “C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.63001.0_x64__8wekyb3d8bbwe\AppxManifest.xml” -Register -disabledevelopmentmode
Get-AppxPackage -PackageTypeFilter Main, Bundle, Resource -AllUsers| Where-Object {$_.PackageFullName -like “*HEIF*”} | Remove-AppxPackage -AllUsers
How can I write these things in 2 parts now? I see there are “Detection script file” and “Remediation script file” in Intune -> Devices -> Scripts and remediations. My requirement is to append the vulnerable MS store apps in powershell script as and when I get it in tenable report every month so day by day the script will be growing as vulnerable applications with older versions will be getting added. I believe I can write the last 2 commands in a powershell script and then browse that file under “Remediation script file”.
What to be written in “Detection script file”?
What to be written in “Remediation script file” if my above understanding is wrong?