Enable SCCM Run scripts Feature from Intune Portal | ConfigMgr

Microsoft recently released a new feature with the Tenant attach rollup hotfix (KB4580678) for Configuration Manager CB, version 2006. This KB helps you enable the SCCM Run Scripts feature from the Intune portal (a.k.a. Microsoft Endpoint Manager admin center) and also fixes some issues related to tenant attach.

KB4580678 is a feature enablement hotfix, which has not been very common in the SCCM world until now. The new feature allows admins to use the Intune portal (MEM admin center) to initiate Run Script functionality without logging into the SCCM console.

This update is available in the Updates and Servicing node of the ConfigMgr console for environments that completed the tenant attach process and were installed by using an early update ring or globally available builds of version 2006.

Announcement

This was announced by Rob York, Program Manager for Microsoft Endpoint Manager on OSD, CMG, and codifying of Windows management.

It seems Microsoft is adding cloud value features for Help Desk personas once the ConfigMgr environment has completed Tenant Attach.

Issues Fixed with KB 4580678

Apart from enabling the option to run a script from the Intune portal, this hotfix fixes some known issues with tenant attach.

  • Features, such as Scripts, in the admin center, do not appear for users that are assigned to all security scopes but are not full administrators.
  • Internet-based links to approve or deny user application requests via email fail in ConfigMgr, version 2006.
    • This occurs for internet-based clients managed with a cloud management gateway (CMG).
    • The administrator will receive an HTTP Error 400 when clicking the email link.
  • The online status listed for devices on the internet connecting via a cloud management gateway (CMG) in the ConfigMgr console may be incorrect.

Prerequisite

To Enable the SCCM Run scripts Feature from Intune Portal, you need to have the following things completed.

  • All of the prerequisites for Tenant attach.
  • A minimum of ConfigMgr version 2006 with KB4580678 – Tenant attach rollup for ConfigMgr 2006 installed.
  • All sites in the hierarchy must meet the minimum ConfigMgr version requirement. And that is SCCM 2006.
  • ConfigMgr clients must be running the latest client version. I do NOT think there is any client-side update available for KB4580678. Hence, check whether your client version is the latest one mentioned in the GA of ConfigMgr 2006.
  • To run PowerShell scripts, the client must be running PowerShell version 3.0 or later.
  • At least one script that is already created and approved in ConfigMgr.
    • Scripts that have parameters aren’t supported at this time and won’t be visible in the Intune Portal (Microsoft Endpoint Manager admin center).
    • Only scripts that are already created and approved appear in the admin center (a.k.a Intune Portal).
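
The visibility rules above (approved, no parameters) decide which scripts help desk users can launch from the admin center, so it is worth reviewing that set before installing the hotfix. The following is an added example, not code from the original post or from Microsoft: the function name is hypothetical, the property names and ApprovalState values are assumed to match the SMS_Scripts objects returned by Get-CMScript, and the sample rows are constructed.

```powershell
# Added example: classify ConfigMgr scripts by whether they would be offered
# in the admin center under the rules above (approved AND no parameters).
# Assumption: input objects expose ScriptName, ApprovalState, ParamsDefinition,
# Author and Approver, as on the SMS_Scripts class.
function Get-AdminCenterScriptExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$InputObject
    )
    begin {
        # Assumed ApprovalState values: 0 = waiting, 1 = declined, 3 = approved
        $stateName = @{ 0 = 'Waiting'; 1 = 'Declined'; 3 = 'Approved' }
    }
    process {
        $state     = [int]$InputObject.ApprovalState
        $hasParams = -not [string]::IsNullOrWhiteSpace($InputObject.ParamsDefinition)
        $approved  = ($state -eq 3)
        [pscustomobject]@{
            ScriptName   = $InputObject.ScriptName
            Approval     = if ($stateName.ContainsKey($state)) { $stateName[$state] } else { "Unknown($state)" }
            HasParams    = $hasParams
            # Per the prerequisites: only approved, parameterless scripts appear
            Visible      = $approved -and (-not $hasParams)
            # Extra review flag: author approved their own script
            SelfApproved = $approved -and ($InputObject.Author -eq $InputObject.Approver)
            Author       = $InputObject.Author
            Approver     = $InputObject.Approver
        }
    }
}

# Constructed sample data so the example runs without a site connection.
$sample = @(
    [pscustomobject]@{ ScriptName = 'Restart-Spooler'; ApprovalState = 3; ParamsDefinition = '';           Author = 'CONTOSO\alice'; Approver = 'CONTOSO\bob' }
    [pscustomobject]@{ ScriptName = 'Clear-CCMCache';  ApprovalState = 3; ParamsDefinition = '';           Author = 'CONTOSO\carol'; Approver = 'CONTOSO\carol' }
    [pscustomobject]@{ ScriptName = 'Set-RegValue';    ApprovalState = 3; ParamsDefinition = 'PHBhcmFtcz4='; Author = 'CONTOSO\alice'; Approver = 'CONTOSO\bob' }
    [pscustomobject]@{ ScriptName = 'Get-DiskInfo';    ApprovalState = 0; ParamsDefinition = '';           Author = 'CONTOSO\dave';  Approver = '' }
)

$sample | Get-AdminCenterScriptExposure |
    Sort-Object Visible -Descending |
    Format-Table ScriptName, Approval, HasParams, Visible, SelfApproved -AutoSize

# Against a live site (ConfigurationManager module loaded, site drive current):
#   Get-CMScript | Get-AdminCenterScriptExposure
```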

NOTE! – Permissions for tenant attach have been updated. You don’t need to give permissions to the Configuration Manager Microservice. See https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/client-details#permissions

Permissions Required

  • The admin user who runs the script needs the following SCCM (a.k.a. ConfigMgr) access rights:

| Category | Permission | State |
|---|---|---|
| Collection | Run Script | Yes |
| Site | Read | Yes |
| SMS Scripts | Create | Yes |
| SMS Scripts | Read | Yes |

  • Intune Portal (Admin center) access rights are required to run the script from the Microsoft Endpoint Manager admin center.
  • The Admin User role for the Configuration Manager Microservice application in the Azure AD portal.
    • Add the role in Azure AD from Enterprise applications > Configuration Manager Microservice > Users and groups > Add user

Install KB4580678 to Enable Run Script

Let’s install the KB from the ConfigMgr console to enable the new feature in the Intune portal. The new feature will allow admins to use the Intune portal (MEM admin center) to initiate Run Script without logging into the SCCM console.

The summary of the update package installation for Configuration Manager 2006 is given in the following post 👉👉 update installations.

  • Install Update Package Configuration Manager 2006 Hotfix (KB4580678)
  • Prerequisite warnings will be ignored
  • Test a new version of the client in production

Client-Side Update

  • There is no client-side update for the KB4580678.
  • The full version of the site server got updated to – 5.00.9012.1028.
  • No update is required for the SCCM console after installing KB4580678.

NOTE! – The site version is not changed under Site Configuration – Sites. After the installation of KB4580678, the site version and build number remain the same 👉 5.00.9012.1000!


Run a Script Uploaded to SCCM via Intune Portal

  1. Open https://endpoint.microsoft.com with an admin user ID that is already discovered via SCCM Azure AD User Discovery.
  2. Select Devices then All Devices.
  3. Select a device that is synced from SCCM via tenant attach.
  4. Select Scripts.
  5. Click on the Run Scripts button to view all the approved scripts.
