Learn how to create and deploy SCCM PowerShell Script to uninstall applications without creating packages. How to uninstall 7Zip from all your managed devices from SCCM without using packages. In this post, I’ll explain how to deploy a PowerShell script via SCCM to remove the 7Zip application (using SCCM run script option) from Windows devices.
NOTE! – I know Win32_Product is EVIL and I used that WMI class to remove already installed application. This post is just an example how to use SCCM Script Deployment options.
Introduction
System Center Configuration Manager (SCCM) has an integrated ability to run PowerShell scripts. This feature was first introduced in version 1706 as a pre-release. Beginning with version SCCM 1802 (more details about SCCM version), this feature is no longer a pre-release feature. Create and deploy SCCM PowerShell Script using the script method. SCCM PowerShell Script Deployment without Creating Package is explained in this post.
There is an ability to run PowerShell scripts (SCCM run script) on Client devices using SCCM administrator console. The script can run either to a specific device or to the specific collection. The script deployment option from collection makes it easier to automate the task. The example: uninstall the application or restart the service to all client devices.
- Related Post – SCCM Run PowerShell Script Directly from Collections
- Related Post – Real-Time Graphical Representation SCCM Run Script Results
Prerequisites
Currently, SCCM support only PowerShell Scripts using SCCM run script. The following prerequisites should be in place to SCCM run the script options:
- The client device must be running PowerShell version 3.0 or later
- The client device must be running with SCCM 1706 client version or later
SCCM Run Script Authors and Approvers
SCCM Run Script uses the concept of script authors and script approvers as separate roles for implementation and execution of a script. Having the author and approver roles separated allows for a vital process check for the powerful tool that Run Scripts is.
There is an additional script runners role that allows execution of scripts, but not the creation or approval of scripts. You can create and deploy SCCM PowerShell Script using SCCM run script options in the software library. Uninstall 7Zip application with PowerShell Command line from SCCM.
Enable the Script authors to require additional script approver in Hierarchy settings for site server. The further approval and RBAC are to make sure the security part of running the script from the SCCM console. This process is essential for SCCM PowerShell Script Deployment without creating Package.
Additional Approvers – SCCM PowerShell Script
Security Permissions to Create and Deploy SCCM Run Script
In General, there are three (3) SCCM security roles are needed,
- Script Runners
- Script Authors
- Script Approvers
These three security roles used for running scripts are not created by default in SCCM. Please refer the below Roles to be configured. Additional notify permissions are added in SCCM 1810 version on wards.
Role Name: Script Runners
- Description: These permissions enable this role to only run scripts that were previously created and approved by other roles.
- Permissions: Ensure the following are set to Yes.
Description: These permissions enable this role is only to run scripts that were previously created and approved by other SCCM admins.
Permissions: Ensure the following settings set to Yes.
| Category | Permission | State |
| Collection | Run Script | Yes |
| Site | Read | Yes |
| SMS Scripts | Create | Yes |
| SMS Scripts | Read | Yes |
Role Name: Script Authors
- Description: These permissions enable this role to author scripts, but they can’t approve or run them.
- Permissions: Ensure the following permissions are set.
| Category | Permission | State |
| Collection | Run Script | No |
| Site | Read | Yes |
| SMS Scripts | Create | Yes |
| SMS Scripts | Read | Yes |
| SMS Scripts | Delete | Yes |
| SMS Scripts | Modify | Yes |
Role Name: Script Approver
- Description: These permissions enable this script approver role to approve scripts, but they can’t create or run them.
- Permissions: Ensure the following permission values are set to YES or NO respectively.
| Category | Permission | State |
| Collection | Run Script | No |
| Site | Read | Yes |
| SMS Scripts | Read | Yes |
| SMS Scripts | Approve | Yes |
| SMS Scripts | Modify | Yes |
How to Create SCCM PowerShell Script (SCCM Script)?
In this scenario, need to uninstall 7-Zip application (using PowerShell commandlets) in entire SCCM environment.
PowerShell Script (EVIL?)
$app = Get-WmiObject -Class Win32_Product -Filter “Name = ‘7-Zip 18.05 (x64 edition)'”
$app.Uninstall()
- In the SCCM console, click Software Library.
- In the Software Library workspace, click Scripts.
- On the Home tab, in the Create group, click Create Script.
- On the Script page of the Create Script wizard, configure the following settings:
- Enter the Script Name and PS Script
- Click Next
- Review the information and Click Next
- Script is created successfully, Click Close
How to Approve or Deny Script – SCCM PowerShell Script
Once the script is created and needs to approve the approver, it’s essential to have an SCCM script approval process in place so that you can make sure that there are no issues with the script.
To Approve the Script:
- Launch the SCCM Console
- In the SCCM console, click Software Library
- In the Software Library workspace, click Scripts
- Select the Script and Click Approve/Deny in the top ribbon menu
Approved – SCCM Script
- Review the Script details, Click Next
Create SCCM PowerShell Script
- Select Approve and then Click Next
Approve SCCM PowerShell Script
- Select Approve and then Click Next
- The Script is approved by the Approver, Click Close
SCCM PowerShell Script
- View the approval status in the console
How to Run a Script from SCCM Console
- After approving the script, Select the Collection or a Client Device
- Right click – Select Run Script options
RUN – SCCM PowerShell Script
- Select the Script and then Click Next
- Review the details, click Next
- Task is created and script is executed in the client device.
Results – SCCM PowerShell Script
How to Perform Script Monitoring from SCCM Console
To Monitor the Script execution status in the Configuration Manager (SCCM) console. SCCM PowerShell Script monitoring is also important, and it’s easy to monitor the script results in the latest versions of SCCM.
Client Side Logs
To view the status of Script execution in client side, refer the below client logs
CCMNotificationAgent.log
Script.log
Resources
- Related Post – Run SCCM PowerShell Script Directly from Collections
- Related Post – Real-Time Graphical Representation SCCM Run Script Results
- What’s New With SCCM’s Client Notification Feature – Here
Hi Kannan,
Few months back, I wrote about same feature by adding few SQL tables which are related to scripts feature.
https://gallery.technet.microsoft.com/ConfigMgr-Full-Feature-181a236e
Also, please mention devices which are found offline for one hour time period, we need to re-run the scripts.
-Praveen
Good Article Kannan. But querying Win32_Product WMI class not recommended. https://support.microsoft.com/en-gb/help/974524/event-log-message-indicates-that-the-windows-installer-reconfigured-al
After several Google searches I still do not know how to “Launch the SCCM Console”. Is it an .EXE file?? Where is it??
Let me try this with you over here https://www.anoopcnair.com/install-sccm-console-remotely/
is there an option to run the powershell script as administrator through SCCM?
How does SCCM actually deploy the scripts and return data? I have a thousand clients that I’d like to run a simple script on, such as checking if a service exists. Does SCCM blast the script to each client, have the local system run it, and then return the data using the CCMExec service? I don’t want to cause an I/O storm, but I can’t find much information on specifically how it works.
The architecture of SCCM Fast Channel deployments are explained here https://www.anoopcnair.com/troubleshoot-sccm-fast-channel-push-notification-issues/