SCCM Run Script Deployment Step by Step Guide – Uninstall 7Zip without Package

Learn how to create and deploy SCCM PowerShell Script to uninstall applications without creating packages. How to uninstall 7Zip from all your managed devices from SCCM without using packages.

This post will explain how to deploy a PowerShell script via SCCM to remove the 7Zip application (using the SCCM run script option) from Windows devices.

You can refer to SCCM CB Run PowerShell Script Directly from the Collection post to get more details about the run PowerShell script option. There are also posts about PowerShell script deployment feature architecture and troubleshooting guide.

NOTE! – I know Win32_Product is EVIL, and I used that WMI class to remove an already installed application. This post is just an example of how to use SCCM Script Deployment options.

Introduction

System Center Configuration Manager (SCCM) has an integrated ability to run PowerShell scripts. This feature was first introduced in version 1706 as a pre-release. This feature is no longer a pre-release feature, beginning with version SCCM 1802 (more details about the SCCM version).

Create and deploy SCCM PowerShell Script using the script method. SCCM PowerShell Script Deployment without Creating Package is explained in this post.

There is an ability to run PowerShell scripts (SCCM run script) on Client devices using the SCCM administrator console. The script can run either to a specific device or a specific collection.

The script deployment option from collection makes it easier to automate the task. The example: uninstall the application or restart the service to all client devices.

Related Post – SCCM Run PowerShell Script Directly from Collections and Real-Time Graphical Representation SCCM Run Script Results

Prerequisites

Currently, SCCM support only PowerShell Scripts using SCCM run script. The following prerequisites should be in place to SCCM run the script options:

1. The client device must be running PowerShell version 3.0 or later
2. The client device must be running with SCCM 1706 client version or later

SCCM Run Script Authors and Approvers

SCCM Run Script uses the concept of script authors and script approvers as separate roles for the implementation and execution of a script. Having the author and approver roles separated allows for a vital process check for the powerful tool that Run Scripts is.

There is an additional script runners role that allows execution of scripts, but not the creation or approval of scripts. You can create and deploy SCCM PowerShell Script using SCCM run script options in the software library. Uninstall 7Zip application with PowerShell Command line from SCCM.

Enable the Script authors to require an additional script approver in Hierarchy settings for the site server. The further approval and RBAC ensure the security part of running the script from the SCCM console. This process is essential for SCCM PowerShell Script Deployment without creating a Package.

Security Permissions to Create and Deploy SCCM Run Script

In General, there are three (3) SCCM security roles are needed,

1. Script Runners
2. Script Authors
3. Script Approvers

These three security roles used for running scripts are not created by default in SCCM. Please refer to the below Roles to be configured. Additional notify permissions are added in SCCM 1810 version onwards.

Role Name: Script Runners

• Description: These permissions enable this role only to run scripts that were previously created and approved by other roles.
• Permissions: Ensure the following are set to Yes.

Description: These permissions enable this role only to run scripts that were previously created and approved by other SCCM admins.
Permissions: Ensure the following settings are set to Yes.

Category	Permission	State
Collection	Run Script	Yes
Site	Read	Yes
SMS Scripts	Create	Yes
SMS Scripts	Read	Yes

Role Name: Script Authors

• Description: These permissions enable this role to author scripts, but they can’t approve or run them.
• Permissions: Ensure the following permissions are set.

Category	Permission	State
Collection	Run Script	No
Site	Read	Yes
SMS Scripts	Create	Yes
SMS Scripts	Read	Yes
SMS Scripts	Delete	Yes
SMS Scripts	Modify	Yes

Role Name: Script Approver

• Description: These permissions enable this script approver role to approve scripts, but they can’t create or run them.
• Permissions: Ensure the following permission values are set to YES or NO, respectively.

Category	Permission	State
Collection	Run Script	No
Site	Read	Yes
SMS Scripts	Read	Yes
SMS Scripts	Approve	Yes
SMS Scripts	Modify	Yes

How to Create SCCM PowerShell Script (SCCM Script)?

In this scenario, you need to uninstall the 7-Zip application (using PowerShell commandlets) in the entire SCCM environment.

PowerShell Script (EVIL?)

$app = Get-WmiObject -Class Win32_Product -Filter “Name = ‘7-Zip 18.05 (x64 edition)'”

$app.Uninstall()

• In the SCCM console, click Software Library.
• In the Software Library workspace, click Scripts.
• On the Home tab, in the Create group, click Create Script.
• On the Script page of the Create Script wizard, configure the following settings:
  • Enter the Script Name and PS Script
  • Click Next

Review the information and Click Next

The script is created successfully, Click Close

How to Approve or Deny Script – SCCM PowerShell Script

Once the hand is created and needs to approve by the approver, it’s essential to have an SCCM script approval process in place to make sure that there are no issues with the script.

To Approve the Script:

• Launch the SCCM Console
• In the SCCM console, click Software Library
• In the Software Library workspace, click Scripts
• Select the Script and Click Approve/Deny in the top ribbon menu

Review the Script details, Click Next

Select Approve and then Click Next

Select Approve and then Click Next

The Script is approved by the Approver, Click Close

• View the approval status in the console

How to Run a Script from SCCM Console

After approving the script, Select the Collection or a Client Device.

• Right-click – Select Run Script options

Select the Script and then click Next.

Review the details, and click Next.

The task is created, and the script is executed on the client device.

How to Perform Script Monitoring from SCCM Console

To Monitor the Script execution status in the Configuration Manager (SCCM) console. SCCM PowerShell Script monitoring is also important, and it’s easy to monitor the script results in the latest versions of SCCM.

Client-Side Logs

To view the status of Script execution on the client-side, refer to the below client logs.

CCMNotificationAgent.log

Script.log

Install Adobe Acrobat Reader using Run Script

NOTE! – This is a sample script method that you can try using Windows Package Manager. However, this won’t work because WinGet works only in the User context, not the device context. You might be able to make this work if you modify the PowerShell script to work in the logged-in user’s context.

Follow the steps mentioned below to complete the creation of the SCCM Script workflow to install or uninstall Adobe Acrobat Reader.

• Navigate to \Software Library\Overview\Scripts.
• Click on Scripts Node and select Create Script button from the ribbon menu.

From the Create Script wizard, enter the details of the script you want to create to install Adobe Acrobat Reader.

• Enter the Script Name – Adobe Acrobat Reader.
• Select the Script Language – PowerShell.
• You can import a PowerShell script if you have one. Otherwise, copy and paste the PowerShell command below the line.
• Click on the Next button to continue.

Winget Install --silent --id Adobe.Acrobat.Reader.64-bit

Click on the Next button from the Confirm the details summary page.

Click on the Close button to complete the Create Script wizard. Now your script package is ready in SCCM.

SCCM Script Approval Process

You need to approve the script before deploying it to a collection. Depending on the configuration on Hierarchy Settings, you might need to request another SCCM admin to approve your script.

If the following option is ENABLED from Hierarchy settings, then you need another SCCM admin to approve the script package that is created above.

Script authors require an additional script approver

In my lab environment, the Script authors require another script approver that is not enabled. Hence I can approve the script myself.

• Navigate back to \Software Library\Overview\Scripts.
• Select Adobe Acrobat Reader x64 Install Using WinGet Tool script.
• Click on Approve/Deny button from the Ribbon menu.

Go through Approve or Deny Script Wizard to approve the script for installing Adobe Acrobat Reader x64 from Windows Package Manager using the WinGet tool and SCCM.

• Click on the Next Button from Specify Script Details page. You can review the script from this page and decide to Approve or Deny it.

You have an option to Approve or Deny the script from the Script approval page of Approve or Deny Script wizard. You get a message that this script requires approval before it can run.

• Select the Approve option to approve the script package from the SCCM console. You also have a chance to provide additional Approval or Denial comments on the same page.

Click on the Next page to continue to the progress and completion page of Approve or Deny Script wizard.

Click on the Close button to complete the approval process of the script package called Adobe Acrobat Reader x64 from Windows Package Manager using the WinGet tool and SCCM.

The SCCM Script package to install Adobe Acrobat from the Windows Package Manager service using WinGet is ready to deploy now. You can check the Approval State of the script package and confirm it’s Approved.

Deploy SCCM Script to Install Adobe Acrobat Reader using WinGet Tool

Let’s deploy SCCM Script to Install Adobe Acrobat Reader using WinGet Tool on Windows 11 PC. You can deploy this script to Windows 10 devices as well. Follow the steps mentioned below to initiate the immediate deployment.

• Navigate to \Assets and Compliance\Overview\Devices.
• Right-Click on the Windows 11 domain joined ONLINE device.
• Click on the Run Script option to start the deployment process.

NOTE! – You can deploy the SCCM script to a Device collection if required, but in this scenario, I wanted to test this with only one device.

From the Run Script Wizard, select the script name Adobe Acrobat Reader x64 and click on the Next button to continue.

Script execution details – Script Name: Adobe Acrobat Reader x64 Install Using WinGet Tool
Script Type: PowerShell

You selected 1 resource. Online clients will be notified to run the script as soon as possible. Click the Next button to continue.

This worked OK as per the SCCM Run Script wizard and as per the \Monitoring\Overview\Script Status.

Author

Kannan C S is a Technical Architect with more than 15 years of experience in the IT domain. He has worked on various technologies like Windows server administration, SCCM, SCOM, and Desktop Engineering domains. For the last 10 years, he has worked in Microsoft SCCM, focusing on Configuration Manager and Intune technologies.