Learn how to create and deploy SCCM PowerShell Script to uninstall applications without creating packages. How to uninstall 7Zip from all your managed devices from SCCM without using packages.
This post will explain how to deploy a PowerShell script via SCCM to remove the 7Zip application (using the SCCM run script option) from Windows devices.
You can refer to SCCM CB Run PowerShell Script Directly from the Collection post to get more details about the run PowerShell script option. There are also posts about PowerShell script deployment feature architecture and troubleshooting guide.
NOTE! – I know Win32_Product is EVIL, and I used that WMI class to remove an already installed application. This post is just an example of how to use SCCM Script Deployment options.
Introduction
System Center Configuration Manager (SCCM) has an integrated ability to run PowerShell scripts. This feature was first introduced in version 1706 as a pre-release. This feature is no longer a pre-release feature, beginning with version SCCM 1802 (more details about the SCCM version).
Create and deploy SCCM PowerShell Script using the script method. SCCM PowerShell Script Deployment without Creating Package is explained in this post.
You can run PowerShell scripts (SCCM run script) on client devices from the SCCM administrator console. The script can run against either a specific device or a specific collection.
Deploying the script from a collection makes it easier to automate a task. For example, you can uninstall an application or restart a service on all client devices.
Prerequisites
Currently, SCCM run script supports only PowerShell scripts. The following prerequisites must be in place to use the SCCM run script option:
- The client device must be running PowerShell version 3.0 or later
- The client device must be running with SCCM 1706 client version or later
SCCM Run Script Authors and Approvers
SCCM Run Script uses the concept of script authors and script approvers as separate roles for the implementation and execution of a script. Having the author and approver roles separated allows for a vital process check for the powerful tool that Run Scripts is.
There is an additional script runners role that allows execution of scripts, but not the creation or approval of scripts. You can create and deploy SCCM PowerShell Script using SCCM run script options in the software library. Uninstall 7Zip application with PowerShell Command line from SCCM.
Enable the "Script authors require an additional script approver" option in Hierarchy Settings for the site server. The additional approval and RBAC secure the running of scripts from the SCCM console. This process is essential for SCCM PowerShell Script Deployment without creating a Package.
Security Permissions to Create and Deploy SCCM Run Script
In general, three (3) SCCM security roles are needed:
- Script Runners
- Script Authors
- Script Approvers
These three security roles used for running scripts are not created by default in SCCM. Please refer to the below Roles to be configured. Additional notify permissions are added in SCCM 1810 version onwards.
Role Name: Script Runners
- Description: These permissions enable this role only to run scripts that were previously created and approved by other roles.
- Permissions: Ensure the following are set to Yes.
Category | Permission | State |
Collection | Run Script | Yes |
Site | Read | Yes |
SMS Scripts | Create | Yes |
SMS Scripts | Read | Yes |
Role Name: Script Authors
- Description: These permissions enable this role to author scripts, but they can’t approve or run them.
- Permissions: Ensure the following permissions are set.
Category | Permission | State |
Collection | Run Script | No |
Site | Read | Yes |
SMS Scripts | Create | Yes |
SMS Scripts | Read | Yes |
SMS Scripts | Delete | Yes |
SMS Scripts | Modify | Yes |
Role Name: Script Approver
- Description: These permissions enable this script approver role to approve scripts, but they can’t create or run them.
- Permissions: Ensure the following permission values are set to YES or NO, respectively.
Category | Permission | State |
Collection | Run Script | No |
Site | Read | Yes |
SMS Scripts | Read | Yes |
SMS Scripts | Approve | Yes |
SMS Scripts | Modify | Yes |
How to Create SCCM PowerShell Script (SCCM Script)?
In this scenario, you need to uninstall the 7-Zip application (using PowerShell cmdlets) in the entire SCCM environment.
PowerShell Script (EVIL?)
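# Look up the installed MSI product by its exact name
$app = Get-WmiObject -Class Win32_Product -Filter "Name = '7-Zip 18.05 (x64 edition)'"
# Uninstall only if the product was found on this device
if ($app) { $app.Uninstall() }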
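A registry-based alternative to the Win32_Product lookup above, as an added example that is not part of the original post: it finds the product in the Uninstall registry keys and removes it with msiexec, which avoids enumerating Win32_Product. The `$DisplayName` parameter and its default value (taken from the script above) are assumptions for illustration.

```powershell
param(
    # Exact DisplayName from Programs and Features; the default is the page's example value.
    [string]$DisplayName = '7-Zip 18.05 (x64 edition)'
)

# Both registry views, so 32-bit products on 64-bit Windows are found too.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Exact comparison without wildcards, so a loose name cannot match extra products.
$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName })

if ($entries.Count -eq 0) {
    Write-Output "NotInstalled: $DisplayName"
    return
}

foreach ($entry in $entries) {
    # For MSI products the registry key name is the product code GUID.
    $productCode = $entry.PSChildName
    $isMsi = ($entry.WindowsInstaller -eq 1) -and ($productCode -match $guidPattern)
    if (-not $isMsi) {
        # EXE-based installers need their own vendor-specific silent uninstall switches.
        Write-Output "Skipped (not an MSI product): $productCode"
        continue
    }
    # Pass the validated GUID as a separate argument; nothing from the registry is run as a command line.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList '/x', $productCode, '/qn', '/norestart' -Wait -PassThru
    # msiexec exit codes: 0 = success, 3010 = success but a reboot is required.
    Write-Output "Uninstall $productCode exit code: $($proc.ExitCode)"
}
```

The script writes one status line per device, which is what the Run Script results view collects.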
- In the SCCM console, click Software Library.
- In the Software Library workspace, click Scripts.
- On the Home tab, in the Create group, click Create Script.
- On the Script page of the Create Script wizard, configure the following settings:
- Enter the Script Name and PS Script
- Click Next
Review the information and Click Next
The script is created successfully, Click Close
How to Approve or Deny Script – SCCM PowerShell Script
Once the script is created, it needs to be approved by the approver. It’s essential to have an SCCM script approval process in place to make sure that there are no issues with the script.
To Approve the Script:
- Launch the SCCM Console
- In the SCCM console, click Software Library
- In the Software Library workspace, click Scripts
- Select the Script and Click Approve/Deny in the top ribbon menu
Review the Script details, Click Next
Select Approve and then Click Next
The Script is approved by the Approver, Click Close
- View the approval status in the console
How to Run a Script from SCCM Console
After approving the script, Select the Collection or a Client Device.
- Right-click – Select Run Script options
Select the Script and then click Next.
Review the details, and click Next.
The task is created, and the script is executed on the client device.
How to Perform Script Monitoring from SCCM Console
You can monitor the script execution status in the Configuration Manager (SCCM) console. SCCM PowerShell Script monitoring is also important, and it’s easy to monitor the script results in the latest versions of SCCM.
Client-Side Logs
To view the status of Script execution on the client-side, refer to the below client logs.
CCMNotificationAgent.log
Scripts.log
Install Adobe Acrobat Reader using Run Script
NOTE! – This is a sample script method that you can try using Windows Package Manager. However, this won’t work because WinGet works only in the User context, not the device context. You might be able to make this work if you modify the PowerShell script to work in the logged-in user’s context.
Follow the steps mentioned below to complete the creation of the SCCM Script workflow to install or uninstall Adobe Acrobat Reader.
- Navigate to \Software Library\Overview\Scripts.
- Click on Scripts Node and select Create Script button from the ribbon menu.
From the Create Script wizard, enter the details of the script you want to create to install Adobe Acrobat Reader.
- Enter the Script Name – Adobe Acrobat Reader.
- Select the Script Language – PowerShell.
- You can import a PowerShell script if you have one. Otherwise, copy and paste the PowerShell command below the line.
- Click on the Next button to continue.
Winget Install --silent --id Adobe.Acrobat.Reader.64-bit
Click on the Next button from the Confirm the details summary page.
Click on the Close button to complete the Create Script wizard. Now your script package is ready in SCCM.
SCCM Script Approval Process
You need to approve the script before deploying it to a collection. Depending on the configuration on Hierarchy Settings, you might need to request another SCCM admin to approve your script.
If the following option is ENABLED from Hierarchy settings, then you need another SCCM admin to approve the script package that is created above.
Script authors require an additional script approver
In my lab environment, the "Script authors require an additional script approver" option is not enabled. Hence, I can approve the script myself.
- Navigate back to \Software Library\Overview\Scripts.
- Select Adobe Acrobat Reader x64 Install Using WinGet Tool script.
- Click on Approve/Deny button from the Ribbon menu.
Go through Approve or Deny Script Wizard to approve the script for installing Adobe Acrobat Reader x64 from Windows Package Manager using the WinGet tool and SCCM.
- Click on the Next Button from Specify Script Details page. You can review the script from this page and decide to Approve or Deny it.
You have an option to Approve or Deny the script from the Script approval page of Approve or Deny Script wizard. You get a message that this script requires approval before it can run.
- Select the Approve option to approve the script package from the SCCM console. You also have a chance to provide additional Approval or Denial comments on the same page.
Click on the Next page to continue to the progress and completion page of Approve or Deny Script wizard.
Click on the Close button to complete the approval process of the script package called Adobe Acrobat Reader x64 from Windows Package Manager using the WinGet tool and SCCM.
The SCCM Script package to install Adobe Acrobat from the Windows Package Manager service using WinGet is ready to deploy now. You can check the Approval State of the script package and confirm it’s Approved.
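The author/approver separation and the "Script authors require an additional script approver" setting described above can be audited after the fact. The following is an added example, not code from the original post: it flags administrators who can both author and approve scripts, and scripts whose approver is their own author. The role names come from this page; the property names (LogonName, RoleNames, ScriptName, Author, Approver) are assumptions about what the ConfigMgr cmdlets return, and the sample accounts are constructed.

```powershell
# Live input (assumption: ConfigurationManager module imported, site drive is the current location):
#   $admins  = Get-CMAdministrativeUser   # uses LogonName, RoleNames
#   $scripts = Get-CMScript               # uses ScriptName, Author, Approver

function Find-ScriptRoleConflict {
    param([object[]]$Admins)
    foreach ($admin in $Admins) {
        $roles = @($admin.RoleNames)
        # The built-in Full Administrator role carries every permission, including all three script roles.
        $full       = $roles -contains 'Full Administrator'
        $canAuthor  = $full -or ($roles -contains 'Script Authors')
        $canApprove = $full -or ($roles -contains 'Script Approvers')
        $canRun     = $full -or ($roles -contains 'Script Runners')
        if ($canAuthor -and $canApprove) {
            [pscustomobject]@{
                LogonName = $admin.LogonName
                Finding   = if ($canRun) { 'Can author, approve and run' } else { 'Can author and approve' }
            }
        }
    }
}

function Find-SelfReviewedScript {
    param([object[]]$Scripts)
    # A non-empty Approver equal to the Author means nobody else reviewed the script.
    $Scripts | Where-Object { $_.Approver -and ($_.Approver -eq $_.Author) } |
        Select-Object ScriptName, Author, Approver
}

# Constructed sample data (not from a real site)
$admins = @(
    [pscustomobject]@{ LogonName = 'LAB\alice'; RoleNames = @('Script Authors') },
    [pscustomobject]@{ LogonName = 'LAB\bob';   RoleNames = @('Script Authors', 'Script Approvers', 'Script Runners') },
    [pscustomobject]@{ LogonName = 'LAB\carol'; RoleNames = @('Script Approvers') }
)
$scripts = @(
    [pscustomobject]@{ ScriptName = 'Uninstall 7-Zip';      Author = 'LAB\alice'; Approver = 'LAB\carol' },
    [pscustomobject]@{ ScriptName = 'Adobe Acrobat Reader'; Author = 'LAB\bob';   Approver = 'LAB\bob' }
)

Find-ScriptRoleConflict -Admins $admins
Find-SelfReviewedScript -Scripts $scripts
```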
Deploy SCCM Script to Install Adobe Acrobat Reader using WinGet Tool
Let’s deploy SCCM Script to Install Adobe Acrobat Reader using WinGet Tool on Windows 11 PC. You can deploy this script to Windows 10 devices as well. Follow the steps mentioned below to initiate the immediate deployment.
- Navigate to \Assets and Compliance\Overview\Devices.
- Right-Click on the Windows 11 domain joined ONLINE device.
- Click on the Run Script option to start the deployment process.
NOTE! – You can deploy the SCCM script to a Device collection if required, but in this scenario, I wanted to test this with only one device.
From the Run Script Wizard, select the script name Adobe Acrobat Reader x64 and click on the Next button to continue.
Script execution details – Script Name: Adobe Acrobat Reader x64 Install Using WinGet Tool
Script Type: PowerShell
You selected 1 resource. Online clients will be notified to run the script as soon as possible. Click the Next button to continue.
This worked OK as per the SCCM Run Script wizard and as per the \Monitoring\Overview\Script Status.
Author
Kannan C S is a Technical Architect with more than 15 years of experience in the IT domain. He has worked on various technologies like Windows server administration, SCCM, SCOM, and Desktop Engineering domains. For the last 10 years, he has worked in Microsoft SCCM, focusing on Configuration Manager and Intune technologies.
Hi Kannan,
A few months back, I wrote about the same feature by adding a few SQL tables which are related to the scripts feature.
https://gallery.technet.microsoft.com/ConfigMgr-Full-Feature-181a236e
Also, please mention devices which are found offline for one hour time period, we need to re-run the scripts.
-Praveen
Good article, Kannan. But querying the Win32_Product WMI class is not recommended. https://support.microsoft.com/en-gb/help/974524/event-log-message-indicates-that-the-windows-installer-reconfigured-al
After several Google searches I still do not know how to “Launch the SCCM Console”. Is it an .EXE file?? Where is it??
Let me try this with you over here https://www.anoopcnair.com/install-sccm-console-remotely/
Is there an option to run the PowerShell script as administrator through SCCM?
How does SCCM actually deploy the scripts and return data? I have a thousand clients that I’d like to run a simple script on, such as checking if a service exists. Does SCCM blast the script to each client, have the local system run it, and then return the data using the CCMExec service? I don’t want to cause an I/O storm, but I can’t find much information on specifically how it works.
The architecture of SCCM Fast Channel deployments is explained here https://www.anoopcnair.com/troubleshoot-sccm-fast-channel-push-notification-issues/
Good article! Do SCCM scripts expire? Meaning, what happens to computers that are not online for, say, a week from the date the script ran? Does the script still run when machines come online after a while?
It does expire … you might need to retry….
Thank you for the example. I would love to see an example with the application to uninstall passed in as a parameter… I’m having trouble with Run Scripts that take a string parameter and the string passed in has a space.