Let’s discuss how to run a PowerShell script directly from a collection in SCCM CB (Configuration Manager, ConfigMgr). The SCCM CB fast channel has an option to push PowerShell scripts to devices, and these scripts can be pushed almost in real time.
The video tutorial attached to this post explains this real-time push of the Run PowerShell Script option. This post covers the SCCM Run Scripts options and architecture.
For more details about the run PowerShell script option, refer to the SCCM CB Run PowerShell Script Directly from the Collection post.
Related posts cover the PowerShell script deployment feature architecture and troubleshooting guide, the new communication channel between SCCM server components and clients, and the real-time graphical representation of SCCM Run Script results.
SCCM 1810 Updates – Improvements in SCCM Run Scripts
SCCM run script deployment has seen many improvements in recent releases. SCCM 1810 is one of the latest, and the following are some of the upgrades that Microsoft brought in.
With SCCM 1810, you can view detailed script output in raw or structured JSON format. The following SCCM script performance and troubleshooting improvements apply from SCCM 1810 onwards:
- Updated SCCM 1810 clients return output of less than 80 KB to the site over the fast communication channel. This change increases the performance of viewing script or query output.
- Additional logs for troubleshooting, as I mentioned in the CMPivot post.
What is the Process of Pushing PowerShell Scripts using the SCCM Right Click Option?
SCCM CB 1706 supports pushing normal PowerShell scripts using this method. However, the SCCM team included two new features in the Run Script option in SCCM CB preview releases. The steps and the new parameter features of SCCM Run Scripts are listed below.
- Enable the Create and Run Script feature
- Import PowerShell Script
- Approve or Decline the PowerShell Script
- Right-click on Device Collection and run the script
- Get the status of PowerShell script execution via the Monitoring workspace
- Read parameters from the PowerShell script.
- The capabilities of PowerShell script parameters have been improved. SCCM now detects mandatory and optional parameters and prompts you to enter them.
Why is the “Script” Node Not Visible in the SCCM CB Console?
Create and Run Script is a pre-release feature of SCCM CB 1706, and the Scripts node appears in the Software Library workspace only after the feature is turned on. If you have not enabled it yet, navigate to the console path \Administration\Overview\Updates and Servicing\Features, right-click the “Create and Run Script” feature, and select Turn On.
How to Import PowerShell Script to SCCM CB?
As I explained in the video, navigate to the Software Library workspace in the SCCM console (“\Software Library\Overview\Scripts”) and click the Scripts node. Right-click the Scripts node and select the Create Script option. The Create Script wizard will guide you through importing the PowerShell script into SCCM CB.
Provide an appropriate script name, such as “Create Files and Folders.” PowerShell is the ONLY supported script language for now. We may soon have other supported options. Don’t expect SCCM to check the PowerShell script for syntax errors before importing.
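Because the import wizard does not check syntax, a local check before import is worthwhile. The following is an added example (not code from this post or from Microsoft) that parses a script with PowerShell's own parser without executing it, reports syntax errors, and lists the mandatory and optional parameters declared in its param block. `Test-RunScriptCandidate`, the sample script and the `C:\RunScriptDemo` path are constructed for illustration.

```powershell
using namespace System.Management.Automation.Language

# Constructed sample in the spirit of the post's "Create Files and Folders"
# script: one mandatory and one optional parameter, compact JSON output.
$sample = @'
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 50)]
    [int]$Count,

    [ValidateNotNullOrEmpty()]
    [string]$Root = 'C:\RunScriptDemo'
)
1..$Count | ForEach-Object {
    $dir = New-Item -ItemType Directory -Path (Join-Path $Root "Folder$_") -Force
    New-Item -ItemType File -Path (Join-Path $dir.FullName "File$_.txt") -Force | Out-Null
}
[pscustomobject]@{ Root = $Root; Created = $Count } | ConvertTo-Json -Compress
'@

function Test-RunScriptCandidate {
    # Hypothetical helper: parses the text only, never executes it.
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    $params = @(foreach ($p in $ast.ParamBlock.Parameters) {
        # Mandatory when [Parameter()] carries Mandatory or Mandatory = $true.
        $mandatory = [bool]($p.Attributes |
            Where-Object { $_ -is [AttributeAst] -and $_.TypeName.Name -eq 'Parameter' } |
            ForEach-Object { $_.NamedArguments } |
            Where-Object { $_.ArgumentName -eq 'Mandatory' -and
                ($_.ExpressionOmitted -or $_.Argument.Extent.Text -match '^\$?true$') })
        [pscustomobject]@{ Name = $p.Name.VariablePath.UserPath; Mandatory = $mandatory }
    })

    [pscustomobject]@{
        SyntaxErrors = @($errors | ForEach-Object { "line $($_.Extent.StartLineNumber): $($_.Message)" })
        Mandatory    = @($params | Where-Object Mandatory | ForEach-Object Name)
        Optional     = @($params | Where-Object { -not $_.Mandatory } | ForEach-Object Name)
    }
}

# The well-formed sample, then the same sample with an unclosed "if (" appended.
Test-RunScriptCandidate -ScriptText $sample
Test-RunScriptCandidate -ScriptText ($sample + "`nif (`$true {")
```

For a script on disk, pass `Get-Content -Raw` output as `-ScriptText`; an empty `SyntaxErrors` list only means the text parses, not that the script behaves as intended.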
How to Approve PowerShell Script via Fast Channel Push Method?
The SCCM team built an approval flow into the Run Script engine to avoid accidental PowerShell script pushes to devices. By default, you can’t approve your own PowerShell script.
To be able to approve your own scripts, you must disable the following option in the Hierarchy Settings properties: “Do Not Allow Script authors to approve their scripts”. With that option disabled, the same admin can both author and approve a script.
Right-click the script you want to execute and select the Approve/Deny button. The Approve or Deny script wizard will walk you through the approval process. The video guide has more details.
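To review how the approval flow is actually being used, the following added example (not from the original post) classifies script records by approval state and flags approved scripts whose author and approver are the same account. The records are constructed; the field names and the `ApprovalState` values 0/1/3 follow the `SMS_Scripts` class that `Get-CMScript` returns and should be confirmed on your site version, and `Get-ScriptApprovalFinding` is a hypothetical helper name.

```powershell
# Constructed records shaped like Get-CMScript output (SMS_Scripts class).
# Account and script names are made up for illustration.
$sampleScripts = @(
    [pscustomobject]@{ ScriptName = 'Create Files and Folders'; Author = 'LAB\admin1'; Approver = 'LAB\admin1'; ApprovalState = 3 }
    [pscustomobject]@{ ScriptName = 'Collect Service State';    Author = 'LAB\admin1'; Approver = 'LAB\admin2'; ApprovalState = 3 }
    [pscustomobject]@{ ScriptName = 'Restart Spooler';          Author = 'LAB\admin2'; Approver = '';           ApprovalState = 0 }
    [pscustomobject]@{ ScriptName = 'Clear Temp';               Author = 'LAB\admin2'; Approver = 'lab\ADMIN2'; ApprovalState = 3 }
)

function Get-ScriptApprovalFinding {
    # Hypothetical helper: one output row per script, with a SelfApproved flag.
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$InputObject)
    process {
        # Assumed mapping: 0 = waiting for approval, 1 = declined, 3 = approved.
        $state = switch ([int]$InputObject.ApprovalState) {
            0 { 'WaitingForApproval' }
            1 { 'Declined' }
            3 { 'Approved' }
            default { "Unknown($_)" }
        }
        # -eq on strings is case-insensitive, so LAB\admin2 matches lab\ADMIN2.
        $self = $state -eq 'Approved' -and
                -not [string]::IsNullOrWhiteSpace($InputObject.Author) -and
                $InputObject.Author.Trim() -eq "$($InputObject.Approver)".Trim()
        [pscustomobject]@{
            ScriptName   = $InputObject.ScriptName
            State        = $state
            Author       = $InputObject.Author
            Approver     = $InputObject.Approver
            SelfApproved = [bool]$self
        }
    }
}

$sampleScripts | Get-ScriptApprovalFinding | Where-Object SelfApproved

# Against a live site (ConfigurationManager module loaded, site drive selected):
#   Get-CMScript | Get-ScriptApprovalFinding | Where-Object SelfApproved
```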
How to Execute the PowerShell Script via SCCM CB Fast Channel using the Push Method (SCCM Run Scripts)?
Once the script is approved in SCCM, it is available for execution. The PowerShell script is initiated from “\Assets and Compliance\Overview\Device Collections” in the SCCM CB console.
Select the device collection you want to target, right-click the collection, and select the Run Script (SCCM Run Scripts) option.
The Run Script wizard does not show every PowerShell script imported into SCCM. It shows only the scripts that admins have approved. You can select one approved script at a time from the SCCM console.
| How to Execute the PowerShell Script via SCCM CB Fast Channel |
|---|
| Device Collections |
| All Desktop and Server Clients |
| Run Script |
| Confirm the Script Execution Details |
End-User Experience of Run PowerShell Script via Fast Channel Push Method?
Once the script is initiated for a collection, all the devices with the correct SCCM client version (SCCM CB 1706 and above) get a push notification to execute the script (SCCM Run Scripts). The SCCM client on Windows 10 devices executes the script immediately.
As you can see in the video, I initiated a file and folder creation script for Windows 10 devices. The SCCM client received a notification from the notification server and immediately executed the script on the Windows 10 machine.
The script created 20 files and folders in the C drive root of the Windows 10 device. I have another post that explains troubleshooting of a running script, “What is Fast channel push notification”.
How to Monitor the Execution of PowerShell Scripts through Push channel?
Once the PowerShell script is executed on a Windows 10 machine, the client sends the result to the SCCM notification server. You can see the results in “\Monitoring\Overview\Client Operations”. If I’m not wrong, the operation name is “Run Script (SCCM Run Scripts)”, and each task stays active for 1 hour.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Thanks Anoop for a wonderful article.
Happy to hear you liked it
Hey, my SCCM was running scripts fine, but it's stuck at creating client jobs when running scripts.
Any idea?
What do you mean by client jobs? If you run the script manually, does it work fine?
Hello, after updating to the Hotfix for 2010 this week, I am getting an Operation Name – Run Script in the Monitoring/Client Operations view.
I do not initiate it, but it appeared after the update was successful. It runs and then runs again, over and over. I cannot figure out what it is. It is no collection, not clients, etc.
Run Script 3/10/2021 4:07:00 PM Expired 0 0 0 0 0 SMS00001 NT AUTHORITY\SYSTEM
Run Script 3/11/2021 8:18:00 AM Active 0 0 0 0 0 SMS00001 NT AUTHORITY\SYSTEM
Strange …
I can’t see this in my lab.
Can you see these entries under \Monitoring\Overview\Script Status?
Have you installed the latest hotfix? https://www.anoopcnair.com/28-issues-fixed-with-configmgr-2010-update-rollup-hotfix-kb4600089-sccm/
SMS00001 = All Systems collection
It’s worth checking the server logs to understand this: BGBServer.log
Hi, thanks Anoop,
Nothing appears in – \Monitoring\Overview\Script Status
No items found.
Yes installed March 9, that is when I started getting the run scripts (note we are in production as we do not have Lab) –
Configuration Manager 2010 Hotfix Rollup (KB4600089) 3/3/2021 12:00:00 AM Installed No No 5.00.9040.1044 5.00.9040.1044 3/9/2021 4:12:00 PM Fixes issues explained in KB4600089 Configuration Manager site server updates Configuration Manager console updates Configuration Manager client updates 5.00.9040.9999 5.00.9040.0000
Thanks, I understand the SMS00001 = All System Collection
On my MP, in the BGBServer.log, I see a few errors, but unfortunately for me they make no sense.
ERROR: Failed to get message from disconnected client queue: System.InvalidOperationException: The collection argument is empty and has been marked as complete with regards to additions.~~ at System.Collections.Concurrent.BlockingCollection`1.Take()~~ at Microsoft.ConfigurationManager.BgbServerChannel.BgbHttpListener.GetDisconnectedClient() SMS_NOTIFICATION_SERVER 3/11/2021 8:24:44 AM 13832 (0x3608)
ERROR: Failed to get message from server to client queue: System.InvalidOperationException: The collection argument is empty and has been marked as complete with regards to additions.~~ at System.Collections.Concurrent.BlockingCollection`1.Take()~~ at Microsoft.ConfigurationManager.BgbServerChannel.BgbHttpListener.RetrieveServerToClientMessage() SMS_NOTIFICATION_SERVER 3/11/2021 8:24:44 AM 10456 (0x28D8)
Created disconnectedClient Queue and serverToClientMessage Queue SMS_NOTIFICATION_SERVER 3/11/2021 8:24:44 AM 10456 (0x28D8)
ERROR: The read operation failed. Exception: System.IO.IOException: Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond~~ at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~ — End of inner exception stack trace —~~ at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~ at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)~~ at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)~~ at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)~~ at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)~~ at System.Net.Security.SslStream.Read(Byte[] buffer, Int32 offset, Int32 count)~~ at Microsoft.ConfigurationManager.BgbServerChannel.BgbTcpListener.ReceiveSignInMessage(TcpConnectionInfo connection) SMS_NOTIFICATION_SERVER 3/11/2021 8:26:08 AM 9980 (0x26FC)
Ah, sorry… Even I can see two active Run Script events. I have no clue what those are… I can’t find anything in the client device's script.log either. It’s a bit weird.
Thanks sir.
I noticed this occurred the last time I ran the previous hotfix in January. It is strange. I was able to somehow stop it back then, but gosh, I have no clue now how I did it. But after the update on the 9th, it reappeared.
If you figure out something let me know, thanks.
You don’t have to worry about that, sir. I got a confirmation that this is related to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/scenario-health
Hi.
I’ve got a tricky question.
Situation : Several VLANs with isolation. Remote Management not Allowed.
Idea: use SCCM to run scripts on all clients… and retrieve script execution results (lots of gathering, like services, installed software, certificates, …)
Problem: 4MB result size limit.
Is there any way to increase it?
Hi Anoop, wonderful article and very useful. I can imagine now several things we can perform easily (uninstallation, toast messages, etc.).
How does this deal with Execution Policy? Is there a need to change it?
Hi,
thank you.
Can I trigger the “Run Scripts” with PowerShell?
I like to automate some things that way if possible.
Thanks
Hello @Carsten,
Did you find a way to trigger it using PowerShell?
Thanks,
Hello @Carsten
If we do the same operation through remote desktop through powershell, by creating session, ending session of SCCM server.
How to get the output of these operations?
For example
If I do Get-ProcessMitigation, what I expect is to get all the mitigation details of all the devices of that endpoint. Do I get it in real time, or is it stored somewhere in the SCCM db and I have to retrieve it separately?