How to Deploy PowerShell Script using Intune (MEM)
In this post I will show you how to deploy a PowerShell script using Intune (MEM). You can use the Microsoft Intune management extension to upload PowerShell scripts to Intune. Once you upload the PowerShell script, you can run it on Windows 10 devices.
You might be wondering what exactly the Intune management extension is. The management extension enhances Windows device management (MDM) and makes it easier to move to modern management. Intune automatically installs the Intune Management Extension (IME) on the device if a PowerShell script or a Win32 app is targeted to the user or device.
When you deploy a PowerShell script to devices in Intune, you will notice Intune Management Extension installed on the device.
Before you deploy PowerShell Script in Microsoft Endpoint Manager
Here are some important points to understand before you deploy PowerShell scripts.
- When creating the PowerShell script in Intune, if a script is set to user context and the end user has administrator rights, by default, the PowerShell script runs under the administrator privilege.
- End users don’t need to sign in to the device to execute PowerShell scripts. This is a good thing.
- The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported.
- For shared devices, the PowerShell script will run for every new user that signs in.
- PowerShell scripts are executed before Win32 apps run and PowerShell scripts time out after 30 minutes.
Prerequisites for deploying PowerShell Script in Intune
Before you deploy a PowerShell script in Intune, make sure the following Intune management extension prerequisites are met.
- You must use devices running Windows 10 1709 or later.
- Azure AD Joined Devices or Hybrid Azure AD joined Devices.
- Devices Enrolled to Intune – GPO Enrollment or Manual Enrollment or MDM Auto Enrollment.
- Co-managed devices that use Configuration Manager and Intune.
Create the PowerShell Script
If you already have a PowerShell script that is ready to be uploaded to the Intune or MEM portal, you can proceed to the next step. In this post I am using a very simple PowerShell script that creates registry entries on the device. This is only for testing purposes. You can use the PowerShell script below for your testing. Save the script as filename.ps1 and you can upload it to Intune.
# Note: with "Run this script using the logged on credentials" left at No, IME runs the script as SYSTEM, so HKCU: is the SYSTEM account's hive (HKEY_USERS\S-1-5-18), not the signed-in user's.
New-Item -Path HKCU:\SOFTWARE\Prajwal -Force | Out-Null   # -Force: no error if the key already exists (the script re-runs on shared devices and on policy changes)
Set-ItemProperty -Path HKCU:\Software\Prajwal -Name Username -Value "Prajwal" -Type String
Set-ItemProperty -Path HKCU:\Software\Prajwal -Name Version -Value 20 -Type DWord
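The script above works for a demo, but a script that IME runs unattended as SYSTEM benefits from logging, idempotent writes and a verified exit code. The following is an added example written for this post, not the author's script: it targets HKLM: (because HKCU: under SYSTEM is not the user's hive), records the execution context, and exits non-zero if the values were not written. The key path, value names and log file name are assumptions.

```powershell
# Added example (not the post's original script). Intended for the default settings in
# the post: SYSTEM context, "Run script in 64 bit PowerShell host" enabled.
# Key path, value names and log file name are assumptions for the demo.
$ErrorActionPreference = 'Stop'
$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'   # same folder IME logs to
$KeyPath = 'HKLM:\SOFTWARE\Prajwal'

Start-Transcript -Path (Join-Path $LogDir 'PrajwalRegistry-Script.log') -Append | Out-Null
try {
    # Record who ran the script and in which host, so the log explains what you see in regedit.
    # In a 32-bit host, HKLM:\SOFTWARE\Prajwal is silently redirected to HKLM:\SOFTWARE\WOW6432Node\Prajwal.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $is64Host = [Environment]::Is64BitProcess
    Write-Output "Running as '$identity'; 64-bit PowerShell host: $is64Host"

    # IME re-runs the script for every new user on shared devices and after policy changes,
    # so it must be idempotent: -Force on New-Item is a no-op when the key already exists.
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name Username -Value 'Prajwal' -Type String
    Set-ItemProperty -Path $KeyPath -Name Version  -Value 20        -Type DWord

    # Read back and verify before reporting success; a non-zero exit code lets IME
    # report the run as failed instead of "Successful" with nothing written.
    $written = Get-ItemProperty -Path $KeyPath
    if ($written.Username -ne 'Prajwal' -or $written.Version -ne 20) {
        throw "Registry values under $KeyPath were not written as expected."
    }
    Write-Output "Registry values verified under $KeyPath"
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```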
Deploy PowerShell Script Using Intune (MEM)
We will now look at the steps to add and deploy a PowerShell script using Intune (MEM). The steps to add a new PowerShell script are as follows.
- Sign in to the Microsoft Endpoint Manager admin center (Intune).
- Select Devices and then select Windows devices.
- Under Windows Policies, select PowerShell Scripts.
- To add a new PowerShell script, click the Add button and deploy it to Windows 10 devices.
Specify the name of the PowerShell script and you may add a description as well. Click Next.
PowerShell Script Settings in Intune
On the Script Settings window, you specify the script location. Click the folder icon and select the PowerShell script that you intend to deploy to devices using Intune.
There are additional settings here which are useful. You may configure them if required.
- Run this script using the logged on credentials – When this setting is enabled, the script runs with the signed-in user's credentials on the client computer. By default, the script runs in system context. The default value is No and I am not going to change this value.
- Enforce script signature check – When enabled, the script must be signed by a trusted publisher. By default, no warning or prompt is displayed and the script runs unblocked. The default value is No and I am not going to change this value.
- Run script in 64 bit PowerShell host – When enabled, the script runs in a 64-bit PowerShell host on a 64-bit client. By default, the script runs in a 32-bit PowerShell host. The default value is No and I have enabled this setting.
Next we configure Assignments. This determines to whom you deploy the PowerShell script. Click Add Group and select your test group. I usually recommend deploying the PowerShell script to test groups in Intune first and confirming that it works. If it works, you can deploy it to other groups.
In the Review+Add section, review your deployment settings and click Add.
Take a look at the notifications. The PowerShell script is successfully created and is assigned to the test group.
On the test machine, you can launch the Company Portal and manually sync your device. Wait until the sync is complete and you see "Last sync was successful".
Review IntuneManagementExtension Log File
Win32 apps and PowerShell scripts are deployed by the Intune Management Extension, and its log files are where you troubleshoot the deployment. The log files for the Intune Management Extension are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. Review the IntuneManagementExtension.log.
Notice that the log file shows the new registry entries being created on the test computer.
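IntuneManagementExtension.log is written in CMTrace format, which is awkward to read with plain text tools. The following is an added example, not from the post, that parses that format and lists the warnings and errors plus any entry mentioning an exit code; the sample lines embedded in it are constructed for the demo and are not real IME messages.

```powershell
# Added example (not from the post): parse a CMTrace-format log such as
# IntuneManagementExtension.log and surface warnings, errors and exit codes.
# Point $LogPath at the real log; the sample lines below are constructed, not real IME output.
$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

# CMTrace layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component=".." context=".." type="1|2|3" thread=".." file="..">
$cmtracePattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"\s+thread="(?<Thread>\d+)"'

function ConvertFrom-CMTraceLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $cmtracePattern) {
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = ($Matches.Time -split '[+-]')[0]   # drop the UTC-offset suffix
                Component = $Matches.Component
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.Type]
                Thread    = [int]$Matches.Thread
                Message   = $Matches.Message
            }
        }
    }
}

# Constructed sample lines in CMTrace layout (the messages are made up for the demo).
$sampleLines = @(
    '<![LOG[Policy sync started]LOG]!><time="10:00:01.123+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
    '<![LOG[Script run finished with exit code 0]LOG]!><time="10:00:09.456+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
    '<![LOG[Script run finished with exit code 1]LOG]!><time="10:01:15.789+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="3" thread="7" file="">'
)

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sampleLines }

$lines | ConvertFrom-CMTraceLine |
    Where-Object { $_.Severity -ne 'Info' -or $_.Message -match 'exit code' } |
    Format-Table Date, Time, Severity, Thread, Message -AutoSize
```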
On the test computer the registry entries are created. This was just an example of PowerShell script deployment with Intune. I hope this post helps you to deploy PowerShell script using Intune.
With these settings, and with -force added in the script, it will work:
Run this script using the logged on credentials – Yes
Enforce script signature check – No
Run script in 64 bit PowerShell Host – No
Included groups – All Users
How do I download or pull the installer script from the Intune portal?
Is there any justification for this change?
“The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or
“The Intune management extension agent checks after every reboot for any new scripts or changes.”
Hi Prajwal, I have followed your instructions to the letter, but the PS file will not deploy from Intune even though it says it’s successful. I have tested it locally on my device and it works fine, but it will not push through from Intune. Do you know why that might be? Thanks, Jason
Having the same issue. Running the script manually works 100%, but pushing it through deployment does nothing, even though the status for the test machines shows Successful.
Try adding -force at the end of each line in PowerShell when configuring the registry.