How to deploy a powershell script using Intune

You can deploy any PowerShell script or batch file to devices that are enrolled into Azure AD and managed by Intune. All current Windows 10 and Windows 11 devices have a built-in management client that communicates with Intune to run any management tasks assigned to that device.

When you assign a PowerShell script or Win32 app to a user or device for the first time, the Intune Management Extension is installed automatically on that device. The Intune Management Extension is a service that runs on the device; every time the device reboots, it checks whether any new PowerShell scripts have been assigned to that device via Intune.

Therefore, make sure the Microsoft Intune Management Extension service is set to Automatic and is not disabled or set to Manual; otherwise PowerShell script or Win32 app deployments may fail.

You can check whether the Intune Management Extension is installed on a device by looking for the folder C:\Program Files (x86)\Microsoft Intune Management Extension.

To check the status of Microsoft Intune Management Extension service:

  • Press Windows key + R to open a Run box.
  • Type services.msc and press Enter. This opens the Services management console.
  • Search for the Microsoft Intune Management Extension service.
  • Make sure its status is Running.
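The same check done from PowerShell, as an added example that is not part of the original post. It uses the service display name and the install folder named above; the StartType property on Get-Service output needs Windows PowerShell 5.1 or later, and the commented-out repair lines need an elevated prompt.

```powershell
# Added example (not from the original post): confirm the Intune Management
# Extension is installed and that its service is Automatic and Running.
$imePath = 'C:\Program Files (x86)\Microsoft Intune Management Extension'
$installed = Test-Path -Path $imePath -PathType Container
Write-Host "IME folder present: $installed"

# Look the service up by the display name shown in services.msc
$svc = Get-Service -DisplayName 'Microsoft Intune Management Extension' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Intune Management Extension service not found. It is installed on the first script or Win32 app assignment.'
    return
}

# StartType is exposed by Get-Service from Windows PowerShell 5.1 onwards
'{0}: Status={1}, StartType={2}' -f $svc.DisplayName, $svc.Status, $svc.StartType

if ($svc.StartType -ne 'Automatic') {
    Write-Warning "Start type is $($svc.StartType); set it to Automatic or script deployments may fail."
    # Set-Service -Name $svc.Name -StartupType Automatic   # run as administrator to correct it
}
if ($svc.Status -ne 'Running') {
    Write-Warning 'Service is not running.'
    # Start-Service -Name $svc.Name                         # run as administrator to correct it
}
```

Run it in a normal PowerShell window on the device; only the two commented repair lines need elevation.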

Important Points before deploying a Powershell script using Intune

  • A user does not need to be logged on to the device for PowerShell scripts to execute. When a PowerShell script is assigned to a device, it is automatically downloaded to that device and executed.
  • After every reboot of the device, the Intune Management Extension service checks for new PowerShell script assignments and for changes made to existing PowerShell script deployments.
  • Once a PowerShell script has executed on a device, it will not execute again unless the script is changed.
  • PowerShell scripts take priority over Win32 app deployments. If both are deployed to a particular device, the PowerShell script is executed first.
  • The default timeout for a PowerShell script is 30 minutes. Any PowerShell script that takes longer than 30 minutes to execute on a device is automatically cancelled.

Prerequisites

  • Devices must run Windows 10 version 1607 or later.
  • Devices must be either Azure Active Directory joined or Hybrid Azure AD joined.
  • Devices must be enrolled into Intune.
  • Make sure the device system clock is not out of sync.

Powershell Script

You will need to create a PowerShell script before creating a deployment from the Microsoft Endpoint Manager admin center. For the purpose of this demo, we will use the PowerShell script below. It runs on the end user device and updates the Microsoft Defender Antivirus signature definitions.

It is best practice to test any code locally on a test machine before deploying it to end user devices. After you are satisfied that the code works as expected, copy and paste your PowerShell code into a file and save the file with a .ps1 extension.

Sample Powershell script to update Defender Antivirus Signature definitions

# Clear the console (only matters when the script is run interactively)
Clear-Host
# Change to the Defender folder that contains MpCmdRun.exe
Set-Location "C:\Program Files\Windows Defender"
# Ask Defender to download the latest signature definitions
.\mpcmdrun.exe -SignatureUpdate
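The sample above works, but it gives Intune nothing to report beyond "it ran". The following is an added example, not the post's script, showing the same update written so that a failure is logged and surfaces as Failed in the admin center. The log folder name under ProgramData is an assumption, as is the point that Intune treats a non-zero exit code as a failed run.

```powershell
# Added example (not from the original post): Defender signature update with
# logging and an explicit exit code. Assumptions: the IntuneScripts log folder
# is ours to create, and Intune records a non-zero exit code as Failed.
$ErrorActionPreference = 'Stop'
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$logDir   = Join-Path $env:ProgramData 'IntuneScripts'    # assumed folder name
$logFile  = Join-Path $logDir 'DefenderSignatureUpdate.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
}

try {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
    if (-not (Test-Path -Path $mpCmdRun)) {
        throw "MpCmdRun.exe not found at $mpCmdRun"
    }

    # Under Intune this runs in device context, so the account recorded here
    # is the system account rather than a user
    Write-Log "Starting signature update as $env:USERNAME"

    # Call the executable by full path; no Set-Location needed
    $output = & $mpCmdRun -SignatureUpdate
    $output | ForEach-Object { Write-Log $_ }

    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun.exe returned exit code $LASTEXITCODE"
    }
    Write-Log 'Signature update completed successfully'
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    # A non-zero exit code makes Intune record the run as Failed
    exit 1
}
```

Keep the whole run well under the 30 minute limit mentioned above; the log file gives you the detail on the device even when the admin center has not reported back yet.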

Deploy Powershell Script using Intune

Once we have a PowerShell script tested and ready to deploy, we need to create a deployment from the Microsoft Endpoint Manager admin center. Follow the steps below to deploy it:

Basics tab

On the Basics tab, provide a Name and Description for the PowerShell script deployment and then click Next.

Script Settings

On the Script Settings tab, provide the information below and then click Next.

  • Script location – Select the Powershell script which you want to deploy.
  • Run this script using the logged on credentials – Keep No.
  • Enforce script signature check – Keep No.
  • Run script in 64 bit PowerShell Host – Change it to Yes.

Assignments

Create an Azure AD security group that contains the users or devices to which this PowerShell script needs to be deployed. Note that if you add users to the group, the script is deployed to all of those users' devices that are Azure AD joined and enrolled into Intune. If you want to deploy the script to specific devices, add the devices to the Azure AD security group rather than users.

Review + add

Final step is to review the information and click on Add to start the deployment process.

Intune Policy Refresh Cycle

The device will sync / check in, then download and execute the PowerShell script. It may take some time for the process to start, so if you are testing on a test device you can force an Intune refresh cycle on the device, which speeds up the download and execution.

You can also restart the device, which also triggers the device check-in process. A manual sync is not required on every user's device because the check-in process happens automatically, but if you are testing the script on a test device it can speed up your testing and save some time.

Where does Intune download / cache PowerShell scripts on the end user device?

You can push powershell scripts to end user devices using Intune by going to Microsoft Endpoint Manager admin center -> Devices -> Scripts. The scripts are first downloaded on End user device and then executed either in User context or Device context depending upon the settings configured from the Microsoft Endpoint Manager admin center.

The Intune powershell scripts are downloaded at C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts location and deleted after the script execution is completed. So you may generally find this folder empty.

If you want to retrieve a script from this location, push the script to a device where it has never been deployed and monitor this location. You will have to be quick to copy the script to another folder before it is deleted.
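Being quick by hand is unreliable, so here is an added example (not from the original post) that watches the cache folder named above and copies each .ps1 as soon as it appears. Run it elevated on the test device before assigning the script. The destination folder is an assumption.

```powershell
# Added example (not from the original post): watch the Intune script cache
# and copy each .ps1 the moment it appears, before the extension deletes it.
$source = 'C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts'
$dest   = 'C:\Temp\IntuneScriptCopies'   # assumed destination folder

if (-not (Test-Path -Path $source)) {
    throw "Script cache folder not found: $source (is the Intune Management Extension installed?)"
}
New-Item -Path $dest -ItemType Directory -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $source
$watcher.Filter                = '*.ps1'
$watcher.IncludeSubdirectories = $true   # scripts may land in a sub-folder
$watcher.EnableRaisingEvents   = $true

# Runs for each Created/Changed event; $Event.MessageData carries $dest
$action = {
    $src  = $Event.SourceEventArgs.FullPath
    $name = $Event.SourceEventArgs.Name -replace '[\\/]', '_'
    $copy = Join-Path $Event.MessageData $name
    try {
        Copy-Item -Path $src -Destination $copy -Force
        Write-Host "Copied $src -> $copy"
    }
    catch {
        # The file may be locked while it is still being written; the Changed
        # event that follows gives a second chance
        Write-Host "Could not copy $src yet: $($_.Exception.Message)"
    }
}
$subs = foreach ($evt in 'Created', 'Changed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $action -MessageData $dest
}

Write-Host "Watching $source for scripts. Press Ctrl+C to stop."
try {
    while ($true) { Wait-Event -Timeout 1 | Out-Null }
}
finally {
    $subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

Leave it running, assign the script in the admin center, then restart the device or wait for the check-in; the copy appears under the destination folder.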

How to find the status of Powershell script deployed from Intune

To verify the status of a PowerShell script deployment, you can check the deployment status of the script in the Microsoft Endpoint Manager admin center, or you can check it from the end user device. I will show you both methods.

Using Microsoft Endpoint Manager admin center

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Go to Devices -> Scripts.
  • Click on the PowerShell script and check the Overview tab.
  • The Overview tab shows Device status and User status, which you can use to verify the deployment status.

Using End User Device via Registry Editor

You can also verify the status of a PowerShell script deployment from the end user device, using Registry Editor. Before you open Registry Editor on the target device, you need to find the unique identifier of the PowerShell script deployment in the Microsoft Endpoint Manager admin center. To find this identifier, follow these steps:

  • Go to Devices -> Scripts.
  • Click on the PowerShell script whose deployment you want to verify.
  • Check the address bar and scroll to the end to find the unique ID (the policyId value).

Example:

https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/ConfigureWMPolicyMenuBlade/~/overview/policyId/b9dd15ec-a6a7-4cca-8e2c-60db2e64801c/policyType~/0

After you find this identifier, you can check the PowerShell script deployment status from the end user machine using the steps below:

  • Sign in to the target device.
  • Go to Start -> type Run -> in the Run box type regedit.
  • Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies.

Search for the unique identifier of the PowerShell script deployment noted earlier. On the right-hand side, the Result registry entry shows whether the status is Success or Failed.

If you want more detail about the Result, open the ResultDetails registry entry and copy its text to Notepad. ResultDetails contains really useful information, especially when the deployment is not successful: it gives the reason for the PowerShell deployment failure.
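The same lookup scripted, as an added example that is not part of the original post. It searches beneath the Policies key named above for a subkey whose name is the script's unique ID and prints its Result and ResultDetails entries. The ID used is the example value from the address bar above; replace it with your own policyId. Run it as administrator on the target device.

```powershell
# Added example (not from the original post): read Result / ResultDetails for
# one Intune script deployment from the registry key the post names.
$scriptId    = 'b9dd15ec-a6a7-4cca-8e2c-60db2e64801c'   # example ID from the post; use your own policyId
$policiesKey = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'

function Get-IntuneScriptResult {
    param([Parameter(Mandatory)][string]$ScriptId)
    # The script's subkey is nested beneath Policies, so search recursively
    # for any key whose own name equals the script ID
    Get-ChildItem -Path $policiesKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $ScriptId } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Key           = $_.PSPath -replace '^.*::'   # strip the provider prefix
                Result        = $props.Result
                ResultDetails = $props.ResultDetails
            }
        }
}

$results = @(Get-IntuneScriptResult -ScriptId $scriptId)
if ($results.Count -eq 0) {
    Write-Host "No entry for $scriptId yet; the script has not run on this device."
}
foreach ($r in $results) {
    Write-Host "Key:    $($r.Key)"
    Write-Host "Result: $($r.Result)"
    if ($r.Result -ne 'Success') {
        # ResultDetails holds the failure reason; save a copy for reading in Notepad
        $detailFile = Join-Path $env:TEMP "$scriptId-ResultDetails.txt"
        $r.ResultDetails | Out-File -FilePath $detailFile
        Write-Host "ResultDetails (also saved to $detailFile):"
        Write-Host ($r.ResultDetails | Out-String)
    }
}
```

An empty result simply means the extension has not yet run the script on this device, which is the normal state right after assignment until the next check-in.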

Conclusion

In this blog post, we have seen how to easily deploy a PowerShell script using Intune to all of your organization's devices. You can create useful PowerShell scripts that run only once on each device. We have also checked where Intune downloads the script on the user device and how you can retrieve it. You can monitor the status of the PowerShell script from its deployment page. Note that the status of a PowerShell script deployment takes time to report back to Intune / the Microsoft Endpoint Manager admin center.