Deploy PowerShell scripts in Intune
For Windows 10 devices (excluding Windows 10 Home), you can upload PowerShell scripts to Intune and run them on those devices. Intune includes a management extension that handles the delivery and execution of PowerShell scripts. In addition to the Windows 10 version requirement, you must enable automatic MDM enrollment in Azure AD, and devices must be auto-enrolled in Intune. Deployment of PowerShell scripts using Intune is supported for all enrolled Windows 10 devices that are Azure AD-joined, Hybrid Azure AD domain-joined, or co-managed.
The Intune management extension has the prerequisites outlined in Table 2-6.
TABLE 2-6 Intune management extension prerequisites

| Requirement | Prerequisite |
| --- | --- |
| Windows 10 version | Windows 10 version 1607 or later. If the device is enrolled using bulk auto-enrollment, the device must run Windows 10 version 1709 or later. Not supported on Windows 10 in S mode. |
| Directory-joined devices | Hybrid Azure AD-joined and on-premises Active Directory-joined devices are allowed, as are Azure AD registered/Workplace-joined devices, including Bring Your Own Device (BYOD) devices. |
| Devices enrolled in Intune | Devices enrolled through a Group Policy Object (GPO). Devices enrolled in Intune via auto-enrollment. Devices enrolled by users with their Azure AD account. Co-managed devices that use Configuration Manager and Intune. |
When you choose to run a PowerShell script using Intune, there are three script settings, as shown in Table 2-7.
TABLE 2-7 PowerShell script runtime settings

| Setting | Description |
| --- | --- |
| Run This Script Using The Logged-On Credentials | By default, the script runs in the system context. Optionally, this can be changed so that the script runs with the credentials of the user signed in to the device. |
| Enforce Script Signature Check | By default, the signature check is not enforced. If the script is required to be signed, you can enforce the signature check; the script must then be signed by a trusted publisher. |
| Run Script In 64-Bit PowerShell Host | By default, the script runs in a 32-bit PowerShell host. Optionally, you can run the script in a 64-bit PowerShell host on a 64-bit client. |
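Before uploading a script that will be deployed with Enforce Script Signature Check set to Yes, it is worth signing it and verifying the result the same way the device will. The following is an added example and not part of the book or of Intune itself; the script path is a placeholder, the timestamp server URL is an assumption, and it presumes a code-signing certificate with a private key is already in the current user's personal certificate store and that the devices trust its publisher.

```powershell
# Added example (not from the book): sign an Intune script and verify it before upload.
# Assumptions: $ScriptPath is a placeholder; the timestamp server is an assumed TSA;
# a code-signing certificate is present in Cert:\CurrentUser\My.
$ErrorActionPreference = 'Stop'
$ScriptPath = 'C:\Intune\Scripts\Install-ContosoApp.ps1'   # placeholder path

# The upload limit described in the book is 200 KB of ASCII. Check the raw bytes,
# because the signature covers the file as stored; non-ASCII content in a BOM-less
# file is a known cause of a signature that verifies here but not on the device.
$bytes = [System.IO.File]::ReadAllBytes($ScriptPath)
if ($bytes.Length -ge 200KB) {
    throw "Script is $($bytes.Length) bytes; Intune requires less than 200 KB."
}
if ($bytes | Where-Object { $_ -gt 127 } | Select-Object -First 1) {
    throw 'Script contains non-ASCII bytes; save it as plain ASCII before signing.'
}

# Pick a current code-signing certificate that we actually hold the private key for.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate found in Cert:\CurrentUser\My.' }

# Timestamping keeps the signature verifiable after the certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
}

# Re-read the file and verify independently, as the management extension will.
# The device additionally needs the signer in its Trusted Publishers store.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File        = $ScriptPath
    Status      = $check.Status                       # expect 'Valid'
    Signer      = $check.SignerCertificate.Subject
    Thumbprint  = $check.SignerCertificate.Thumbprint
    TimeStamped = [bool]$check.TimeStamperCertificate
}
```

Record the thumbprint shown in the output: it is what you distribute to devices (for example through a trusted-publisher certificate profile) so that the signature check passes for scripts signed with this certificate and fails for everything else.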
For example, you can create a PowerShell script that installs a Win32 app to your Windows 10 device. This scenario involves the following stages:
- Write a PowerShell script to install the Win32 app.
- Upload the script to Intune as a Device Configuration profile.
- Configure the script runtime settings.
- Assign the script to an Azure AD group of users or devices.
- The script runs on the assigned group.
- You can then use Intune to monitor the run status of the script.
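The first stage above is the script itself. As an added example, not code from the book, the following is the kind of Win32 (MSI) install script a practitioner would upload for this scenario. The product name, download URL, expected SHA-256 value, and log location are constructed placeholders; replace them with the values for your own package. It is written to be idempotent because, as described later in this section, the management extension does not re-run a script unless the script or policy changes, and to behave the same whether Intune launches it in a 32-bit or 64-bit PowerShell host.

```powershell
<#
  Added example (not from the book): idempotent Win32 MSI install for Intune deployment.
  Constructed placeholders: $ProductName, $MsiUrl, $ExpectedSha256, $LogDir.
#>
$ErrorActionPreference = 'Stop'

$ProductName    = 'Contoso App'                                   # placeholder
$MsiUrl         = 'https://downloads.example.com/ContosoApp.msi'  # placeholder
$ExpectedSha256 = 'REPLACE_WITH_THE_PUBLISHERS_SHA256_HASH'        # placeholder
$LogDir         = Join-Path $env:ProgramData 'ContosoApp\Logs'     # assumed location
$MsiPath        = Join-Path $env:TEMP 'ContosoApp.msi'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path (Join-Path $LogDir 'Install.log') -Value $line
}

function Test-Installed {
    # Check both the native and WOW6432Node Uninstall keys so the answer does not
    # depend on which PowerShell host (32- or 64-bit) Intune used to launch us.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq $ProductName }
    return [bool]$found
}

New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
Write-Log "Starting. 64-bit process: $([Environment]::Is64BitProcess); user: $env:USERNAME"

if (Test-Installed) {
    Write-Log "$ProductName is already installed; nothing to do."
    exit 0
}

try {
    Invoke-WebRequest -Uri $MsiUrl -OutFile $MsiPath -UseBasicParsing

    # Refuse to run an installer whose hash does not match the value you pinned
    # when you packaged it; this protects against a swapped or corrupted download.
    $actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Log "Hash mismatch for $MsiPath (got $actual). Aborting."
        exit 1
    }

    $msiLog  = Join-Path $LogDir 'msiexec.log'
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    Write-Log "msiexec exited with $($proc.ExitCode)"

    # 0 = success, 3010 = success with a reboot pending; anything else is a failure,
    # and a non-zero exit code is what Intune reports as a failed run.
    if ($proc.ExitCode -in 0, 3010) { exit 0 } else { exit $proc.ExitCode }
}
catch {
    Write-Log "Unhandled error: $($_.Exception.Message)"
    exit 1
}
finally {
    Remove-Item -Path $MsiPath -Force -ErrorAction SilentlyContinue
}
```

Because the script runs in the system context by default, the log directory under ProgramData is writable without any user signed in; if you instead set Run This Script Using The Logged-On Credentials to Yes, a per-machine MSI install will fail for standard users, so choose the log location and the runtime setting together.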
To create a PowerShell script policy, follow these steps:
- Sign in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com as a global administrator.
- Select Devices, and then under Policy, click Scripts.
- On the Scripts blade, click Add and select Windows 10.
- On the Add PowerShell script blade, enter the following properties in the Basics tab:
- Name: Enter a descriptive name for the script.
- Description: Enter a description for the script.
- Click Next.
- Under Script settings, as shown in Figure 2-6, enter the following properties:

Figure 2-6 Add PowerShell script
- Script location: Browse to the PowerShell script. The script must be less than 200 KB (ASCII).
- Run this script using the logged-on credentials: Select Yes to run the script with the user’s credentials on the device, or choose No (default) to run the script in the system context.
- Enforce script signature check: Select Yes or No (default).
- Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host or select No (default) to run the script in a 32-bit PowerShell host.
- Click Next.
- On the Assignments blade, assign the policy to users, devices, or groups and then click Next.
- On the Review + add blade, review the summary and then click Create.
Once you have uploaded a PowerShell script to Intune, the management extension client checks with Intune for any new PowerShell scripts or changes; this check is done once every hour and after every reboot. After the PowerShell script has been executed on a targeted device, the PowerShell script is not executed again unless there’s a change in the script or policy.
Note: PowerShell Permissions
When you deploy PowerShell scripts using Intune, the script can be executed with or without a user signed into the device. PowerShell scripts can be targeted to Azure AD device security groups and Azure AD user security groups.