Intune PowerShell Scripts: Complete Management Guide - CyberSystem Blog

PowerShell scripts in Microsoft Intune enable you to extend device management capabilities beyond standard MDM policies. Using the Intune Management Extension (IME), you can deploy and run PowerShell scripts on Windows devices to configure settings, install software, or perform custom management tasks.

Understanding PowerShell Scripts in Intune

PowerShell scripts in Intune use the Intune Management Extension to run scripts on Windows devices. The IME automatically installs when you assign a PowerShell script to a user or device, enabling advanced management capabilities.

Key Benefits

Extended Management: Configure settings not available through MDM
Automation: Automate complex configuration tasks
Customization: Perform custom device configurations
Flexibility: Run scripts in user or system context
Integration: Works with Win32 apps and other Intune features

For an overview, see Use PowerShell Scripts on Windows Devices in Intune.

Prerequisites

Before deploying PowerShell scripts:

Intune Subscription: Active Microsoft Intune license
Device Enrollment: Devices must be enrolled in Intune
Windows Version: Windows 10 version 1607 or later
Microsoft Entra Join: Devices must be Microsoft Entra joined or hybrid joined
Network Access: Devices need internet connectivity

For detailed requirements, see Intune Management Extension for Windows.

Creating PowerShell Scripts

Step 1: Prepare Your Script

Before uploading, ensure your script:

Is saved as .ps1 file
Is less than 200 KB (ASCII)
Uses proper error handling
Includes logging if needed
Is tested in your environment

Best Practices:

Use proper error handling (try-catch)
Include logging for troubleshooting
Test scripts thoroughly before deployment
Avoid hardcoded credentials
Use environment variables when possible

Step 2: Access Scripts

Sign in to the Microsoft Intune admin center
Navigate to Devices > Scripts and remediations > Platform scripts
Select Add > Windows 10 and later

Step 3: Configure Basics

Name: Enter descriptive name for the script
Description: Optional description of what the script does
Select Next

Step 4: Configure Script Settings

Script location: Browse and upload your .ps1 file
- Maximum file size: 200 KB (ASCII)
- Script must be valid PowerShell
Run this script using the logged on credentials:
- Yes (default): Run with user's credentials
- No: Run in system context
Enforce script signature check:
- Yes (default): Script must be signed by trusted publisher
- No: Allow unsigned scripts
Run script in 64-bit PowerShell host:
- Yes: Run in 64-bit PowerShell on 64-bit systems
- No (default): Run in 32-bit PowerShell host

Important:

Scripts set to user context with administrator rights run PowerShell by default under administrator privilege
Scripts timeout after 30 minutes
Scripts assigned to devices run for every new user that signs in

Select Next.

Step 5: Assign Scope Tags (Optional)

Select + Select scope tags
Choose scope tags to organize scripts
Select Next

Step 6: Assign to Groups

Select + Select groups to include
Choose user or device groups
Select Next

Note:

PowerShell scripts can be targeted to device or user security groups
For workplace joined (WPJ) devices, only device security groups work

Step 7: Review and Create

Review all settings
Select Add to save and deploy the script

For step-by-step guidance, see Use PowerShell Scripts on Windows Devices in Intune.

Script Execution Behavior

When Scripts Run

Scripts run:

When assigned to a device or user
When the script is changed and re-uploaded
After device reboot (IME checks for new scripts)
Not at every sign-in (only when assigned or changed)

Retry Behavior

If a script fails:

IME retries the script three times
Retries occur on next three consecutive check-ins
Check-ins typically occur every 8 hours

Execution Context

User Context:

Runs with logged-on user's credentials
Has access to user profile
Can interact with user session

System Context:

Runs with SYSTEM account
Has full system access
Cannot interact with user session

Best Practices

1. Script Design

Error Handling: Use try-catch blocks
Logging: Include logging for troubleshooting
Idempotency: Make scripts safe to run multiple times
Testing: Test thoroughly before deployment
Documentation: Include comments explaining script purpose

2. Security

Sign Scripts: Use code signing for production scripts
No Credentials: Never include passwords or secrets in scripts
Least Privilege: Use minimum required permissions
Validation: Validate inputs and outputs
Audit: Log security-relevant actions

3. Deployment

Pilot First: Deploy to small pilot group first
Monitor Results: Review script execution results
Gradual Rollout: Expand deployment gradually
Documentation: Document script purpose and behavior
Version Control: Track script versions

4. Performance

Efficiency: Optimize script performance
Timeouts: Keep execution under 30 minutes
Resources: Minimize resource usage
Network: Minimize network calls
Caching: Use caching when appropriate

Example Scripts

Example 1: Configure Registry Setting

# Configure a registry setting
try {
    $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
    $Name = "SettingName"
    $Value = "SettingValue"
    
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type String -Force
    
    Write-Output "Registry setting configured successfully"
    exit 0
}
catch {
    Write-Error "Failed to configure registry setting: $_"
    exit 1
}

Example 2: Install Software

# Install software silently
try {
    $InstallerPath = "C:\Temp\SoftwareInstaller.exe"
    $Arguments = "/S /V/qn"
    
    if (Test-Path $InstallerPath) {
        Start-Process -FilePath $InstallerPath -ArgumentList $Arguments -Wait -NoNewWindow
        Write-Output "Software installed successfully"
        exit 0
    }
    else {
        Write-Error "Installer not found"
        exit 1
    }
}
catch {
    Write-Error "Installation failed: $_"
    exit 1
}

Monitoring Script Execution

View Script Status

Go to Devices > Scripts and remediations > Platform scripts
Select a script
Review Device status and User status

Status Types

Succeeded: Script executed successfully
Failed: Script execution failed
Pending: Script not yet executed
Not applicable: Script doesn't apply to device

View Detailed Results

Select a script
Go to Device status or User status
Select a device to view detailed results
Review execution output and errors

Troubleshooting

Common Issues

Scripts Not Running
- Verify device enrollment
- Check IME installation
- Review script assignments
- Check device check-in status
- Review execution policy
Script Execution Fails
- Review script syntax
- Check error messages
- Verify file paths
- Test script manually
- Review IME logs
IME Not Installing
- Verify device enrollment
- Check network connectivity
- Review device requirements
- Check firewall settings

IME Logs

IME logs are located at:

%ProgramFiles(x86)%\Microsoft Intune Management Extension\Logs

Review logs for:

Script execution details
Error messages
Installation issues
Connectivity problems

For troubleshooting guidance, see Use PowerShell Scripts on Windows Devices in Intune.

Additional Resources

Conclusion

PowerShell scripts in Intune provide powerful capabilities for extending device management beyond standard MDM policies. By following these best practices:

✅ Design scripts with proper error handling and logging
✅ Test scripts thoroughly before deployment
✅ Use appropriate execution context
✅ Monitor script execution results
✅ Follow security best practices

You can automate complex device configurations and extend Intune's management capabilities to meet your organization's specific needs.

Remember: PowerShell scripts run with significant privileges. Always test scripts in a controlled environment, use code signing for production, and never include credentials or secrets in scripts.