Keep it Simple with Intune – #11 Deploying a PowerShell script

In part 11 of the Keep it Simple with Intune series, I’ll be showing you how you can deploy a simple PowerShell script via Intune, which opens up a world of possibilities.

For this demo I am adding a registry key into the HKLM\Software location.

In the MEM Admin Center

As noted in Part 8, we’ve now switched over to using the Microsoft Endpoint Manager Admin Center which is available at the URL

In the console, navigate to Devices\PowerShell scripts. Click the Add link to begin the process.


We now begin to work through the Add Powershell script wizard. Start by adding in a Name and a optional Description. Click Next.


Next we must upload the ps1 script from your local device, simply click the folder icon next to the Script location field and choose your PowerShell script.

Note the selections available you:

  • Run this script using the logged on credentials – the default is No which runs the script in the system context, however you may wish to switch to run as the currently logged on user.
  • Enforce script signature check – The default is No which means that the script does not need to be signed. If we are to be security conscious then we should be running signed scripts, however for my demo I am leaving this as default.
  • Run script in 64-bit PowerShell Host – The default is No which runs in 32-bit PS host. For my demo I am setting a registry key so I want to run this in 64-bit PS host so I have selected Yes.

Click Next when all selections have been made.


Now we need to choose what devices or users we will assign the PowerShell script to. Click Select groups to include. I have chosen my Intune test devices. Click Select.


Our selected group/s will appear in the Selected groups section. Click Next.


The Review screen will allow us to ensure we have configured as required before clicking Add to finalise the wizard.


The completed configuration will appear in the console and be assigned out to our devices or users.


On the endpoints

The devices need to sync with Intune. This can be forced from the Settings app\Accounts\Access work or school and then choosing Info.

Next, scroll to the Device sync status section and click Sync.


The delivery of the PowerShell script is handled by the Intune Management Extension and the IME creates its own log files in the location C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and you can use CMTrace to view the logs.

I can see the commands in the PowerShell script being executed with the reference to the registry key I want to set.


And in the registry I can see the key is created.


It’s worth noting that you can’t edit the PowerShell script once uploaded to the console. Keep a copy of your script in case you need to upload again. Alternatively, you can take a look at a post by my fellow MVP buddy Oliver Kieselbach  (@okieselb) where he explains how you can recover those scripts take a look here.

With the ability to deploy PowerShell scripts, you can tap into this powerful scripting language to do a plethora of activities on your endpoints.

Be sure to take a look at the other blog posts in the series:


    1. You need to check your PS script. It may not actually do what you want it to but Intune will report a success based on the exit code of the script. Make sure you check the script on a device manually to ensure it’s doing what you want it to do.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s