In part 11 of the Keep it Simple with Intune series, I’ll be showing you how you can deploy a simple PowerShell script via Intune, which opens up a world of possibilities.
For this demo I am adding a registry key into the HKLM\Software location.
In the MEM Admin Center
As noted in Part 8, we’ve now switched over to using the Microsoft Endpoint Manager Admin Center which is available at the URL https://devicemanagement.portal.azure.com.
In the console, navigate to Devices\PowerShell scripts. Click the Add link to begin the process.
We now begin to work through the Add PowerShell script wizard. Start by adding a Name and an optional Description. Click Next.
Next, upload the .ps1 script from your local device: click the folder icon next to the Script location field and choose your PowerShell script.
Note the selections available to you:
- Run this script using the logged on credentials – the default is No, which runs the script in the system context; you may wish to switch this to run as the currently logged-on user instead.
- Enforce script signature check – the default is No, which means the script does not need to be signed. If we are to be security conscious then we should be running signed scripts; however, for my demo I am leaving this at the default.
- Run script in 64-bit PowerShell Host – the default is No, which runs the script in the 32-bit PowerShell host. For my demo I am setting a registry key, so I want it to run in the 64-bit host and have selected Yes.
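As an added example (not the script from the post), here is the kind of .ps1 you might upload for this demo. It creates a value under HKLM\Software, reports when it finds itself in a 32-bit host on 64-bit Windows (where HKLM\Software writes are redirected to Wow6432Node, which is why the 64-bit host option matters), verifies the write, and returns a non-zero exit code on failure so Intune reports the real outcome. The key path and value name are placeholders chosen for this example.

```powershell
# Added example, not the post's own script. Key path and value name are
# hypothetical; replace them with whatever your deployment needs.
$keyPath   = 'HKLM:\SOFTWARE\KeepItSimpleDemo'
$valueName = 'DeployedBy'
$valueData = 'Intune'

# In a 32-bit host on 64-bit Windows, writes to HKLM\Software are redirected to
# Wow6432Node, so the key does not land where you expect. This check surfaces
# that situation in the script output (and therefore in the IME logs).
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Output 'Running in a 32-bit host on 64-bit Windows; HKLM\Software writes will be redirected to Wow6432Node.'
}

try {
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -Value $valueData -PropertyType String -Force | Out-Null

    # Verify the write actually took effect rather than trusting the cmdlets.
    $actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
    if ($actual -ne $valueData) {
        Write-Error "Verification failed: expected '$valueData', found '$actual'."
        exit 1
    }

    Write-Output "Registry value $keyPath\$valueName set to '$valueData'."
    exit 0
}
catch {
    # A non-zero exit code is what makes Intune show the run as failed.
    Write-Error "Failed to set registry value: $($_.Exception.Message)"
    exit 1
}
```

Because Intune judges the run by the script's exit code, the explicit `exit 1` paths are what turn a silent failure into a visible one in the console.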
Click Next when all selections have been made.
Now we need to choose what devices or users we will assign the PowerShell script to. Click Select groups to include. I have chosen my Intune test devices. Click Select.
Our selected group/s will appear in the Selected groups section. Click Next.
The Review screen will allow us to ensure we have configured as required before clicking Add to finalise the wizard.
The completed configuration will appear in the console and be assigned out to our devices or users.
On the endpoints
The devices need to sync with Intune. This can be forced from the Settings app\Accounts\Access work or school and then choosing Info.
Next, scroll to the Device sync status section and click Sync.
The delivery of the PowerShell script is handled by the Intune Management Extension (IME). The IME writes its own log files to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs, and you can use CMTrace to view them.
I can see the commands in the PowerShell script being executed with the reference to the registry key I want to set.
And in the registry I can see the key is created.
It’s worth noting that you can’t edit the PowerShell script once it has been uploaded to the console. Keep a copy of your script in case you need to upload it again. Alternatively, my fellow MVP buddy Oliver Kieselbach (@okieselb) has a post explaining how you can recover those scripts; take a look here.
With the ability to deploy PowerShell scripts, you can tap into this powerful scripting language to do a plethora of activities on your endpoints.
Be sure to take a look at the other blog posts in the series:
- #1 Enable password reset for users
- #2 Push out your customised Start Menu
- #3 Disk Encryption
- #4 Deploying a Win32 app
- #5 Intune session from Charlotte Systems Management User Group
- #6 Configure OneDrive and KFR
- #7 Deploying the Edge Browser
- #8 Introduction to Device Restrictions
- #9 Manually enrolling a Windows 10 device into Intune
- #10 Applying App Protection
I see all the executions are showing “Successful” but it is not completed. Why?
You need to check your PS script. It may not actually do what you want it to, but Intune will report a success based on the exit code of the script. Make sure you check the script on a device manually to ensure it’s doing what you want it to do.
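As an added example (not from the post or the comment above), this is a check you can run manually on a test device, as the reply suggests, to confirm the deployed script actually did its job: it reads the expected registry value, looks for a redirected copy under Wow6432Node (which is where the value lands if the script ran in a 32-bit host), and searches the IME log folder named earlier in the post for lines mentioning the key. The key path, value name and expected data are the same hypothetical ones used for the demo script and should be adjusted to match yours.

```powershell
# Added example, not the post's own code. Key path, value name and expected
# data are hypothetical and must match whatever your deployed script writes.
$keyPath   = 'HKLM:\SOFTWARE\KeepItSimpleDemo'
$valueName = 'DeployedBy'
$expected  = 'Intune'
$logFolder = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

# 1. Check the intended end state on the device, not the console status.
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($actual -eq $expected) {
    Write-Output "OK: $keyPath\$valueName = '$actual'"
} else {
    Write-Output "MISSING or WRONG: $keyPath\$valueName = '$actual' (expected '$expected')"
}

# 2. Look under Wow6432Node as well; a copy there means the script ran in the
#    32-bit host and its HKLM\Software write was redirected.
$wowPath = $keyPath -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\'
if (Test-Path -Path $wowPath) {
    Write-Output "Note: a redirected copy exists at $wowPath (was the 64-bit host option left at No?)"
}

# 3. Pull the most recent IME log lines that mention the key, so you can see
#    what the Intune Management Extension recorded for this script run.
Get-ChildItem -Path $logFolder -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'KeepItSimpleDemo' |
    Select-Object -Last 10 |
    ForEach-Object { "$($_.Filename):$($_.LineNumber): $($_.Line)" }
```

If step 1 reports the value as missing while the console shows the run as successful, the script exited with 0 without doing its work, which is exactly the situation the comment describes.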