PowerShell scripts can be deployed through GPO or manually with commands like Enter-PSSession and Invoke-Command.
If you have Intune in your environment, or a customer you support has it, you can also deploy a PowerShell script from Intune.
Today I will describe step by step how to use Intune to deploy a PowerShell script to devices that are not in your internal network and can't be reached with a GPO or another method.
Prerequisites
Before starting to deploy a PowerShell script from Intune, let's go through a few prerequisites that must be met.
- Windows 10 version 1607 and later.
- Devices must be Azure AD registered, Hybrid Join, or Workplace joined.
- Devices must be enrolled in Intune.
- Device System clock must be synchronized.
How long does it take a policy to apply
IT administrators often ask how long it takes a policy to apply to a user or a device.
When a new policy is assigned to a device, Intune immediately notifies the device to check in and receive the new policies or updates.
The tables below give more details on the scheduled refresh cycle per device.
Device | Refresh Cycle |
---|---|
Windows 10/11 PCs enrolled as devices | About every 8 hours |
Windows 8.1 | About every 8 hours |
iOS/iPadOS | About every 8 hours |
macOS | About every 8 hours |
Android | About every 8 hours |
If the devices have recently enrolled, the compliance/non-compliance check runs on a more frequent refresh cycle:
Device | Refresh Cycle |
---|---|
Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours |
macOS | Every 15 minutes for 1 hour, and then around every 8 hours |
Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
The above tables are from Microsoft Docs.
If you need more details regarding the refresh cycles of policies, see "Common questions and answers with device policies and profiles in Microsoft Intune".
Now that you have read the above details, let's start!
Deploy the PowerShell Script from Intune
- Open the Microsoft Endpoint Manager Admin Center.
- Click on Devices.
- Click on Scripts.
- Click Add and select Windows 10 and later.
- Type a name that will let you recognize the script's purpose in the future and click Next.
- Upload the PowerShell script.
- For your first use, change only the "Run this script using the logged-on credentials" option to Yes.
- Once you have more experience you can experiment with the other options as well. Click Next.
- In the Assignment step, note that only AD Groups with user members can be assigned.
- If you don't have any, create the appropriate AD Groups and sync them with Azure Active Directory so that they are available here.
- Check that all the settings are correct and click Add.
Monitoring the Status of the Deployment
We have deployed the PowerShell script to the devices. How can we verify that the PowerShell script has been applied without errors?
There are different ways to see the status and identify any errors that might have occurred during the deployment.
Monitoring the Deployment from Intune
One way to monitor the deployment of the PowerShell script is from the Intune portal.
Let's see how to use it.
- Go again to Devices - Scripts.
- Then click on the script and you will see the status under Device and Users.
- Hmm, it seems that the script hasn't been applied to the device yet.
- Because I used a test user, the problem was that the user didn't have a license.
- So until the problem was identified, it took time and the PowerShell script couldn't be deployed.
Monitoring the Deployment from IntuneManagementExtension Logs
Besides the Intune console, you can use the logs of the Intune Management Extension.
From the logs, you can understand what kind of error occurred during the deployment.
They are very helpful while troubleshooting.
- Go to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
- Open and read the log file IntuneManagementExtension.log.
- From here you will understand why the PowerShell script hasn't been deployed to the devices.
- In this log file everything looks good.
- Other log entries require research to understand the source of the problem.
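To avoid reading the whole log by eye, the following added example (not part of the original post and not Microsoft's code) pulls only the warning and error entries out of IntuneManagementExtension.log. The function name Get-ImeLogEntry is hypothetical, and the code assumes the log uses the CMTrace line layout shown in the comment; the sample lines are constructed so it also runs on a machine without the log.

```powershell
# Added example: list warnings and errors from IntuneManagementExtension.log.
# Assumption: each entry uses the CMTrace layout
#   <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# where type 1 = information, 2 = warning, 3 = error.
function Get-ImeLogEntry {
    param(
        [string[]]$Line,
        [ValidateSet('Information', 'Warning', 'Error')]
        [string[]]$Severity = @('Warning', 'Error')
    )
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    $names   = @{ '1' = 'Information'; '2' = 'Warning'; '3' = 'Error' }
    # A message can span several lines, so match against the joined text.
    $text = $Line -join "`n"
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $sev = $names[$m.Groups['type'].Value]
        if ($sev -in $Severity) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Severity  = $sev
                Component = $m.Groups['comp'].Value
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    }
}

$logPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
if (Test-Path -LiteralPath $logPath) {
    $lines = Get-Content -LiteralPath $logPath
} else {
    # Constructed sample lines (not real log output) so the example runs offline.
    $lines = @(
        '<![LOG[Sample: agent checked in for policy]LOG]!><time="10:15:02.1234567" date="1-10-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
        '<![LOG[Sample: script policy returned no result]LOG]!><time="10:15:04.2345678" date="1-10-2024" component="IntuneManagementExtension" context="" type="2" thread="5" file="">'
        '<![LOG[Sample: script execution failed'
        'with a multi-line message]LOG]!><time="10:15:09.3456789" date="1-10-2024" component="IntuneManagementExtension" context="" type="3" thread="7" file="">'
    )
}

Get-ImeLogEntry -Line $lines | Format-Table -AutoSize -Wrap
```

Pass -Severity Information, Warning, Error to list every entry instead of only the warnings and errors.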
Deploying the PowerShell script is not difficult. The most difficult part is troubleshooting the problem when the PowerShell script can't be deployed to the devices that you need.
I hope this helps you understand how you can use Intune when you need to deploy a PowerShell script on devices outside of your internal network.