PowerShell Scripts
Deploy and manage PowerShell scripts to Windows devices through Intune. Run custom scripts for configuration, remediation, and automation tasks that go beyond standard policy settings.
Note: Platform scripts run once or on a schedule. For ongoing detection and remediation, use Proactive Remediations (Endpoint Analytics), which continuously monitor for and fix issues.
Script Library
| Column | Description |
|---|---|
| Name | Script display name |
| Platform | Windows, macOS, or Linux |
| Run As | System or Logged-on User |
| Assigned Groups | Target device groups |
| Last Modified | When script was last updated |
| Status | Success, Failed, Pending counts |
Script Types
PowerShell Scripts (Windows)
Full PowerShell scripting capability. Can run as System or logged-on user. Supports 64-bit and 32-bit execution contexts.
File format: .ps1 files
Shell Scripts (macOS)
Bash/Zsh scripts for macOS device configuration. Run as root or as the current user. Can require a specific shell.
File format: .sh files
Creating a Script
1. Basic Information
- Name — Descriptive name for the script
- Description — What the script does
- Platform — Windows or macOS
2. Script Content
- Upload script file or paste content
- Script must be UTF-8 encoded
- Maximum size: 200 KB
3. Execution Settings
- Run in 64-bit PowerShell — Use 64-bit host
- Run as logged-on user — Run in the logged-on user's context instead of the System account
- Enforce script signature check — Require signed scripts
- Run in 64-bit host on 64-bit client — Architecture override
4. Scope and Assignments
- Add include groups (required)
- Add exclude groups (optional)
- Filter by device properties
Execution Context
Run as System
- Full local admin privileges
- Can modify system settings
- Can install software
- Runs even when no user is logged in
- No access to user profile or HKCU
Run as Logged-On User
- User’s security context
- Access to user profile
- Access to HKCU registry
- User must be logged in
- Limited based on user permissions
Common Use Cases
Configuration
- Set registry values not exposed in policies
- Configure application settings
- Customize Windows features
- Set power management options
Software Deployment
- Install software via winget or chocolatey
- Download and install from URL
- Configure installed applications
- Remove unwanted software
Security Hardening
- Disable legacy protocols (SMBv1, TLS 1.0)
- Configure Windows firewall rules
- Harden OS settings
- Remove local admin rights
Troubleshooting
- Collect diagnostic information
- Reset network settings
- Clear application caches
- Repair Windows components
Script Monitoring
Device Status
View the execution status per device: Success, Failed, Pending, or Not Applicable. Drill into a device to see error details.
Exit Codes
Scripts should return exit code 0 for success and a non-zero exit code for failure. The exit code is visible in the device status details.
Output Logging
Script output (stdout/stderr) is logged on the device. Review it in the Intune device details or collect it via diagnostic collection.
Best Practices
- Include error handling — Use try/catch blocks and meaningful exit codes for troubleshooting.
- Add logging — Write to Event Log or log file for debugging. Include timestamps.
- Test locally first — Validate scripts on test devices before deploying to production.
- Avoid hardcoded credentials — Never embed passwords or secrets in scripts. Use secure methods.
- Keep scripts focused — One script per task. Easier to troubleshoot and maintain.
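The following script is an added example (not code from this page or from Intune) showing the practices above applied to one hardening task listed earlier, disabling SMBv1: a timestamped log file, try/catch, an idempotent check before changing anything, and a meaningful exit code. It assumes the script runs as System with the "Run in 64-bit PowerShell" option enabled; the log path and the exit-code values 1 and 2 are conventions chosen for this example.

```powershell
# Added example: disable the SMBv1 server protocol with logging and exit codes.
# Assumes Run as System. Log path is a hypothetical choice for this example.
$LogPath  = 'C:\ProgramData\IntuneScripts\Disable-SMBv1.log'
$ExitCode = 0

function Write-Log {
    param([string]$Message, [string]$Level = 'INFO')
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Output $line   # stdout is also captured in the Intune device details
}

try {
    # Record the host context so a 32-bit or wrong-user run is obvious in the log.
    Write-Log ('Is64BitProcess={0} User={1}' -f [Environment]::Is64BitProcess, $env:USERNAME)

    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    if (-not $cfg.EnableSMB1Protocol) {
        # Idempotent: nothing to change, report success without touching the system.
        Write-Log 'SMBv1 server protocol already disabled; nothing to do.'
    }
    else {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
        # Verify the change took effect instead of trusting the cmdlet's silence.
        $after = Get-SmbServerConfiguration -ErrorAction Stop
        if ($after.EnableSMB1Protocol) {
            Write-Log 'SMBv1 still enabled after change; treating as failure.' 'ERROR'
            $ExitCode = 2   # example convention: change applied but verification failed
        }
        else {
            Write-Log 'SMBv1 server protocol disabled successfully.'
        }
    }
}
catch {
    # Any terminating error ends up here with its message preserved for troubleshooting.
    Write-Log ('Failed: {0}' -f $_.Exception.Message) 'ERROR'
    $ExitCode = 1   # example convention: unexpected error
}

exit $ExitCode
```

Because the exit code is set in one place and returned at the end, a Failed status in the script monitoring view maps directly to a single line in the log file.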
API Reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/devices/scripts | List all device scripts |
| POST | /api/devices/scripts | Create new script |
| GET | /api/devices/scripts/:id/status | Get script execution status |
| PUT | /api/devices/scripts/:id/assignments | Update script assignments |
| DELETE | /api/devices/scripts/:id | Delete script |