8,330 questions
Hi,
do you have the script for me?
it is important that you have an output at the end of the script, e.g.
Write-Host "ok"
Exit 0
Powershell script pushed from Intune>Scripts and Remediations "Failed" with no error code
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 47%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Dustin H
0
Reputation points
Hello, we have a simple Powershell script to disable SMBv1 that we are pushing to a test Windows 10 device via assignment group. Intune shows that the script has a status of "Failed" with no error code or other detail. Same outcome after rebuilding the script and trying again.
When running the same script as a PS1 file on the device locally, the script runs without issue.
What are the most probable causes of the "Failed" status and the best ways to troubleshoot?
Windows for business Windows Server User experience PowerShell
Microsoft Security Intune Other
5,569 questions
{count} votes
-
Dustin H 0 Reputation points
2024-03-25T14:19:44.9133333+00:00 Thanks for the responses. Current code is below. Note this is running as a Platform Script in Intune, not a Remediation script, so I am not using a separate detection script. We will target known affected devices via an assignment group.
This action requires admin access and logged-on users will not be admins, so "run this script using the logged on credentials" is disabled. This also should be a silent action with no output to the user ideally.
try { # Disable SMBv1 Protocol silently Set-SmbServerConfiguration -EnableSMB1Protocol $false -ErrorAction SilentlyContinue > $null } catch { }Settings:
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
-
MotoX80 36,291 Reputation points2024-03-25T18:01:33.11+00:00 The whole idea of using a try/catch block is to catch errors and then perform some action to either correct the error or to notify someone that an error occurred. Not only do you not do anything in your catch block, you suppress the output of the Set-SmbServerConfiguration cmdlet by piping it's output to $null. So if Intune does capture the output of your script, there won't be anything there, because you suppressed everything.
Do it like this and then review the content of the log file.
start-transcript -Path C:\Windows\temp\SmbConfig.log Set-SmbServerConfiguration -EnableSMB1Protocol $false stop-transcriptI would think that you need to run the script in the 64 bit version of Powershell.
Sign in to comment
4 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 19%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Dominik Hasenkopf 5 Reputation points2024-03-24T15:15:01.7966667+00:00 -
MotoX80 36,291 Reputation points
2024-03-24T23:39:52.85+00:00 I do not have any Intune experience, but I would hope that any tool like that could capture the output of the script that you are running. Look for that first.
When running PS scripts the first place to check is the execution policy.
https://www.bing.com/search?pglt=41&q=powershell+execution+policy
If you can't set the policy, add "-executionpolicy bypass" as a command line switch to the PS command.
What account is the script running as? The system account? Some user account? Is the user a member of the administrators group?
In your .ps1 file, add a transcript.
If the transcript file does not get created then Intune must not be running the script. Check its logs.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Crystal-MSFT 53,981 Reputation points Microsoft External Staff2024-03-25T02:14:27.5266667+00:00 @Dustin H, Thanks for posting in Q&A. From your description, I know the Remediation script to disable SMBv1 is failed.
Firstly, please ensure we met the script requirements.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/remediations#script-requirements
Secondly, please check what we set for the following settings. Make sure the credential we run the script has enough permission. Meanwhile, please let us know which account you are using to test. Is it a local admin?
Run this script using the logged-on credentials:
Enforce script signature check
Run script in 64-bit PowerShell
As the Intune Management Extension is response to get the script and tun them. Please ensure the Microsoft Intune Management Extension service is running and check the Intunemanagementextension.log and AgentExcution.log under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs to see if there's any finding.
Note: non-Microsoft link, just for the reference.
Meanwhile, you can also add your own logging via the start-transcript functionality to troubleshoot the issue if you are familiar with it.
https://andrewstaylor.com/2022/04/12/proactive-remediations-101-intunes-hidden-secret/
Note: non-Microsoft link, just for the reference.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-