2,093 questions
How to fix Intune platform scripts not running on fresh Windows 11 devices
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 14.000000000000002%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Jara Entren
35
Reputation points
Hey everyone,
I'm facing an issue where platform scripts don't execute on some fresh Windows 11 devices without any pattern.
Some things to say right away:
- No, I don't want to use Win32 apps or remediations. I shouldn't need to rely on a feature that's meant for other purposes or something that requires special licensing. All I need to do is run a simple PowerShell script once.
- Yes, I have tried everything suggested in Microsoft Learn articles such as reassigning the script, assigning the script to user and device (device only didn't work either), restarting IME. All these steps aren't viable to me since more than a single device is affected.
- No, there is no pattern to it which I could recognize.
My scripts run with 64-bit PowerShell, in system context, unsigned. This is not changeable in my situation. Everything else on the devices works fine (app installations, remediations, compliance policy, configuration profiles and much more). The devices are fresh from the factory on their OEM image and clients with the identical image work without issue. All users are licensed the same and sufficiently. I have waited for over a week for the scripts to run so time is not a factor here.
From what I know the scripts never appear in the logs. Making a new script and only assigning it to a user group with a single affected PC and user did make the new script run, but not the others. Replacing the script contents on the affected script didn't help either.
My Intune portal and Microsoft account is set to English so there should be no issue with the portal messing up on another language. My clients however are enrolled in German, I'm not aware of any issues regarding language incompatibility ever since the enroll account as standard user bug has been fixed.
Devices have been enrolled via Autopilot by having the hardware hash in our Intune.
I'm running out of ideas and this is making me lose my mind. Contacting Microsoft Support is out of scope for this issue too since I don't have the time to report the same logs 5 times just to be told that my issue is out of scope after 2 months. There must be a simple solution to this, which I may be missing.
Microsoft Security Intune Configuration
{count} votes
-
Rahul Jindal [MVP] 10,911 Reputation points MVP2025-05-19T13:42:23.4333333+00:00 If the script has already run successfully once, then it won't run again unless you change the name of the script itself (regardless of the content), which will bump up the policy. If the script is running in system context, then it is recommended to assign to a device based group.
-
Jara Entren 35 Reputation points
2025-05-19T13:54:42.8266667+00:00 @Rahul Jindal [MVP] My primary issue is, that the script never ran in the first place. Changing the name of the script instead of the content is a cool idea - and I will try this, but this won't fix the general issue of some devices not running any scripts at all for no apparent reason.
-
Rahul Jindal [MVP] 10,911 Reputation points MVP
2025-05-19T13:59:57.5966667+00:00 @Jara Entren what is the compliance status against the devices in question? Not applicable? Is the IME log throwing any errors?
-
Jara Entren 35 Reputation points
2025-05-19T14:04:14.53+00:00 @Rahul Jindal [MVP] Devices are compliant, logs from one affected device where I've checked with the test script doesn't have unexpected or weird looking errors.
-
Rahul Jindal [MVP] 10,911 Reputation points MVP
2025-05-19T14:09:06.02+00:00 @Jara Entren sorry, I meant to ask what is the compliance status against the script itself?
-
Jara Entren 35 Reputation points
2025-05-19T14:11:44.5033333+00:00 @Rahul Jindal [MVP] Do you mean the status of the scripts as shown in the screenshot
? All devices that it was able to apply to, it's "Succeeded". No other status.
-
Rahul Jindal [MVP] 10,911 Reputation points MVP
2025-05-19T14:16:01.51+00:00 If the status is reporting as compliant then the script is expected to run. Could it be a case of the script running, but not giving the desired result? Could you also check the agent executor log?
-
Jara Entren 35 Reputation points
2025-05-19T14:27:29.0266667+00:00 @Rahul Jindal [MVP] No, the affected clients do not show up on the individual device list. The script therefore didn't even run. I did check the AgentExecutor log and I can find some script errors but they are very vague:
<![LOG[PowerShell path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe]LOG]!><time="16:15:22.7281180" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[[Executor] created powershell with process id 22876]LOG]!><time="16:15:22.7551154" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[Powershell exit code is 0]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[length of out=2]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[length of error=2]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[error from script = ]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[Powershell script is successfully executed.]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> <![LOG[write output done. output = , error = ]LOG]!><time="16:15:23.6294348" date="5-13-2025" component="AgentExecutor" context="" type="1" thread="1" file=""> -
Rahul Jindal [MVP] 10,911 Reputation points MVP
2025-05-19T14:42:29.7033333+00:00 How long has it been since the script was assigned to the devices in question? According to the log you shared and regardless of the execution status, it does appear that the script ran. The compliance status of the PS scripts can take some time to reflect on Intune.
-
Jara Entren 35 Reputation points
2025-05-19T14:45:29.5566667+00:00 @Rahul Jindal [MVP] The script was assigned to the autopilot dynamic group, before the device was even enrolled. Device has been enrolled for over a month.
Sign in to comment
Sign in to answer