Use PowerShell to run scripts against Microsoft Intune


PowerShell scripts give you a way to perform custom configuration and remediation on managed Windows devices. This unit covers how Intune delivers those scripts through the Intune Management Extension, how execution is controlled on devices, and how you monitor deployment results.

How PowerShell scripts work in Intune

Intune uses the Intune Management Extension (IME) to deploy and run PowerShell scripts on Windows 10 and later devices. When a script is assigned to a device or user group, the IME downloads the script and executes it according to the policy settings.

Note

The Intune Management Extension is installed automatically on devices when a PowerShell script or supported Win32 app is assigned.

Prerequisites for script deployment

Scripts deployed through Intune require:

  • Windows 10 version 1607 or later.
  • Devices that are Microsoft Entra joined or Entra hybrid joined.
  • Enrollment in Microsoft Intune.
  • A script file that is under 200 KB in size.

Create and configure a PowerShell script deployment

Use the Intune admin center to add and deploy scripts:

  1. Go to Devices > Scripts and remediations.
  2. Select Add > Windows 10 and later.
  3. Provide a name and description for the script.
  4. Upload your .ps1 file.
  5. Choose the run context (the setting is labelled "Run this script using the logged on credentials"):
    • User (Yes): runs as the signed-in user, with that user's rights, profile and HKCU hive.
    • System (No): runs as NT AUTHORITY\SYSTEM, so the script has full local administrative access and no interactive user profile.
  6. Optionally enforce the script signature check, so the IME runs the script only if it is signed by a publisher the device trusts.
  7. Choose whether to run the script in a 64-bit PowerShell host. The default is the 32-bit host, which sees the WOW6432Node registry view and 32-bit module paths rather than the native 64-bit ones.
  8. Assign the script to user or device groups.

Tip

Use the system context for remediation or configuration tasks that require elevated privileges. Use user context for per-user settings such as profile adjustments or personalization. Remember that a system-context script is code executed as SYSTEM on every assigned device, so anyone who can create or assign scripts in the tenant effectively has local administrator rights on those devices; restrict that role accordingly and review script content before assignment.
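The same publish-and-assign procedure can be driven from PowerShell instead of the admin center. The following is an added example, not code from this unit or from Microsoft; it assumes the Microsoft.Graph.Authentication module is installed, that the caller holds the DeviceManagementConfiguration.ReadWrite.All scope, and that the beta deviceManagementScripts resource keeps the property names used here (runAsAccount, runAs32Bit, enforceSignatureCheck). The group ID and script path are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: publish a platform script and assign it to a group through Microsoft Graph.
# Assumes the beta deviceManagementScripts schema (runAsAccount, runAs32Bit, enforceSignatureCheck).

param(
    [Parameter(Mandatory)] [string] $ScriptPath,       # local .ps1 to upload
    [Parameter(Mandatory)] [string] $AssignToGroupId,  # Entra group object ID (placeholder)
    [string] $DisplayName,
    [ValidateSet('system', 'user')] [string] $RunAs = 'system',
    [switch] $Run64Bit,                                # maps to "Run script in 64 bit PowerShell Host"
    [switch] $RequireSignature                         # maps to "Enforce script signature check"
)

$file = Get-Item -LiteralPath $ScriptPath
if (-not $DisplayName) { $DisplayName = $file.BaseName }

# Mirror the portal's size limit before uploading.
if ($file.Length -ge 200KB) {
    throw "Script is $($file.Length) bytes; Intune accepts scripts under 200 KB."
}

# Least-privilege scope that covers creating scripts and assignments.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$body = @{
    '@odata.type'         = '#microsoft.graph.deviceManagementScript'
    displayName           = $DisplayName
    description           = "Uploaded $(Get-Date -Format s) from $($file.Name)"
    fileName              = $file.Name
    scriptContent         = [Convert]::ToBase64String([IO.File]::ReadAllBytes($file.FullName))
    runAsAccount          = $RunAs                    # 'system' or 'user'
    runAs32Bit            = -not $Run64Bit.IsPresent  # portal default is the 32-bit host
    enforceSignatureCheck = $RequireSignature.IsPresent
}

$script = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The assignment is what makes the IME on group members download and run the script.
$assignBody = @{
    deviceManagementScriptAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignToGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($script.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created script $($script.id) ('$DisplayName') and assigned it to group $AssignToGroupId"
```

Run it as `.\Publish-IntuneScript.ps1 -ScriptPath .\Fix-Autorun.ps1 -AssignToGroupId <group-id> -Run64Bit -RequireSignature` (the file name is illustrative). Because the upload is just the base64 of the file, sign the .ps1 before running this when `-RequireSignature` is used; otherwise the IME will refuse to execute it on the device.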

Execution behavior and scheduling

Intune PowerShell scripts follow a defined execution pattern:

  • Scripts run once by default after assignment.
  • The IME retries failed scripts up to three times.
  • Scripts do not rerun automatically unless the script content or assignment changes.
  • The IME checks for new or changed scripts every hour and after device reboot.
  • A script that is still running after 30 minutes is stopped and reported as failed.
  • PowerShell scripts are generally executed before Win32 app installations on the device.

Important

Make scripts idempotent when possible. If a script runs again during troubleshooting or reassignment, it should avoid causing duplicate changes or side effects.
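The following is an added example of a script body written for these rules, not a script from this unit or from Microsoft. It checks current state before changing anything so reruns and retries are harmless, relaunches itself in the 64-bit host when the IME started it in the 32-bit one (the Sysnative alias is the documented way for a 32-bit process to reach 64-bit binaries), verifies the change, and signals the outcome through its exit code. The registry value it sets (disabling AutoRun on all drive types), the log path and the exit-code convention are choices made for this example; it assumes the IME treats a non-zero exit code as a failed run.

```powershell
# Added example: an idempotent system-context configuration script for Intune.
# Assumes the IME reports a non-zero exit code as "Failed" and retries it.

# 1. If the IME started us in 32-bit PowerShell (the default when "Run script in
#    64-bit PowerShell host" is No), relaunch in the 64-bit host so we see the
#    native registry view and modules instead of the WOW6432Node view.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    $ps64 = "$env:WINDIR\Sysnative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE          # surface the 64-bit run's result to the IME
}

$ErrorActionPreference = 'Stop'
$LogPath = "$env:ProgramData\IntuneScripts\DisableAutorun.log"   # illustrative path
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log([string] $Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -LiteralPath $LogPath
}

# Desired state: AutoRun disabled for every drive type (NoDriveTypeAutoRun = 0xFF).
$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name  = 'NoDriveTypeAutoRun'
$Value = 0xFF

try {
    Write-Log ("Running as {0}, 64-bit process: {1}" -f `
        [Security.Principal.WindowsIdentity]::GetCurrent().Name, [Environment]::Is64BitProcess)

    # 2. Read current state first and only change what differs (idempotent).
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) {
        Write-Log "Already compliant ($Name=$current); nothing to do."
        exit 0
    }

    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    Write-Log "Set $Name from '$current' to $Value."

    # 3. Verify, so a silent failure is reported as a failure instead of success.
    $after = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($after -ne $Value) { throw "Verification failed: $Name is $after" }
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1    # non-zero: the IME records the run as failed and will retry
}
```

The structure (detect, change only if needed, verify, exit code) is the same one a remediation script pair uses, which makes it easy to move a script like this to Remediations later if the tenant is licensed for them.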

Monitor script deployment and results

Track script progress in the Intune admin center:

  • Review the run status for each assigned device or user.
  • Identify outcomes such as success, failed, or not applicable.
  • Use the IME logs on Windows devices for deeper diagnostics; the agent writes them under %ProgramData%\Microsoft\IntuneManagementExtension\Logs, with script activity in IntuneManagementExtension.log (a CMTrace-format log).
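For device-side triage, the following is an added example, not code from this unit or from Microsoft. It parses the CMTrace-style IME log for script-related entries and then lists the per-script result state the agent keeps in the registry. The log path is the standard IME log location; the registry layout (a Policies key holding one subkey per user GUID with one subkey per script GUID, carrying Result and ResultDetails values) is assumed from field experience rather than from this unit. The sample log lines are constructed so the parser can be exercised offline; their wording does not reproduce the real agent's messages.

```powershell
# Added example: local triage of Intune PowerShell script runs.
# The registry layout under Policies\<userGUID>\<scriptGUID> is an assumption.

function ConvertFrom-CMTraceLine {
    # CMTrace line: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    param([Parameter(ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -match '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"') {
            [pscustomobject]@{
                Timestamp = "$($Matches.date) $($Matches.time)"
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-ImeScriptEvents {
    param(
        [string[]] $Lines,
        [string] $Pattern = 'PowerShell|\.ps1|script'   # narrow to script activity
    )
    $Lines | ConvertFrom-CMTraceLine | Where-Object { $_.Message -match $Pattern }
}

# Constructed sample; real entries come from IntuneManagementExtension.log.
$sample = @(
    '<![LOG[[PowerShell] Starting script 1b2c3d4e-0000-4000-8000-000000000001 in system context]LOG]!><time="10:01:02.123+000" date="03-04-2024" component="IntuneManagementExtension" context="" type="1" thread="8" file="">',
    '<![LOG[[PowerShell] Script 1b2c3d4e-0000-4000-8000-000000000001 finished, exit code 0]LOG]!><time="10:01:09.456+000" date="03-04-2024" component="IntuneManagementExtension" context="" type="1" thread="8" file="">',
    '<![LOG[[PowerShell] Script 1b2c3d4e-0000-4000-8000-000000000002 finished, exit code 1, will retry]LOG]!><time="11:01:09.456+000" date="03-04-2024" component="IntuneManagementExtension" context="" type="3" thread="8" file="">'
)

$logPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
$lines = if (Test-Path $logPath) { Get-Content -LiteralPath $logPath -Tail 2000 } else { $sample }

Get-ImeScriptEvents -Lines $lines | Format-Table Timestamp, Severity, Message -AutoSize

# Per-script result state (assumed layout). Deleting a script's key makes the IME
# run that script again at the next check-in, the usual way to force a rerun.
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
if (Test-Path $policyRoot) {
    Get-ChildItem -Path $policyRoot | ForEach-Object {
        $user = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ User = $user; Script = $_.PSChildName; Result = $p.Result; Details = $p.ResultDetails }
        }
    } | Format-Table -AutoSize
}
```

Run it in an elevated session on the device; the log is readable without elevation, but the Policies key and any state written by system-context scripts generally are not. Against the constructed sample, the third event shows as Error because its CMTrace type is 3, which is the field to filter on when scanning a large log for failed runs.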

Best practices for Intune PowerShell scripts

  • Avoid storing sensitive data in scripts. Script content is delivered to every assigned device and is recoverable by a local administrator there, so an embedded credential is exposed to all of those devices.
  • Use secure storage such as Azure Key Vault for secrets, and plan how the device authenticates to it; a Key Vault reference is only as strong as the identity the script uses to retrieve it.
  • Version-control script content and maintain clear naming.
  • Keep scripts small and modular to simplify maintenance.
  • Prefer remediation scripts for recurring repair tasks when your tenant supports them.