Use the Microsoft Intune management extension to upload PowerShell scripts in Intune. Then, run these scripts on Windows 10 devices. The management extension enhances Windows device management (MDM), and makes it easier to move to modern management.

This feature applies to:

  • Windows 10 and later (excluding Windows 10 Home)

Before you begin

  • When scripts are set to user context and the end user has administrator rights, by default, the PowerShell script runs under the administrator privilege.
  • End users aren’t required to sign in to the device to execute PowerShell scripts.
  • The Intune management extension agent checks after every reboot for any new scripts or changes. After you assign the policy to the Microsoft Entra groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn’t execute again unless there’s a change in the script or policy. If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-ins.
  • For shared devices, the PowerShell script will run for every new user that signs in.
  • PowerShell scripts are executed before Win32 apps run. In other words, PowerShell scripts execute first. Then, Win32 apps execute.
  • PowerShell scripts time out after 30 minutes.

Create a script policy and assign it

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Scripts > Add > Windows 10 and later.
  3. In Basics, enter the following properties, and select Next:
    • Name: Enter a name for the PowerShell script.
    • Description: Enter a description for the PowerShell script. This setting is optional, but recommended.
  4. In Script settings, enter the following properties, and select Next:
    • Script location: Browse to the PowerShell script. The script must be less than 200 KB (ASCII).
    • Run this script using the logged on credentials: Select Yes (default) to run the script with the user’s credentials on the device. Choose No to run the script in the system context. Many administrators choose Yes. If the script is required to run in the system context, choose No.
    • Enforce script signature check: Select Yes (default) if the script must be signed by a trusted publisher. Select No if there isn’t a requirement for the script to be signed.
    • Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client architecture. Select No (default) to run the script in a 32-bit PowerShell host. When setting Yes or No, use the following table for new and existing policy behavior:
  5. Select Scope tags. Scope tags are optional. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT. To add a scope tag:
    1. Choose Select scope tags > select an existing scope tag from the list > Select.
    2. When finished, select Next.
  6. Select Assignments > Select groups to include. An existing list of Microsoft Entra groups is shown.
    • Select one or more groups that include the users whose devices receive the script, and choose Select. The groups you chose are shown in the list and will receive your policy.
  7. Select Next.
  8. In Review + add, a summary of the settings you configured is shown. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
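As an added example (not code from the Microsoft documentation), the following PowerShell function checks a script file against the two constraints the Script settings step states before you upload it: the file must be less than 200 KB, and when Enforce script signature check is Yes it must carry a valid Authenticode signature from a publisher trusted on the device. The function name, parameter names and the sample path are assumptions, not Intune identifiers.

```powershell
# Added example, not part of the Microsoft Intune documentation.
# Pre-upload check for a .ps1 destined for Devices > Scripts.
# Function and parameter names are the author's own (hypothetical).
function Test-IntuneScriptReady {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # $true when the policy's "Enforce script signature check" is Yes (the default).
        [bool] $RequireSignature = $true,
        # Limit stated on the page: the script must be less than 200 KB.
        [long] $MaxBytes = 200KB
    )

    $problems = @()
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    if ($file.Extension -ne '.ps1') {
        $problems += "Not a .ps1 file: $($file.Name)"
    }

    # Size constraint from the Script location setting.
    if ($file.Length -ge $MaxBytes) {
        $problems += ('Script is {0:N0} bytes; Intune requires less than {1:N0} bytes.' -f $file.Length, $MaxBytes)
    }

    # Get-AuthenticodeSignature reports 'Valid' only when the signature verifies
    # and the signing chain is trusted on the machine running this check, so run
    # it where the same publisher trust exists as on the target devices.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($RequireSignature -and $sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)'; the policy requires a trusted-publisher signature."
    }

    [pscustomobject]@{
        Script          = $file.FullName
        SizeBytes       = $file.Length
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Ready           = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

# Usage (placeholder path; Ready is $false and Problems explains why when a check fails):
# Test-IntuneScriptReady -Path 'C:\Scripts\Set-Baseline.ps1' -RequireSignature $true
```

Pass -RequireSignature $false only when the policy's Enforce script signature check is set to No; the size check still applies.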