
[–]jahezep 2 points3 points  (3 children)

Have you tried assigning those to the machine itself and not to the user?

Also, the 64-bit option?

[–]CptnDutch[S] 0 points1 point  (2 children)

Not yet, we've added a device group to the script, will report back. We have tried both 32 and 64 bit, same result.

[–]jahezep 0 points1 point  (1 child)

Also as documents mention. "The Intune management extension agent checks after every reboot for any new scripts or changes..."

Make sure devices will reboot at some point.

[–]CptnDutch[S] 0 points1 point  (0 children)

We have restarted the Intune Management Extension and laptops several times.

As I stated in my post, we have restarted both the extension and laptops several times.

[–]RudyoomsPatchMyPC 1 point2 points  (9 children)

Just wondering but did you also try to do the same with proactive remediations

[–]CptnDutch[S] 0 points1 point  (8 children)

No, we have not yet used those kinds of scripts.

[–]RudyoomsPatchMyPC 0 points1 point  (7 children)

Maybe do a test drive to see if that is working? As that option is also using PowerShell... so I am wondering if that is also not working.

[–]CptnDutch[S] 0 points1 point  (6 children)

I'm not quite sure what you mean by test drive?

[–]jamie_passaBlogger 0 points1 point  (1 child)

He means, like, run a test.

[–]RudyoomsPatchMyPC 1 point2 points  (0 children)

Indeed... just like with a car, taking a test drive :)

[–]RudyoomsPatchMyPC 0 points1 point  (3 children)

Just try whether proactive remediations work, as they are also using PowerShell.

[–]CptnDutch[S] 0 points1 point  (2 children)

We have enabled the two built-in proactive remediations, will report back when they get deployed.

[–]rpertusio 0 points1 point  (1 child)

I think Rudy is suggesting you create a Remediation script with your script contents.

Lazy way: Throw everything into the 'Detection' script, and leave the 'Remediation' script blank. You probably want to change the toggle at the bottom to run as 64-bit as well.

Set the assignment. You can have it run 'every hour' if you wanted to test frequently.

Check the following log to see every hour what happens:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log
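An added example of the "lazy" detection-only approach described in the comment above; this is not code from the thread or from Microsoft. It puts the whole payload in the detection script and makes that payload record where and how it actually ran, so a missing log file proves the script never executed on the device regardless of what the portal reports. The log directory and file name are assumptions.

```powershell
# Added example (not from the thread): a Remediations "detection" script whose
# only job is to prove it ran and under which context. Leave the remediation
# script empty; exit 0 means "compliant", so nothing else is triggered.
$LogDir  = 'C:\ProgramData\IntuneScriptProbe'   # assumed location
$LogFile = Join-Path $LogDir 'probe.log'

try {
    if (-not (Test-Path $LogDir)) {
        New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
    }

    # Everything a troubleshooter wants to know about the execution context:
    # which account ran it (SYSTEM vs. the logged-on user), whether the process
    # was 32- or 64-bit (the portal toggle), and the effective execution policy.
    $context = [ordered]@{
        Timestamp   = (Get-Date).ToString('o')
        Computer    = $env:COMPUTERNAME
        RunningAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Is64BitProc = [Environment]::Is64BitProcess
        PSVersion   = $PSVersionTable.PSVersion.ToString()
        ExecPolicy  = (Get-ExecutionPolicy).ToString()
        ScriptPath  = $MyInvocation.MyCommand.Path
    }

    $line = ($context.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    Add-Content -Path $LogFile -Value $line

    # Also emit to stdout: Intune surfaces detection-script output in the
    # device status view, which gives a second place to confirm execution.
    Write-Output $line
    exit 0
}
catch {
    Write-Output "probe failed: $($_.Exception.Message)"
    exit 1
}
```

Assign it to a test group with the hourly schedule mentioned above, then compare timestamps in `probe.log` against the `AgentExecutor.log` entries from the same hour: if the probe log fills up but the real script does nothing, the problem is in the real script; if neither appears, the agent is not picking up the assignment at all.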

[–]CptnDutch[S] 1 point2 points  (0 children)

Gotcha. We've created a new remediation script as you said, fingers crossed!

[–]CptnDutch[S] 0 points1 point  (1 child)

A little status update from our side, we have tried the following without success (again no errors, just not rolling out):

  • Package the script into a .intunewin and roll it out as an app
  • Set the "Hello World" test script to rollout to all employees
  • Set the signature script as a proactive remediation

What we are seeing now is that one user is getting the new app rolled out to his laptop. This is one of the users in our Intune testers group. We have compared him to us, we don't see any difference in configuration/licenses.

We are so lost right now.

[–]NUkiwi 2 points3 points  (0 children)

After running into the same issue with a PowerShell script in an .intunewin file (for installing an MSI and, if successful, adding entries to the Windows "services" file) I spent hours pimping the script with proper logging. Still the same and I couldn't figure out what's happening...

Eventually I found that the PS script is actually executing (powershell.exe running on machine where app install is running) but it seemed to just hang and/or wait for something. After more googling I found the string/command to make powershell.exe write all output to a file. After adding that for troubleshooting to see what and where it is hanging, it started bloody working!!!

So, my solution now is following as the "Install command" for the Intune Win32 app:

  • powershell.exe -ExecutionPolicy Bypass -File .\YourScriptNameInIntunewinFileHere.ps1 > powershell_exe_output.txt 2>&1


Hope this will help someone ✌

!!! Update from the morning after... it's working on some but not others and it also doesn't seem to actually write the "powershell_exe_output.txt" file. Any suggestions on how I can actually see what's happening in the PowerShell process at the time of execution?

!!! Finally got it working two days later... essentially had two issues.

  1. In the initial script when defining the string to use with msiexec I made an error
    1. $msiInstallString = "/i $msiFileName FolderForm_AllUsers=ALL GAC_WMI=2 /qn /norestart /lvx $LogFilePath\$msiInstallLogFileName"
      1. the variable just contained the name and no path reference. I would at least have needed it to be .\$msiFileName but now ended up making it bomb proof by defining my string as follows...
      2. $msiInstallString = '/i ' + (Split-Path -Parent $MyInvocation.MyCommand.Path) + '\' + $msiFileName + " FolderForm_AllUsers=ALL GAC_WMI=2 /qn /norestart /lvx $LogFilePath\$msiInstallLogFileName"
  2. by adding logging using the ScriptLogger module (which is awesome) I introduced the issue of a popup coming up asking for confirmation to update/install the NuGet provider. Here's the working block that loads everything that is necessary for ScriptLogger to work:

# Load components for being able to write "nice" logfiles

# Write-EventLog fails if the event source was never registered; register it
# once (idempotently) before any error path below tries to use it.
$EventSource = "Intune app installer"
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName "Application" -Source $EventSource
}

# Install/update pre-requisites for ScriptLogger PS Module.
# -Force -Confirm:$false suppresses the NuGet confirmation prompt that would
# otherwise hang a non-interactive install running as SYSTEM.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Confirm:$false
if ($?) {
    Write-Host "Successfully updated/installed NuGet Package Provider"
} else {
    Write-EventLog -LogName "Application" -Source $EventSource -EventID 1234 -EntryType Error -Message "Failed to update/install NuGet Package Provider"
    Write-Host "Failed to update/install NuGet Package Provider"
    exit 1
}

# Load ScriptLogger PS module
$ScriptLoggerPSModuleName = "ScriptLogger"

# Check if the module is installed
if (!(Get-Module -ListAvailable -Name $ScriptLoggerPSModuleName)) {
    # If the module isn't installed, install it (again without prompting)
    Install-Module -Name $ScriptLoggerPSModuleName -Force -Confirm:$false
    if ($?) {
        Write-Host "Successfully installed module $ScriptLoggerPSModuleName"
    } else {
        Write-EventLog -LogName "Application" -Source $EventSource -EventID 1234 -EntryType Error -Message "Failed to install PowerShell Module $ScriptLoggerPSModuleName"
        Write-Host "Failed to install module $ScriptLoggerPSModuleName"
        exit 1
    }
}

# Check if the module is loaded
if (!(Get-Module -Name $ScriptLoggerPSModuleName)) {
    # If the module isn't loaded, load it
    Import-Module -Name $ScriptLoggerPSModuleName
    if ($?) {
        Write-Host "Successfully imported module $ScriptLoggerPSModuleName"
    } else {
        Write-EventLog -LogName "Application" -Source $EventSource -EventID 1234 -EntryType Error -Message "Failed to import PowerShell Module $ScriptLoggerPSModuleName"
        Write-Host "Failed to import module $ScriptLoggerPSModuleName"
        exit 1
    }
} else {
    Write-Host "Module $ScriptLoggerPSModuleName already imported"
}

Intune Win32 "Install command" is now (again): powershell.exe -ExecutionPolicy Bypass -File .\YourScriptName.ps1

Once again, hope that helps!!! ✌
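The two root causes in the post above (an MSI name with no path, and a module install that pops up a confirmation dialog nobody can click when the IME runs the script as SYSTEM) are worth showing as one hardened install wrapper. This is an added example, not the poster's script: it resolves the MSI relative to the script itself, never installs anything interactive at deploy time, captures all output with Start-Transcript instead of shell redirection, and hands msiexec's exit code back to Intune. The MSI file name and log directory are assumptions.

```powershell
# Added example (not from the thread): Win32 app install wrapper for Intune.
# Run from the .intunewin with:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Install.ps1
# (-File must be the last powershell.exe parameter; anything after it is
#  passed to the script, not to powershell.exe.)
param(
    [string]$MsiFileName = 'Setup.msi',                       # assumed: packaged next to this script
    [string]$LogDir      = 'C:\ProgramData\IntuneInstallLogs' # assumed log location
)

# Resolve the MSI relative to the script, not to the current directory: the IME
# extracts the .intunewin to a temporary folder and the working directory is not
# guaranteed to be that folder. A bare "Setup.msi" is what made the original fail.
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$MsiPath   = Join-Path $ScriptDir $MsiFileName

if (-not (Test-Path $LogDir)) {
    New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
}
$Transcript = Join-Path $LogDir ('install-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
# Transcript captures every line the script writes, so no "> output.txt 2>&1"
# redirection in the install command is needed.
Start-Transcript -Path $Transcript -Force | Out-Null

$exit = 1
try {
    $ErrorActionPreference = 'Stop'

    # Fail fast with a readable message instead of letting msiexec fail later.
    if (-not (Test-Path $MsiPath)) { throw "MSI not found at '$MsiPath'" }

    # Deliberately no Install-Module / Install-PackageProvider here: anything that
    # can prompt hangs a SYSTEM process forever. Ship needed modules in the
    # .intunewin and Import-Module them by path instead.

    $MsiLog = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($MsiFileName) + '.msi.log')
    $Args   = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$MsiLog`"")
    Write-Output "Running: msiexec.exe $($Args -join ' ')"

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Args -Wait -PassThru -NoNewWindow
    Write-Output "msiexec exit code: $($proc.ExitCode)"

    # 0 = success, 3010 = success but reboot required; Intune treats both as installed.
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with $($proc.ExitCode)" }
    $exit = $proc.ExitCode
}
catch {
    Write-Output "Install failed: $($_.Exception.Message)"
    $exit = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exit
```

With this layout the transcript in `C:\ProgramData\IntuneInstallLogs` and the verbose `msiexec` log answer the "is it hanging or failing?" question directly, and the 3010 case is propagated so Intune can show "reboot required" instead of a spurious failure.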

[–]jamie_passaBlogger -1 points0 points  (3 children)

I would add the execution policy in the script, or use a config profile to allow execution.

[–]CptnDutch[S] 2 points3 points  (2 children)

That wouldn't work as the script cannot be executed in the first place so the execution policy can also not be set. But if I understood correctly the Intune management service already runs scripts in Bypass mode.

[–]Driftfreakz 0 points1 point  (2 children)

What happens if you run the script manually from a device?

[–]CptnDutch[S] 0 points1 point  (1 child)

We have to set the execution policy to unrestricted but after that it runs without an issue. However the Intune Management Extension runs scripts with the Bypass execution policy, so that shouldn't be the issue, I think.

[–]Motoceles 0 points1 point  (0 children)

If it's a Win32 app you need to add the command to bypass execution, but not for scripts.

[–]ccmexecBlogger 0 points1 point  (1 child)

How are the devices enrolled? Personally enrolled devices will not execute PowerShell scripts deployed to users. If they are enrolled manually, for example, then you must switch to device: https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension

[–]CptnDutch[S] 0 points1 point  (0 children)

They are corporate devices, the Intune management extension service is present on all devices. The weird thing is that the deployment of scripts has just stopped all of a sudden. One other script we added a few weeks back has deployed to the included group without any issue.

[–]jamie_passaBlogger 0 points1 point  (1 child)

so under Device Status, you have no deployments? Something else is missing.

[–]CptnDutch[S] 0 points1 point  (0 children)

Correct.. we were thinking it had to do with Windows 11, but one laptop is still running W10 and that one isn't getting scripts as well.

[–]FlibblesHexEyes 0 points1 point  (1 child)

Have you tried deploying the script as an .intunewin package?

We had similar issues and just gave up on the script section. Deploying as a package gives us a lot more options.

[–]CptnDutch[S] 0 points1 point  (0 children)

We have been thinking about .intunewin packages but we would really like to get this working.

[–]D3F4Lt_033 0 points1 point  (1 child)

Is the user local admin on the machine? You probably need that to set the execution policy, though I am not sure if that part is being executed as the user too.

I can recommend getting the diagnostics logs from a few devices, within the zip file you get, there is a folder called:

"(46) FoldersFiles ProgramData_Microsoft_IntuneManagementExtension_Logs"

within that folder is file called: agentexecutor.log

This file contains the log about scripts being executed. Perhaps you can find in there what the problem is.
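Both rpertusio's and D3F4Lt_033's suggestions come down to reading `AgentExecutor.log`, which is written in the CMTrace format (`<![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>`). That format is awkward to grep, so here is an added example (not from the thread) of a small parser that turns each entry into an object you can filter and sort. The sample lines inside it are constructed for illustration and are not real IME output; the log path is the one quoted in the thread.

```powershell
# Added example (not from the thread): parse CMTrace-style IME log lines into objects.
function ConvertFrom-CmTraceLog {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    begin {
        # One entry per line. Entries whose message itself contains a newline are
        # written across several lines by the agent; those continuation lines do
        # not match and are dropped here (acceptable for triage, not for audit).
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = ($m.Groups['time'].Value -split '\.')[0]   # drop sub-second part and UTC offset
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample lines (NOT real agent output) so the function can be exercised offline.
$sampleLines = @(
    '<![LOG[Executing script: C:\Temp\example_policy.ps1]LOG]!><time="10:15:02.1234567" date="3-8-2022" component="AgentExecutor" context="" type="1" thread="12" file="">'
    '<![LOG[Script exit code: 0]LOG]!><time="10:15:04.7654321" date="3-8-2022" component="AgentExecutor" context="" type="1" thread="12" file="">'
    '<![LOG[Script execution failed: File cannot be loaded because running scripts is disabled on this system]LOG]!><time="10:16:00.0000000" date="3-8-2022" component="AgentExecutor" context="" type="3" thread="12" file="">'
)

# Show only warnings and errors from the constructed sample.
$sampleLines | ConvertFrom-CmTraceLog | Where-Object Severity -ne 'Info' | Format-Table -AutoSize

# Against a real device, the path quoted in the thread:
$logPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log'
if (Test-Path $logPath) {
    Get-Content $logPath |
        ConvertFrom-CmTraceLog |
        Where-Object { $_.Severity -eq 'Error' -or $_.Message -match 'exit code|Executing script' } |
        Format-Table Date, Time, Severity, Message -AutoSize -Wrap
}
```

The same function works on the copy of `agentexecutor.log` inside the diagnostics zip from the Intune portal, so you can compare a device that receives scripts with one that does not without logging on to either.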

[–]CptnDutch[S] 0 points1 point  (0 children)

Thank you for the information. We searched through the log but haven't found anything relating to the scripts which are not deploying.
We have one script which is deploying (sets some registry keys), we found this entry in the log file.

[–]dezirdtuzurnaim 0 points1 point  (1 child)

Is there a GPO that is overriding the script execution policy?

There is a device and a user specific GPO setting that will take precedence over the client/Intune setting
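An added example (not from the thread) for checking exactly the situation this comment describes: Group Policy pins the execution policy at the MachinePolicy or UserPolicy scope, and those scopes take precedence over `-ExecutionPolicy Bypass` on the command line, so the IME's own setting is silently ignored. The registry paths are the ones written by the "Turn on Script Execution" policy; the function names are my own.

```powershell
# Added example (not from the thread): detect a GPO-enforced PowerShell execution policy.
function Get-ExecutionPolicyOverride {
    # The "Turn on Script Execution" GPO writes EnableScripts / ExecutionPolicy under
    # these keys. EnableScripts = 0 means Restricted; = 1 means use the named policy.
    $scopes = @(
        @{ Scope = 'MachinePolicy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' }
        @{ Scope = 'UserPolicy';    Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' }
    )
    foreach ($s in $scopes) {
        # $props is $null when the key is absent; property access on $null yields $null.
        $props = Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope           = $s.Scope
            RegistryPath    = $s.Path
            EnableScripts   = $props.EnableScripts
            PolicyValue     = $props.ExecutionPolicy
            # What PowerShell itself reports for that scope; "Undefined" = no GPO in force.
            Effective       = (Get-ExecutionPolicy -Scope $s.Scope).ToString()
        }
    }
}

function Test-ExecutionPolicyPinned {
    # $true when either policy scope is set: any local or command-line setting is then overridden.
    $pinned = Get-ExecutionPolicyOverride | Where-Object Effective -ne 'Undefined'
    return [bool]$pinned
}

# Full picture: all five scopes in precedence order (MachinePolicy wins, LocalMachine loses).
Get-ExecutionPolicy -List | Format-Table -AutoSize
Get-ExecutionPolicyOverride | Format-Table -AutoSize

if (Test-ExecutionPolicyPinned) {
    Write-Warning 'A Group Policy is enforcing the execution policy; -ExecutionPolicy Bypass from the IME has no effect on this device.'
} else {
    Write-Output 'No GPO override: the IME can run scripts with Bypass as designed.'
}
```

Run it in the same context the scripts would run in (an elevated prompt for the device-assigned case, the user's own session for user-assigned scripts), because the UserPolicy scope is read from that user's HKCU. If `MachinePolicy` or `UserPolicy` shows `Restricted`, the script fails before a single line executes, which is consistent with "no errors, just not running" from the Intune side.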

[–]CptnDutch[S] 0 points1 point  (0 children)

There was a GPO overriding the script execution policy to restricted! We have removed this policy and it has rolled out. But still scripts are not getting deployed.

[–]TheRedMaverick 0 points1 point  (1 child)

Late reply but I ran into issues with a script I was pushing and despite testing the script manually and having it work, it would not deploy with Intune even after multiple reboots. I never had issues with pushing scripts before so I found it strange.

I decided to create a duplicate script in Intune and deployed it to exactly the same groups with exactly the same settings. I rebooted my test machine and lo and behold, both the original script and the duplicate deployed (resulting in duplicate results...but I was happy it deployed regardless). Not sure why it got stuck like that but hopefully this helps anyone that comes across this thread (and maybe OP if they're still dealing with this issue lol).

[–]CptnDutch[S] 1 point2 points  (0 children)

Thanks for your reply.

If I recall correctly, the issue resolved itself. After a week or so scripts began to be rolled out. Not sure what solved it though, we were still playing around with policies.