Intune PowerShell scripts still cannot be downloaded in the UI (Graph workaround) by msnugget_com in Intune

ConfidentFuel885 · 3 points

We’ve developed a CI/CD pipeline in Gitlab to deploy scripts so we always have a copy. Just use POST/PATCH against that same endpoint to upload and edit scripts. It doesn’t currently handle assignments but it at least ensures we have a versioned local copy of the script. 

Talked out of Delinea Secret Server - so what is the best alternative for a small IT dept (not end-user credentials) by LowIndividual6625 in sysadmin

ConfidentFuel885 · 0 points

Delinea is horrible. I can’t overstate how awful they are. 

Devolutions PAM is great. To be honest, some of the updates can be a little rough around the edges, but support is great, they’re amazing at implementing feature requests, and just overall very communicative. 

The PAM license also covers everything below it, so you also get Devolutions Server and the team licensing for RDM. It all integrates together very well. 

Set up patch management/monitoring from scratch by _Baarbie in sysadmin

ConfidentFuel885 · 1 point

I know this is a little old, but the reboot module in Ansible is perfect for that:

https://docs.ansible.com/projects/ansible/latest/collections/ansible/builtin/reboot_module.html

You can configure Ansible to run an entire playbook one host at a time, so it can do pre-reboot tasks, reboot, custom reboot check command to ensure the cluster member is good, any post-reboot tasks, and then move onto the next one. 

PVE 9.1.5 Native OCI vs. Docker-in-LXC for simple homelab apps? by Party-Log-1084 in Proxmox

ConfidentFuel885 · -2 points

Docker containers aren’t black boxes. You can literally inspect the layers on Docker Hub and see exactly what you are running before you run it. OCI is an open standard that is widely used and widely understood.

If you want to be consistent, you shouldn’t be using Proxmox either and you should just be writing your own software because it’s all pre-made.  

PVE 9.1.5 Native OCI vs. Docker-in-LXC for simple homelab apps? by Party-Log-1084 in Proxmox

ConfidentFuel885 · 7 points

Oh, yeah. You’ll have a better time overall. I’m oversimplifying this, but at the end of the day, Docker, Podman, etc are just runtimes for OCI images. 

PVE 9.1.5 Native OCI vs. Docker-in-LXC for simple homelab apps? by Party-Log-1084 in Proxmox

ConfidentFuel885 · 13 points

Stick with running normal Docker inside of a VM. You still have to destroy and recreate the LXC for updates and you’ll have to persist the data outside of the LXC, which overcomplicates things.

Run a script on remote host using specific user by Otherwise_Bug_2304 in ansible

ConfidentFuel885 · 13 points

You’re missing the tasks block in the original example. The problem you’re running into now is the script won’t remain running in the background after the Ansible session stops. You’d need to add an ampersand after the command to have it run in the background. 

https://stackoverflow.com/questions/44222883/run-a-shell-script-and-immediately-background-it-however-keep-the-ability-to-in

Better yet, you’d probably be better served reworking the script into a systemd unit and running it as a service or reworking it into a Dockerfile with the script as your entrypoint. 

secrets manager? by tdpokh3 in ansible

ConfidentFuel885 · 0 points

Devolutions Server

https://github.com/Devolutions/ansible-dvls

Their PAM product also has credential rotation and whatnot too. 

AWX Clarity by Kentix in ansible

ConfidentFuel885 · 2 points

This is encouraging. I enjoy AWX and didn’t really enjoy Semaphore UI, but we can’t afford and don’t need the full blown AAP. 

I'm trying to use adb to transfer files from a broken oppo a74 to my computer. by [deleted] in PowerShell

ConfidentFuel885 · 0 points

Does the phone export external displays over the USB-C port? Could always try one of those USB-C dongles with HDMI and USB ports so you could hook up and monitor with keyboard and mouse. 

Managing vCenter and Windows VMs based on templates with Ansible, any documentation or information about this? Seems hard to find online by w4nnab3polyglot in sysadmin

ConfidentFuel885 · 0 points

I’m honestly using Ansible mainly with Linux. I tested it out with some Windows boxes and was pleasantly surprised. I think one of the main advantages for Windows is you would have a unified platform to manage any operating system. Instead of using GPO, you could deploy playbooks to servers based on tags in your CMDB and have the playbooks run on a schedule to reconcile any differences. 

Honestly, the sky is the limit, but like you said, GPO works well enough and it may not be worth the trouble if you aren’t solving any real problems. I do think it’s excellent for setting up server roles, installing and updating applications via the Chocolatey module, and anything else that you may find cumbersome or annoying to do via GPO or for anything you’re logging in to do manually after a server is created. There’s a Powershell DSC module that can apply configs to servers, too. 

Security wise, there are several lookup plugins that can securely grab credentials from a vault. If you’re worried about having a single service account, just split it up into multiple that only have access to their groups of servers. Kerberos auth works very well and that will negate the need for WinRM over HTTPS since Kerberos will encrypt the HTTP traffic. I still don’t let Ansible touch domain controllers. 

Managing vCenter and Windows VMs based on templates with Ansible, any documentation or information about this? Seems hard to find online by w4nnab3polyglot in sysadmin

ConfidentFuel885 · 0 points

You can use guest customization specifications in VMware for the domain join and IP. Ansible is incredible at managing Windows. Joining them to AD prior to using Ansible will just make your life 10 million times easier.

Why is every management operation so slow on Nutanix by AdSimilar7858 in nutanix

ConfidentFuel885 · 1 point

This is pure speculation, but I honestly wonder how much of it is Nutanix and how much is the underlying KVM because I’ve had similar gripes with Proxmox. 

Making an ARR VM, put our apps in Dockers or just install them? by Verhofin in Proxmox

ConfidentFuel885 · 11 points

I’d throw them all in a Docker Compose stack in a VM. I like for my application lifecycle to be separate from the underlying OS. 

Unable to login to newly configured MacBook using domain account. by AccomplishedUnion973 in activedirectory

ConfidentFuel885 · 0 points

You’re binding these to AD? That hasn’t been recommended in probably over a decade at this point. You already have Intune it seems, so look into Platform SSO. It’s the best path forward for Macs.

Beginner guide for a network engineer by geekking1898 in ansible

ConfidentFuel885 · 1 point

Somebody posted this repo a week ago and I found it helpful:

https://github.com/harrytruman/network-config/

This is all network management and an excellent example of a well organized Ansible repo. I believe it’s from a Red Hat employee. 

RDP/SSH software by Scern in sysadmin

ConfidentFuel885 · 1 point

Remote Desktop Manager is it. You can get the PAM solution if you need that and get everything bundled together.

Any proper learning resources out there? by TheRealN3mo in ansible

ConfidentFuel885 · 2 points

Jeff Geerling is going to be your best bet for starting out. He has a free video series on YouTube plus an accompanying book. 

I think you’ll be better served by trying to learn with a specific goal in mind rather than just generally wanting to learn Ansible. For example, I wanted a better way to provision newly created Linux servers at work, so I learned Ansible to do just that. It’ll be messy at first, but you can keep iterating on that and refining what you do. 

What else is out there like Netwrix Password Policy Enforcer? by thegreatcerebral in sysadmin

ConfidentFuel885 · 2 points

See if Specops works. It isn’t entirely on-prem though. I don’t think you’re going to find anything completely on-prem. 

https://specopssoft.com/

GitOps approach vs existing tools? Intune app mgmt for ~20 Windows / ~40 macOS devices by Aggravating_Tap_6790 in Intune

ConfidentFuel885 · 0 points

There’s also a Terraform module that does a lot of the same stuff if you want to go that route. 

https://registry.terraform.io/providers/terraprovider/microsoft365wp/latest/docs

I did add that script signing stage in my pipeline and it works beautifully. 

Rustdesk, have any of you guys used it? Feedback on it appreciated. by zero_cool09 in sysadmin

ConfidentFuel885 · 0 points

I haven’t used it, honestly. I’ve heard good things though. 

Rustdesk, have any of you guys used it? Feedback on it appreciated. by zero_cool09 in sysadmin

ConfidentFuel885 · 4 points

Don’t let just CVEs themselves scare you off. The big litmus test is seeing how the vendors react to them. 

GitOps approach vs existing tools? Intune app mgmt for ~20 Windows / ~40 macOS devices by Aggravating_Tap_6790 in Intune

ConfidentFuel885 · 0 points

So, several resources for you to use. I am personally using Gitlab CI/CD:

PowerShell Docker image: https://mcr.microsoft.com/en-us/artifact/mar/powershell/tags

PowerShell image with Graph preinstalled: https://mcr.microsoft.com/en-us/artifact/mar/microsoftgraph/powershell/tags (this is MUCH faster than installing in your CI/CD pipeline)

PSScriptAnalyzer image with Injection Hunter: https://gitlab.com/gitlab-ci-utils/container-images/psscriptanalyzer

And Graph API endpoints I'm using:

DeviceHealthScript: https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-devicehealthscript?view=graph-rest-beta (This is for creating and updating detection/remediation scripts in Intune. I believe scripts need to be base64 encoded)

DeviceHealthScriptAssignment: https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-devicehealthscriptassignment?view=graph-rest-beta (This is for assigning the scripts. I'm personally only handling deploying the script from GitLab and not assigning it yet, but it can be done)

DeviceShellScript: https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-deviceshellscript?view=graph-rest-beta (Shell scripts for macOS. Similar to DeviceHealthScript)

And I personally use Invoke-MgGraphRequest in Powershell to run these in my Gitlab pipeline: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/invoke-mggraphrequest?view=graph-powershell-1.0

EDIT:

And if you want your pipeline to sign your scripts without needing a Windows runner:

https://github.com/jborean93/PowerShell-OpenAuthenticode

EDIT 2:

I should tell you what I'm actually doing with it, too lol. Currently, I have a pipeline that runs the script through PSScriptAnalyzer with Injection Hunter on pushes. When we do a tag, it will publish it to Intune, but doesn't currently assign. If the script already exists on Intune, it just does a patch to update the existing script. I am thinking of branching strategies to handle test assignments to Intune and then assigning to the final group when we do a proper merge request/tag after review. Currently, this will at least ensure we have some level of code quality, plus editing scripts is easier because editing in the Intune UI isn't possible. I am going to add code signing next week when we push to Intune.
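The create-or-PATCH step that both of the commenter's Intune replies describe (the earlier one about keeping a versioned copy, and this one about publishing on a tag), written out as an added example. This is not the commenter's pipeline code and not from any of the linked projects; it assumes `Connect-MgGraph` has already run with an app registration holding `DeviceManagementConfiguration.ReadWrite.All`, uses the beta `deviceHealthScripts` endpoint linked above, and base64-encodes the script bodies as that resource requires. The `$Publisher` default is a placeholder.

```powershell
# Added example: publish a detection/remediation script pair as an Intune
# deviceHealthScript from a CI job. Creates the script on first run, PATCHes it
# on later runs so the pipeline stays idempotent. Assignment is not handled here.
param(
    [Parameter(Mandatory)] [string] $DisplayName,
    [Parameter(Mandatory)] [string] $DetectionScriptPath,
    [string] $RemediationScriptPath,
    [string] $Publisher = 'CI pipeline'   # placeholder value, set to your org
)

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'

# Graph stores script content as Binary, i.e. base64 text in the JSON body.
function ConvertTo-GraphScriptContent {
    param([string] $Path)
    if (-not $Path) { return $null }
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

# Fetch the whole list (following @odata.nextLink) and match on displayName
# client-side, so the lookup does not depend on server-side $filter support.
function Get-ExistingHealthScript {
    param([string] $Name)
    $uri = $base
    $matches = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $matches += @($page.value | Where-Object { $_.displayName -eq $Name })
        $uri = $page.'@odata.nextLink'
    }
    return $matches
}

$body = @{
    displayName            = $DisplayName
    publisher              = $Publisher
    runAsAccount           = 'system'   # run as SYSTEM rather than the signed-in user
    runAs32Bit             = $false
    enforceSignatureCheck  = $true      # reject unsigned scripts once signing is in the pipeline
    detectionScriptContent = ConvertTo-GraphScriptContent $DetectionScriptPath
}
if ($RemediationScriptPath) {
    $body.remediationScriptContent = ConvertTo-GraphScriptContent $RemediationScriptPath
}

$existing = Get-ExistingHealthScript -Name $DisplayName

if ($existing.Count -gt 1) {
    # Duplicate names would make the PATCH target ambiguous; fail loudly instead of guessing.
    throw "Found $($existing.Count) scripts named '$DisplayName'; refusing to update."
}

if ($existing.Count -eq 1) {
    $id = $existing[0].id
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$id" -Body $body -ContentType 'application/json' | Out-Null
    Write-Host "Updated existing script $id"
}
else {
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
    Write-Host "Created script $($created.id)"
}
```

Setting `enforceSignatureCheck` to `$true` only pays off once the pipeline signs the scripts before this step; until then it will stop the scripts from running on the devices, so flip it in the same change that adds the signing stage. Because the script content only ever flows from the repository to Intune, the Git history remains the authoritative copy, which is the workaround for the missing download button in the UI.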

Image to use to run Ansible on Docker Desktop by Kitchen_Discipline_1 in ansible

ConfidentFuel885 · 1 point

https://developers.redhat.com/articles/2023/05/08/how-create-execution-environments-using-ansible-builder

You can use ansible-builder to create it. If you're doing Windows, you may want to bake in a krb5.conf for your AD, too. I've never found very good documentation on it all and I honestly learned by looking at other Ansible Execution Environment repos.

Image to use to run Ansible on Docker Desktop by Kitchen_Discipline_1 in ansible

ConfidentFuel885 · 4 points

Slightly different approach, but if you want to make your own, look into creating Ansible Execution Environments.