You can upload PowerShell scripts to Intune and run them on enrolled Windows 11 devices. Delivery and execution are handled by the Intune management extension, an agent that Intune installs on the device.
Deployment of PowerShell scripts using Intune is supported for all enrolled Windows 11 devices that are Azure AD–joined, Hybrid Azure AD–joined, or co-managed. The Intune management extension has the prerequisites outlined in Table 3-8.
TABLE 3-8 Intune management extension prerequisites
Requirement | Prerequisite |
Windows 11 version | Windows 11 Pro, Enterprise, or Education; also supported when the device is enrolled using bulk auto-enrollment. |
Directory-joined devices | Azure AD–joined devices; Hybrid Azure AD–joined devices (on-premises Active Directory–joined and Azure AD–joined); Azure AD–registered devices. |
Devices enrolled in Intune | Devices auto-enrolled through Group Policy (GPO); devices enrolled in Intune via auto-enrollment; devices that users enroll using their Azure AD accounts; co-managed devices that use Configuration Manager and Intune. |
When you run a PowerShell script using Intune, there are three script settings, as described in Table 3-9.
TABLE 3-9 PowerShell script runtime settings
Setting | Description |
Run This Script Using The Logged-On Credentials | By default (No), the script runs in the system context, as the local SYSTEM account. Set it to Yes to run the script with the credentials of the user signed in to the device; a script that needs access to the user's profile or HKCU hive must use this setting. |
Enforce Script Signature Check | By default (No), the signature is not checked. Set it to Yes to require an Authenticode signature from a trusted publisher: the signing certificate must chain to a root the device trusts and be present in the device's Trusted Publishers store, or the script will not run. |
Run Script In 64-Bit PowerShell Host | By default (No), the script runs in a 32-bit PowerShell host, which on a 64-bit client sees the WOW64 view of the registry and the System32 folder. Set it to Yes to run the script in a 64-bit PowerShell host on a 64-bit client. |
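The following is an added example, not code from the page or from Microsoft: it signs a script with a code-signing certificate before upload and then verifies the signature the way the Enforce Script Signature Check setting will on the device. The script path and timestamp server are assumptions; the certificate is expected to be in the current user's personal store.

```powershell
# Added example (not from the page). Sign an Intune script and verify the
# signature locally before uploading it with "Enforce script signature check" = Yes.
param(
    [string]$ScriptPath      = "$env:USERPROFILE\Desktop\Install-ContosoAgent.ps1",  # hypothetical path
    [string]$TimestampServer = 'http://timestamp.digicert.com'                       # public RFC 3161 TSA
)

# Pick the longest-lived valid code-signing certificate (EKU 1.3.6.1.5.5.7.3.3)
# from the user's personal store. -CodeSigningCert filters on that EKU.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate with a private key in Cert:\CurrentUser\My.' }

# Sign with SHA-256 and a timestamp so the signature stays valid after the
# certificate expires. Any edit to the file after this point breaks the signature.
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
              -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
}

# Re-read the file and verify, which is what the device-side check amounts to:
# Status must be Valid and the signer must chain to a trusted root.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    throw "Verification failed: $($check.Status) - $($check.StatusMessage)"
}

[pscustomobject]@{
    Script     = Split-Path $ScriptPath -Leaf
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Timestamp  = $check.TimeStamperCertificate.Subject
}

# Export the public certificate so it can be pushed to the devices' Trusted
# Publishers store (for example with an Intune trusted certificate profile).
Export-Certificate -Cert $cert -FilePath (Join-Path (Split-Path $ScriptPath) 'ScriptSigner.cer') | Out-Null
```

A Valid status on the authoring workstation only proves the chain is trusted there; the same certificate must be trusted on every target device, which is why the public certificate is exported at the end.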
For example, you can create a PowerShell script that installs a Win32 app to your Windows 11 device. This scenario involves these high-level steps:
- Write a PowerShell script to install a Win32 app.
- Upload the script to Intune as a Device Configuration profile.
- Configure the script runtime settings.
- Assign the script to an Azure AD group of users or devices.
- The script runs on the devices in the assigned group.
- You can then use Intune to monitor the run status of your script.
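As an added example (not the page's or Microsoft's code), here is a script for the first step of that scenario: installing a Win32 app from an MSI in the system context. The app name, download URL, and expected SHA-256 hash are hypothetical placeholders. It also shows how a script can cope with being launched in the 32-bit host described in Table 3-9, and it uses exit codes so that Intune reports success or failure correctly.

```powershell
# Added example (not from the page): Intune PowerShell script that installs a Win32 app.
# Intended to run in the system context. Values below are hypothetical placeholders.
$ErrorActionPreference = 'Stop'
$AppName        = 'Contoso Agent'                                    # DisplayName in Uninstall keys
$MsiUrl         = 'https://files.contoso.example/ContosoAgent.msi'   # hypothetical download URL
$ExpectedSha256 = 'REPLACE-WITH-SHA256-OF-THE-MSI'                   # pin the installer you tested

$LogDir = Join-Path $env:ProgramData 'ContosoAgentInstall'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir 'install.log'
function Write-Log { param([string]$Message) "$(Get-Date -Format o) $Message" | Add-Content -Path $Log }

$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Log "Running as $who; 64-bit host: $([Environment]::Is64BitProcess)"

# If Intune started us in the 32-bit host on a 64-bit OS, relaunch in the 64-bit
# host via SysNative so we see the real registry and System32 (not the WOW64 view).
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    Write-Log 'Relaunching in the 64-bit PowerShell host'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Detection: exit 0 immediately if the app is already present (both registry views).
function Test-Installed {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $AppName } | Select-Object -First 1
}
if (Test-Installed) { Write-Log "$AppName is already installed"; exit 0 }

# Download, then verify integrity and authenticity before executing anything.
$msi = Join-Path $env:TEMP 'ContosoAgent.msi'
Invoke-WebRequest -Uri $MsiUrl -OutFile $msi -UseBasicParsing
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256) {
    Write-Log "Hash mismatch: got $hash"; Remove-Item $msi -Force; exit 1
}
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    Write-Log "Installer signature is $($sig.Status)"; Remove-Item $msi -Force; exit 1
}

# Silent install with verbose MSI logging next to our own log.
$msiLog = Join-Path $LogDir 'msiexec.log'
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
            -ArgumentList "/i `"$msi`" /qn /norestart /l*v `"$msiLog`""
Write-Log "msiexec exit code $($proc.ExitCode)"
Remove-Item $msi -Force -ErrorAction SilentlyContinue

# 0 = success, 3010 = success but reboot required; anything else is a failure
# that Intune will show in the script's run status.
if ($proc.ExitCode -in 0, 3010) { exit 0 } else { exit $proc.ExitCode }
```

The hash pin and the Authenticode check on the downloaded MSI matter because the script runs as SYSTEM: a tampered installer at that URL would otherwise execute with full privileges on every targeted device.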
To create a PowerShell script policy, use these steps.
- Open Microsoft Intune admin center.
- Select Devices, and then under Policy, click Scripts.
- On the Devices | Scripts page, click Add, and select Windows 10 and later. Note that you can also create scripts for Linux and macOS.
- On the Add PowerShell script page, enter the following properties on the Basics tab:
• Name: Enter a descriptive name for the script.
• Description: Enter a description for the script.
- Click Next.
- On the Script settings tab, shown in Figure 3-22, enter the following properties:
• Script location: Browse to the PowerShell script. The script must be less than 200 KB (ASCII).
• Run this script using the logged on credentials: Select Yes to run the script with the user's credentials on the device, or choose No (default) to run the script in the system context.
• Enforce script signature check: Select Yes or No (default).
• Run script in 64 bit PowerShell Host: Select Yes to run the script in a 64-bit PowerShell host, or select No (default) to run the script in a 32-bit PowerShell host.

FIGURE 3-22 Adding PowerShell Script
- Click Next.
- On the Assignments blade, assign the policy to users, devices, or groups and then click Next.
- On the Review + add blade, review the summary and click Create.
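The same policy can be created without the admin center. The following is an added example, not from the page or from Microsoft, that uses the Microsoft Graph PowerShell SDK against the beta deviceManagementScripts endpoint and sets the three runtime settings deliberately: system context, signature check enforced, 64-bit host. The script path, policy name, and group name are hypothetical; the endpoint is in the beta namespace and its property names are taken from that resource, so confirm them against the current Graph reference before relying on this in production.

```powershell
# Added example (not from the page): create and assign an Intune PowerShell
# script policy through Microsoft Graph (beta). Requires the Microsoft.Graph
# PowerShell SDK and DeviceManagementConfiguration.ReadWrite.All.
param(
    [string]$ScriptPath = '.\Install-ContosoAgent.ps1',    # hypothetical, already signed
    [string]$GroupName  = 'Intune - Contoso Agent Devices' # hypothetical Azure AD device group
)
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All' | Out-Null

# Intune rejects scripts larger than 200 KB; fail early rather than at upload.
$bytes = [IO.File]::ReadAllBytes((Resolve-Path $ScriptPath).Path)
if ($bytes.Length -gt 200KB) { throw "Script is $($bytes.Length) bytes; the Intune limit is 200 KB." }

# Because enforceSignatureCheck will be on, refuse to upload an unsigned or
# tampered script instead of discovering the failure on every device.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') { throw "Script signature is $($sig.Status); sign it first." }

$body = @{
    '@odata.type'         = '#microsoft.graph.deviceManagementScript'
    displayName           = 'Install Contoso Agent'                        # hypothetical
    description           = 'Installs the Contoso Agent MSI (system context, signed).'
    fileName              = Split-Path $ScriptPath -Leaf
    scriptContent         = [Convert]::ToBase64String($bytes)              # Edm.Binary
    runAsAccount          = 'system'   # 'user' = Run this script using the logged-on credentials
    enforceSignatureCheck = $true      # Enforce script signature check
    runAs32Bit            = $false     # $false = Run script in 64-bit PowerShell host
}
$script = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body $body -ContentType 'application/json'

# Resolve the target group by name and assign the policy to it.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found." }

$assignment = @{
    deviceManagementScriptAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($script.id)/assign" `
    -Body $assignment -ContentType 'application/json' | Out-Null

"Created script policy $($script.id) ('$($body.displayName)') assigned to '$($group.DisplayName)'"
```

Keeping the policy in code makes the three runtime settings reviewable: a change from `runAsAccount = 'system'` to `'user'`, or from `enforceSignatureCheck = $true` to `$false`, shows up in a diff rather than disappearing into a portal click.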
After you have uploaded a PowerShell script to Intune, the management extension client on each targeted device checks with Intune for new or changed PowerShell scripts once every hour and after every reboot. Once the script has executed on a device, it is not executed there again unless the script or the policy changes.
Note PowerShell Permissions
When you deploy PowerShell scripts using Intune, the script can be executed with or without a user signed into the device. PowerShell scripts can be targeted to Azure AD device security groups and Azure AD user security groups.
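The run-once behavior described above is tracked on the device itself. The following is an added example (not from the page or from Microsoft) that reads the management extension's locally recorded script results, shows the most recent script-related log lines, and optionally clears one result so the script runs again at the next check-in. It assumes the registry layout HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies\<UserGUID>\<ScriptGUID>, with the all-zero user GUID holding scripts that ran in the system context, and the value names Result and ResultDetails; these are observed rather than documented, so verify them on your build. Run it from an elevated 64-bit PowerShell on the device.

```powershell
# Added example (not from the page): inspect and optionally reset the Intune
# management extension's local record of script executions.
param(
    [string]$ScriptId,   # GUID of the script policy to run again (optional)
    [switch]$Rerun
)
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'   # assumed layout
$LogPath    = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
$SystemUser = '00000000-0000-0000-0000-000000000000'                          # system-context scripts

function Get-ImeScriptResult {
    # One object per <UserGUID>\<ScriptGUID> key, with the recorded outcome.
    Get-ChildItem -Path $PolicyRoot -ErrorAction Stop | ForEach-Object {
        $user = $_.PSChildName
        Get-ChildItem -Path "$PolicyRoot\$user" | ForEach-Object {
            $p = Get-ItemProperty -Path "$PolicyRoot\$user\$($_.PSChildName)"
            [pscustomobject]@{
                ScriptId = $_.PSChildName
                Context  = if ($user -eq $SystemUser) { 'System' } else { "User $user" }
                Result   = $p.Result          # observed: 'Success' or 'Failed'
                Details  = $p.ResultDetails   # observed: JSON with the script's output/error
            }
        }
    }
}

Get-ImeScriptResult | Format-Table -AutoSize

# Most recent script-related entries from the extension's own log.
if (Test-Path $LogPath) {
    Get-Content -Path $LogPath -Tail 2000 |
        Select-String -Pattern 'PowershellScript|ScriptId' |
        Select-Object -Last 10
}

if ($Rerun -and $ScriptId) {
    # Deleting the recorded result makes the extension treat the script as new.
    # Restarting the service triggers a check-in instead of waiting up to an hour.
    Get-ChildItem -Path $PolicyRoot | ForEach-Object {
        $key = "$PolicyRoot\$($_.PSChildName)\$ScriptId"
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force; "Removed $key" }
    }
    Restart-Service -Name IntuneManagementExtension -Force
}
```

Because the result lives under HKLM, anyone with local administrator rights can clear it and re-run a script, or edit it to make a failed run look successful in Intune; treat the portal's run status as a convenience, not as evidence.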