Intune provides the capability to run PowerShell scripts on Windows 10 and later devices. These scripts can be used for various purposes, such as configuring device settings, deploying software, or collecting inventory data. PowerShell scripts are distributed through Intune’s PowerShell Scripts or Proactive Remediation Scripts and executed using the Intune Management Extension (IME).
1.0 What is the Intune Management Extension Service?
The Intune Management Extension (IME) is a Windows application that enhances the built-in Windows MDM capabilities with Intune. It allows for the deployment of:
- Win32 Apps
- PowerShell Scripts
- Proactive Remediation Scripts
- Custom Compliance Policies
- New Store Applications
to Azure AD joined, hybrid Azure AD joined, co-managed and Azure AD registered devices.
2.0 Is any action needed to install the Intune Management Extension?
The IME is installed automatically on any Windows device enrolled in Intune, including co-managed devices (even when every workload has been shifted to SCCM).
The service is installed under C:\Program Files (x86)\Microsoft Intune Management Extension.
The version of the service can be checked from the file properties of “Microsoft.Management.Services.IntuneWindowsAgent.exe”.
3.0 When does the Intune Management Extension (IME) restart?
The IME service is hard-coded to restart once every 60 minutes. If a script is modified or newly assigned and the change is not reflected immediately on the device, it will be fully targeted and take effect by the next restart of the IME service.
4.0 How to troubleshoot PowerShell scripts
Logs are crucial for understanding how a PowerShell script was executed and what the outcome was. Intune writes them to several locations:
Intune Management Extension logs: these contain detailed information about script execution and are found under “C:\ProgramData\Microsoft\IntuneManagementExtension\Logs”. The key information is spread across several log files in that folder.
4.1 Confirm the Script ID on the Intune side
Find the Script ID in the Intune portal under Devices > Windows > Scripts and Remediations > Platform Scripts; when the script is selected, its Policy ID is visible in the browser's URL bar.
4.2 Check the IME log files
Open the Intune Management Extension log file “IntuneManagementExtension.log” and/or its archives “IntuneManagementExtensionxxxx.log” with CMTrace.exe or any other preferred text viewer.
Then search the logs for the Script ID from the previous step.
The highlighted log entries show the following:
I- The PowerShell script is detected as assigned (targeted) to the user.
II- The PowerShell script content is shown at this step.
III- The script is installed from the temporary file downloaded to C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scriptxxx.ps1.
IV- The script context is recorded here: whether the admin targeted the script in user or device context. If the script runs in user context, then the user token MUST be retrieved in
4.3 Process handed over to the Agent Executor service
The IME service (or component) completes token retrieval from Azure; once that succeeds, the script is cleared for immediate deployment.
The IME service then hands over script deployment to the Agent Executor service.
From the above screenshot:
I. The Agent Executor service starts executing the script.
II. The script command line is called (this is the default command line Intune uses to run PowerShell scripts; the admin cannot modify it).
III. The PowerShell script executed successfully with exit code 0.
IV. The PowerShell script reports 0 errors written, and the Agent Executor service hands control back to the IME service.
4.4 Back to the IME logs
The IME logs then collect the results from the Agent Executor service, ready to be reported back to the Intune portal.
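As an added example (not code from the original post), the PowerShell helper below automates steps 4.1 to 4.3: it reads IntuneManagementExtension.log and its archives, parses each CMTrace-format entry, and returns only the entries that mention the Policy ID, in order, with their component and severity. The CMTrace entry layout is an assumption about the log format, and the sample lines and GUIDs are constructed placeholders, not real IME output.

```powershell
# Added example, not from the original post: follow one Platform Script through the IME logs.
# Assumption: IME log entries use the CMTrace layout
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="">

$ImeLogDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'   # log folder named in the post

$CmTraceEntry = [regex]'<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)"\s+date="(?<Date>[^"]*)"\s+component="(?<Component>[^"]*)"[^>]*\btype="(?<Type>\d)"'

function Get-ImeScriptTrail {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,   # Script/Policy ID taken from the portal URL bar
        [string[]] $LogLines                         # optional: pre-read lines (used for offline testing)
    )
    if (-not $LogLines) {
        # Current log plus its rotated archives, oldest first so the trail reads chronologically
        $LogLines = Get-ChildItem -Path $ImeLogDir -Filter 'IntuneManagementExtension*.log' |
            Sort-Object LastWriteTime | Get-Content
    }
    foreach ($line in $LogLines) {
        $m = $CmTraceEntry.Match($line)
        if (-not $m.Success) { continue }                     # not a CMTrace entry, skip
        $message = $m.Groups['Message'].Value
        if ($message -notlike "*$PolicyId*") { continue }     # entry belongs to another policy
        # CMTrace severity codes: 1 = informational, 2 = warning, 3 = error
        $severity = switch ($m.Groups['Type'].Value) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Component = $m.Groups['Component'].Value
            Severity  = $severity
            Message   = $message
        }
    }
}

# Constructed sample lines (NOT real IME output) so the function can be tried without a device.
$SampleId = '00000000-0000-4000-8000-000000000001'   # placeholder GUID
$SampleLog = @(
    "<![LOG[[PowerShell] Processing policy with id = $SampleId]LOG]!><time=""10:15:02.0000000"" date=""1-2-2024"" component=""IntuneManagementExtension"" context="""" type=""1"" thread=""12"" file="""">",
    "<![LOG[[PowerShell] Processing policy with id = 00000000-0000-4000-8000-000000000002]LOG]!><time=""10:15:03.0000000"" date=""1-2-2024"" component=""IntuneManagementExtension"" context="""" type=""1"" thread=""12"" file="""">",
    "<![LOG[[PowerShell] Policy $SampleId finished with exit code 1]LOG]!><time=""10:15:09.0000000"" date=""1-2-2024"" component=""AgentExecutor"" context="""" type=""3"" thread=""12"" file="""">"
)
# Expected: two rows (the first and third entries); the second entry is filtered out.
Get-ImeScriptTrail -PolicyId $SampleId -LogLines $SampleLog | Format-Table Time, Severity, Component, Message -AutoSize
```

Run it without -LogLines on an enrolled device to read the real log folder; a Severity of Error on an AgentExecutor entry points at the script execution step (4.3) rather than at targeting or download (4.2).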
Here is my advice for PowerShell script execution and troubleshooting:
- Always test the script before pushing it from Intune, to confirm it works as expected.
- The best application for analyzing Intune Management Extension logs is SCCM's “CMTrace.exe”.
- If the script content runs in user context, there is no need to run the script using the logged-on credentials.
- If the script needs administrator privileges, run it WITHOUT the logged-on user's credentials (that is, in system context).