Intune Script Secrets: How to Deploy Any Script with MS Intune

When it comes to deploying scripts, Intune admins have only one method available: Intune PowerShell Scripts. PowerShell can be a powerful format, but you likely have existing scripts you want to leverage with your domain-joined and non-domain-joined machines. Intune script capabilities don’t enable you to deploy VBScript, batch, or JavaScript scripts. Intune scripts have other limitations as well:

    • These PowerShell scripts from Intune run successfully only one time, and never again (unless the script changes). Additionally, if the script fails after three retries, no additional attempts are made to run the script. This makes recurring scripts impossible via the Intune PowerShell scripting method.
    • When a user or computer changes groups in Intune (or a policy no longer applies), whatever the script did stays on the machine. Intune has no way to “revert” or “undo” a script after it’s delivered.
    • There’s no way to trigger a script based upon an event, like connecting to a VPN, or to schedule a script to run at a specific time or day or when a process launches.
    • There’s no way to filter where your script should run. If you have users or computers together in various groups, you might need to unwind your existing Azure or AD group memberships just to use Intune scripts.
    • Beyond that, scripts cannot be run interactively, nor can they perform admin-like things in the user context.

The screenshot below shows the full complement of options available for script deployment using MEM (Intune).

 

[Screenshot: Add PowerShell script in Microsoft Intune]

Deploy Scripts via Intune to Windows 10 Computers with Four Times the Choice

PolicyPak Scripts Manager offers you four times the choice that Intune has, which means you can leverage more power over any of your Windows 10 machines, regardless of whether they are MDM-enrolled, domain-joined, or non-domain-joined. What’s more, the PolicyPak editors are built inside the Group Policy Management Editor, a tool that admins already use. You can take those scripts and use them on-prem with Group Policy or export them for use within Intune.


Creating a policy in PolicyPak Scripts Manager is easy (see image below).

[Screenshot: PolicyPak Scripts Manager with Microsoft Intune]

PolicyPak Scripts Manager uses a wizard to guide you through the policy-making process. It supports multiple script types, including Batch, PowerShell, VB, and JavaScript, which gives you real choice as to which script type works best for you. You can either write the script commands out yourself or browse to an already existing file using the File button shown below.

[Screenshot: apply action script]

The power of choice that PolicyPak Scripts Manager delivers isn’t restricted to just its selection of script formats. It also provides you the ability to revert scripts when a policy no longer applies. For instance, in the previous screenshot we mapped a shared printer. Let’s say we want to delete all network printers should the user ever fall out of scope of the designated policy. If we want to use a VB script this time instead of a Batch file, it’s no problem. Just create the revert action script using a VB script as shown below.

 

[Screenshot: revert action script]

Of course, if you prefer PowerShell, you can also select it as your choice. Let’s say we wanted to map a network drive. In this case we will run it interactively, as “Get-Credential” will prompt the user to enter a password as shown below.

 

[Screenshot: apply action PowerShell script]

[Screenshot: Windows PowerShell credential request]

The final step in this example is to decide how often you want the script to run. You can choose to run it on every policy processing and log in with the “Always” flag, as shown below.

[Screenshot: specify process mode in Scripts Manager]
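The apply and revert actions described above, sketched in PowerShell as an added example (not PolicyPak's or the author's script). The drive letter and UNC path are hypothetical; the apply action is written so it can safely re-run under the “Always” mode, and no password is stored in the script because Get-Credential prompts the user.

```powershell
# Added example. $DriveLetter and $SharePath are hypothetical values.
$DriveLetter = 'S'
$SharePath   = '\\fileserver.example.com\shared'

function Get-MappedDrive {
    # Returns the FileSystem drive object for $DriveLetter, or $null if unused.
    Get-PSDrive -Name $DriveLetter -PSProvider FileSystem -ErrorAction SilentlyContinue
}

function Invoke-ApplyAction {
    # Apply action: map the share in the interactive user session.
    $existing = Get-MappedDrive
    if ($existing) {
        # Idempotent: a script that runs on every policy refresh must not
        # prompt the user again when the drive is already mapped.
        if ($existing.DisplayRoot -eq $SharePath) { return }
        throw "Drive ${DriveLetter}: is already in use; refusing to remap it."
    }

    # The user types the credential at run time, so nothing secret is
    # embedded in the deployed script.
    $cred = Get-Credential -Message "Enter credentials for $SharePath"
    if (-not $cred) { return }   # user cancelled the prompt

    # -Persist creates a real Windows mapped drive; -Scope Global keeps it
    # alive after this function (and the script) returns.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $SharePath `
        -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null
}

function Invoke-RevertAction {
    # Revert action: remove only the mapping this policy created, leaving
    # any unrelated drive on the same letter untouched.
    $existing = Get-MappedDrive
    if ($existing -and $existing.DisplayRoot -eq $SharePath) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
}

# Call Invoke-ApplyAction from the apply script and
# Invoke-RevertAction from the revert script.
```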

 

Use Freedom of Choice when Triggering Scripts

If you really want super admin-like powers for script deployment, then look at the various trigger options available with PolicyPak Scripts Manager. Triggering is nothing new. Group Policy has allowed you to utilize logon and logoff triggers since the beginning. However, it’s a different world today than it was 20 years ago, and PolicyPak is constantly evolving in order to adapt to the dynamic, ever-changing world of tomorrow. PolicyPak Scripts Manager offers you a variety of trigger points to choose from.

 

Have you been trying to figure out how to continue to deploy your arsenal of on-premises scripts to users in your newly VPN-connected world? With PolicyPak Scripts Manager you can initiate scripts when a user connects with VPN, regardless of your VPN solution. This means you can map that drive when connected and then delete the mapping once disconnected. You can also trigger scripts based on the start or closing of a designated process, a session lock, an assigned schedule, or the traditional logon and logoff actions as shown below.

 

[Screenshot: specify process mode on trigger]

Granular Choice of Item-level Targeting

Microsoft Intune doesn’t enable you to granularly select where your scripts should apply. But using Intune with PolicyPak is different.

 

If we want to accurately deploy our script policy by VPN triggering, we could choose only members of a select user group that use Windows 10 portable machines. We can even add an IP range so that the policy only applies when the computer is located off the corporate network. You can see all of these conditions in the screenshot below.

[Screenshot: Item-Level Targeting editor]

Choice Gives You Power

PolicyPak can accentuate your Intune scripting abilities. As we’ve seen, Intune’s scripting isn’t bad, but it is limited to:

 

  • Only supporting PowerShell
  • No filtering/item-level targeting
  • No revert script capabilities
  • No interactivity
  • No ability to always re-apply a script
  • No triggers

If choice is power, PolicyPak delivers it.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers, and operating systems using the technology they already utilized.
