MicrosoftDocs
diff --git a/‎intune/intune-service/apps/intune-management-extension.md‎
Lines changed: 65 additions & 186 deletions b/‎intune/intune-service/apps/intune-management-extension.md‎
Lines changed: 65 additions & 186 deletions
diff --git a/‎intune/intune-service/apps/powershell-scripts.md‎
Lines changed: 226 additions & 0 deletions b/‎intune/intune-service/apps/powershell-scripts.md‎
Lines changed: 226 additions & 0 deletions
diff --git a/‎intune/intune-service/configuration/device-profile-create.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/configuration/device-profile-create.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎intune/intune-service/configuration/device-profiles.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/configuration/device-profiles.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎intune/intune-service/developer/reports-ref-devices.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/developer/reports-ref-devices.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎intune/intune-service/fundamentals/cloud-configuration.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/fundamentals/cloud-configuration.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎intune/intune-service/fundamentals/deployment-guide-platform-windows.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/fundamentals/deployment-guide-platform-windows.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎intune/intune-service/fundamentals/deployment-plan-configuration-profile.md‎
Lines changed: 1 addition & 1 deletion b/‎intune/intune-service/fundamentals/deployment-plan-configuration-profile.md‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,226 @@
+---
+# required metadata
+
+title: Add PowerShell scripts to Windows 10/11 devices in Microsoft Intune
+description: Create and run PowerShell scripts, assign the script policy to Microsoft Entra groups, and use reports to monitor the scripts. See the steps to delete scripts you add on Windows 10/11 devices in Microsoft Intune. Read common issues and resolutions. 
+keywords:
+author: Erikre
+ms.author: erikre
+manager: dougeby
+ms.date: 04/17/2025
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: apps
+ms.localizationpriority: high
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+ms.reviewer: bryanke
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection:
+- tier1
+- M365-identity-device-management
+- Windows
+- highpri
+- FocusArea_Apps_Win32
+---
+
+# Use PowerShell scripts on Windows 10/11 devices in Intune
+
+Use the Microsoft Intune management extension to upload PowerShell scripts in Intune. Then, run these scripts on Windows 10 devices. The management extension enhances Windows device management (MDM), and makes it easier to move to modern management.
+
+> [!NOTE]
+> For information about the Intune management extension for Windows, see [Intune management extension for Windows](../apps/intune-management-extension.md).
+
+## Before you begin
+
+- When scripts are set to user context and the end user has administrator rights, by default, the PowerShell script runs under the administrator privilege.
+
+- End users aren't required to sign in to the device to execute PowerShell scripts.
+
+- The Intune management extension checks after every reboot for any new scripts or changes. After you assign the policy to the Microsoft Entra groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy. If the script fails, the Intune management extension retries the script three times for the next three consecutive Intune management extension check-ins.
+
+- A PowerShell script assigned to the device will run for every new user that signs in, except on multi-session SKUs where user check-in is disabled. 
+
+- PowerShell scripts are executed before Win32 apps run. In other words, PowerShell scripts execute first. Then, Win32 apps execute.
+
+- PowerShell scripts time out after 30 minutes.
+
+> [!IMPORTANT]
+> Best practices for privacy awareness when using PowerShell scripts and Remediation scripts include the following:
+> - Do not include any type of sensitive information in scripts (such as passwords)
+> - Do not include Personally Identifiable Information (PII) in scripts
+> - Do not use scripts to collect PII from devices
+> - Always follow privacy best practices
+>
+> For related information, see [Remediations](../fundamentals//remediations.md).
+
+## Prerequisites
+
+- Intune management extension installs automatically when a PowerShell script app is assigned to the user or device. For more information, see [Intune management extension for Windows](../apps/intune-management-extension.md).
+
+> [!IMPORTANT]
+> Scripts deployed to clients running the Intune management extension will fail to run if the device's system clock is exceedingly out of date by months or years. Once the system clock is brought up to date, script will run as expected.
+
+## Create a script policy and assign it
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Scripts and remediations** > **Platform scripts** > **Add** > **Windows 10 and later**.
+
+    ![Screenshot that shows creating a new script for a Windows 10 device.](./media/intune-management-extension/create-script-windows.png)
+
+3. In **Basics**, enter the following properties, and select **Next**:
+    - **Name**: Enter a name for the PowerShell script.
+    - **Description**: Enter a description for the PowerShell script. This setting is optional, but recommended.
+4. In **Script settings**, enter the following properties, and select **Next**:
+    - **Script location**: Browse to the PowerShell script. The script must be less than 200 KB (ASCII).
+    - **Run this script using the logged on credentials**: Select **Yes** (default) to run the script with the user's credentials on the device. Choose **No** to run the script in the system context. Many administrators choose **Yes**. If the script is required to run in the system context, choose **No**.
+    - **Enforce script signature check**: Select **Yes** (default) if the script must be signed by a trusted publisher. Select **No** if there isn't a requirement for the script to be signed.
+    - **Run script in 64-bit PowerShell host**: Select **Yes** to run the script in a 64-bit PowerShell host on a 64-bit client architecture. Select **No** (default) runs the script in a 32-bit PowerShell host.
+
+      When setting to **Yes** or **No**, use the following table for new and existing policy behavior:
+
+      | Run script in 64-bit host | Client architecture | New script | Existing policy script |
+      | --- | --- | --- | --- |
+      | No | 32-bit  | 32-bit PowerShell host supported | Runs only in 32-bit PowerShell host, which works on 32-bit and 64-bit architectures. |
+      | Yes | 64-bit | Runs script in 64-bit PowerShell host for 64-bit architectures. When ran on 32-bit, the script runs in a 32-bit PowerShell host. | Runs script in 32-bit PowerShell host. If this setting changes to 64-bit, the script opens (it doesn't run) in a 64-bit PowerShell host, and reports the results. When ran on 32-bit, the script runs in 32-bit PowerShell host. |
+
+5. Select **Scope tags**. Scope tags are optional. [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md) has more information.
+
+    To add a scope tag:
+
+    - Choose **Select scope tags** > select an existing scope tag from the list > **Select**.
+
+    - When finished, select **Next**.
+
+6. Select **Assignments** > **Select groups to include**. An existing list of Microsoft Entra groups is shown.
+
+    - Select one or more groups that include the users whose devices receive the script. Choose **Select**. The groups you chose are shown in the list, and will receive your policy.
+
+        > [!NOTE]
+        > PowerShell scripts in Intune can be targeted to Microsoft Entra device security groups or Microsoft Entra user security groups.
+        > However, when targeting workplace joined (WPJ) devices, only Microsoft Entra device security groups can be used (user targeting will be ignored).
+
+    - Select **Next**.
+
+        ![Assign or deploy PowerShell script to device groups in Microsoft Intune](./media/intune-management-extension/mgmt-extension-assignments.png)
+
+7. In **Review + add**, a summary is shown of the settings you configured. Select **Add** to save the script. When you select **Add**, the policy is deployed to the groups you chose.
+
+### Scenario - Failure to run script
+
+**8 AM**
+
+- Check in
+- Run script **ConfigScript01**
+- Script fails
+
+**9AM**
+
+- Check in
+- Run script **ConfigScript01**
+- Script fails (retry count = 1)
+
+**10 AM**
+
+- Check in
+- Run script **ConfigScript01**
+- Script fails (retry count = 2)
+  
+**11 AM**
+
+- Check in
+- Run script **ConfigScript01**
+- Script fails (retry count = 3)
+
+**12 PM**
+
+- Check in
+- No additional attempts are made to run **ConfigScript01**script.
+- If no additional changes are made to the script, then no additional attempts are made to run the script.
+
+## Monitor run status
+
+You can monitor the run status of PowerShell scripts for users and devices in the portal.
+
+In **PowerShell scripts**, select the script to monitor, choose **Monitor**, and then choose one of the following reports:
+
+- **Device status**
+- **User status**
+
+## Delete a script
+
+In **PowerShell scripts**, right-click the script, and select **Delete**.
+
+## Common issues and resolutions
+
+### Issue: PowerShell scripts do not run
+
+**Possible resolutions**:
+
+- The PowerShell scripts don't run at every sign in. They run:
+
+  - When the script is assigned to a device
+  - If you change the script, upload it, and assign the script to a user or device
+  
+    > [!TIP]
+    > The **Microsoft Intune Management Extension** is a service that runs on the device, just like any other service listed in the Services app (services.msc). After a device reboots, this service may also restart, and check for any assigned PowerShell scripts with the Intune service. If the **Microsoft Intune Management Extension** service is set to Manual, then the service may not restart after the device reboots.
+
+- Be sure devices are [joined to Microsoft Entra ID](/azure/active-directory/user-help/user-help-join-device-on-network). Devices that are only joined to your workplace or organization ([registered](/azure/active-directory/user-help/user-help-register-device-on-network) in Microsoft Entra ID) won't receive the scripts.
+- Confirm the Intune management extension is downloaded to `%ProgramFiles(x86)%\Microsoft Intune Management Extension`.
+- Scripts don't run on Surface Hubs or Windows 10 in S mode.
+- Review the logs for any errors. See [Intune management extension logs](../apps/intune-management-extension.md#intune-management-extension-logs) (in this article).
+- For possible permission issues, be sure the properties of the PowerShell script are set to `Run this script using the logged on credentials`. Also check that the signed in user has the appropriate permissions to run the script.
+
+- To isolate scripting problems, you can:
+
+  - Review the PowerShell execution configuration on your devices. See the [PowerShell execution policy](/powershell/module/microsoft.powershell.security/set-executionpolicy) for guidance.
+  - Run a sample script using the Intune management extension. For example, create the `C:\Scripts` directory, and give everyone full control. Run the following script:
+
+    ```powershell
+    write-output "Script worked" | out-file c:\Scripts\output.txt
+    ```
+
+    If it succeeds, output.txt should be created, and should include the "Script worked" text.
+
+  - To test script execution without Intune, run the scripts in the System account using the [psexec tool](/sysinternals/downloads/psexec) locally:
+
+    `psexec -i -s`  
+
+  - If the script reports that it succeeded, but it didn't actually succeed, then it's possible your antivirus service may be sandboxing AgentExecutor. The following script always reports a failure in Intune. As a test, you can use this script:
+  
+    ```powershell
+    Write-Error -Message "Forced Fail" -Category OperationStopped
+    mkdir "c:\temp" 
+    echo "Forced Fail" | out-file c:\temp\Fail.txt
+    ```
+
+    If the script reports a success, look at the `AgentExecutor.log` to confirm the error output. If the script executes, the length should be >2.
+
+  - To capture the `.error` and `.output` files, the following snippet executes the script through AgentExecutor to PowerShell x86 (`C:\Windows\SysWOW64\WindowsPowerShell\v1.0`). It keeps the logs for your review. Remember, the Intune Management Extension cleans up the logs after the script executes:
+  
+    ```powershell
+    $scriptPath = read-host "Enter the path to the script file to execute"
+    $logFolder = read-host "Enter the path to a folder to output the logs to"
+    $outputPath = $logFolder+"\output.output"
+    $errorPath =  $logFolder+"\error.error"
+    $timeoutPath =  $logFolder+"\timeout.timeout"
+    $timeoutVal = 60000 
+    $PSFolder = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
+    $AgentExec = "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"
+    &$AgentExec -powershell  $scriptPath $outputPath $errorPath $timeoutPath $timeoutVal $PSFolder 0 0
+    ```
+
+### Issue: Why are scripts running even though Windows is no longer managed? 
+
+When a Windows device with assigned scripts is no longer managed, the IME isn't removed immediately. The IME detects that the Windows isn't managed at the next IME check-in (usually every 8 hours) and cancels script-runs. In the meantime, any locally stored scripts may run. When the IME is unable to check in, it retries checking in for up to 24 hours (device-awake time) and then removes itself from the Windows device. 
+
+## Next steps
+
+[Monitor](../configuration/device-profile-monitor.md) and [troubleshoot](../configuration/device-profile-troubleshoot.md) your profiles.
@@ -74,7 +74,7 @@ Profiles are created in the [Microsoft Intune admin center](https://go.microsoft
 - **Overview**: Lists the status of your profiles, and provides more details on the profiles you assigned to users and devices.
 - **Monitor**: Check the status of your profiles for success or failure, and also view logs on your profiles.
 - **By platform**: Create and view policies and profiles by your platform. This view can also show features specific to the platform. For example, select **Windows 10 and later**. You see Windows-specific features, such as **Windows Update Rings** and **PowerShell scripts**.
-- **Manage devices**: Create device profiles, upload custom [PowerShell scripts](../apps/intune-management-extension.md) to run on devices, and add data plans to devices using [eSIM](esim-device-configuration.md).
+- **Manage devices**: Create device profiles, upload custom [PowerShell scripts](../apps/powershell-scripts.md) to run on devices, and add data plans to devices using [eSIM](esim-device-configuration.md).
 
 When you create a profile (**Devices** > **Manage devices** > **Configuration** > **Create**), choose your platform:
 
 
@@ -335,7 +335,7 @@ On Linux devices, you can [add existing Bash scripts](../configuration/device-pr
 
 On macOS devices, you can [add existing shell scripts](../apps/macos-shell-scripts.md), and then deploy these scripts to your macOS devices.
 
-On Windows devices, you can use the Intune Management Extension to upload your [PowerShell scripts](../apps/intune-management-extension.md) in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.
+On Windows devices, you can use the Intune Management Extension to upload your [PowerShell scripts](../apps/powershell-scripts.md) in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.
 
 This feature supports:
 
 
@@ -270,7 +270,7 @@ The **devices** entity lists all enrolled devices under management and their cor
 | windowsOsEdition           | Windows Operating System edition.                                                                                                                             |
 | ethernetMacAddress           | The unique network identifier of this device.                                                                                                                                        |
 | model                      | The device model.                                                                                                                                                                      |
-| office365Version           | The version of Microsoft 365 that is installed on the device. `Office365Version` is only collected when the Intune management extension agent is installed on a Windows machine. The admin must also create and assign a PowerShell or Win32 App for the agent to be installed. For more information, see [Use PowerShell scripts on Windows 10 devices in Intune](../apps/intune-management-extension.md) and [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md).<p>**NOTE**:<br>There's a known issue with the Intune Data Warehouse **devices** table. The `office365Version` property for the device record may be null. This property is currently under maintenance and may be subject to deprecation. Therefore, you should consider not using this property value for reporting purposes.                                                                                                                               |
+| office365Version           | The version of Microsoft 365 that is installed on the device. `Office365Version` is only collected when the Intune management extension agent is installed on a Windows machine. The admin must also create and assign a PowerShell or Win32 App for the agent to be installed. For more information, see [Use PowerShell scripts on Windows 10 devices in Intune](../apps/powershell-scripts.md) and [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md).<p>**NOTE**:<br>There's a known issue with the Intune Data Warehouse **devices** table. The `office365Version` property for the device record may be null. This property is currently under maintenance and may be subject to deprecation. Therefore, you should consider not using this property value for reporting purposes.                                                                                                                               |
 | SubnetAddressV4Wifi           | The subnet address for IPV4 Wifi connection.                                                                                                                             |
 | IpAddressV4Wifi           | The IP address for IPV4 Wifi connection.                                                                                                                             |
 
 
@@ -90,7 +90,7 @@ Using Microsoft Intune, you can use a guided scenario to deploy a cloud configur
 
 - Deploys a Windows PowerShell script that removes built-in apps, and simplifies the Start menu.
 
-  For information about PowerShell scripts in Intune, go to [Use PowerShell scripts on Windows client devices](../apps/intune-management-extension.md).
+  For information about PowerShell scripts in Intune, go to [Use PowerShell scripts on Windows client devices](../apps/powershell-scripts.md).
 
 - Creates a Windows client update ring policy. This policy automatically updates the devices, including product updates, drivers, and Windows updates.
 
 
@@ -134,7 +134,7 @@ As you set up apps and app policies, think about your organization's requirement
 |[Add Microsoft 365 apps](../apps/apps-add-office365.md) |Add Microsoft 365 Apps for enterprise. |
 |[Assign apps to groups ](../apps/apps-deploy.md)|After you add apps to Intune, assign them to users and devices.|
 |[Include and exclude app assignments ](../apps/apps-inc-exl-assignments.md)|Control access and availability to an app by including and excluding selected groups from assignment.|
-|[Use PowerShell scripts](../apps/intune-management-extension.md)|Upload PowerShell scripts to extend Windows device management capabilities in Intune and make it easier to move to modern management.|
+|[Use PowerShell scripts](../apps/powershell-scripts.md)|Upload PowerShell scripts to extend Windows device management capabilities in Intune and make it easier to move to modern management.|
 
 ## Step 8: Enroll devices
 
 
@@ -557,7 +557,7 @@ This level expands on what you configured in levels 1 and 2. It adds extra secur
 - **Deploy shell scripts**:
 
   - [**macOS**: Use shell scripts](../apps/macos-shell-scripts.md)
-  - [**Windows**: Use Windows PowerShell scripts](../apps/intune-management-extension.md)
+  - [**Windows**: Use Windows PowerShell scripts](../apps/powershell-scripts.md)
 
 ## Follow the minimum recommended baseline policies