How to Deploy a PowerShell Script via Intune

Published 18 March 2026 · 8 min read

Intune lets you run PowerShell scripts on Windows devices via the Intune Management Extension (IME). This is one of the most flexible tools in Intune - use it for configuration tasks that have no built-in policy, post-install setup, remediation, or anything that needs scripting. This guide covers the full process from script to execution, including how to check results and handle common issues.

How Intune PowerShell scripts work

When you deploy a PowerShell script via Intune, the Intune Management Extension (IME) agent on the device downloads and runs it. The IME is installed automatically when you deploy a Win32 app or PowerShell script to a device.

Scripts run under one of two contexts:

💡
Scripts vs Proactive Remediations
For one-off configuration tasks, use Scripts. For recurring detection and fix jobs (e.g. check a setting every hour and fix it if wrong), use Proactive Remediations instead - they run on a schedule and report pass/fail status.

Prerequisites

Upload and configure the script

Intune Admin Centre → Devices → Scripts → + Add → Windows 10 and later
  1. Give the script a clear name and description
  2. Upload your .ps1 file
  3. Configure the settings below
  4. Assign to a device or user group

Script settings explained

⚙️
Script settings
These control how and where the script runs
Run script in 64-bit PowerShell host: Yes
  Always set Yes unless your script specifically needs 32-bit. 64-bit gives access to the full registry and system paths.
Run this script using the logged on credentials: No (SYSTEM)
  Set to No for system tasks. Set to Yes for user-level tasks like setting per-user registry keys or app preferences.
Enforce script signature check: No
  Set to Yes only if your org signs scripts. With No, any .ps1 runs - fine for most environments.
⚠️
Script output is not returned to Intune
Intune only reports success (exit 0) or failure (non-zero exit). It does not capture Write-Output or Write-Host. Use exit codes to signal pass/fail, and write to a log file if you need output for troubleshooting.
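
A pre-upload check to go with the Enforce script signature check setting above, as an added example that is not part of the original guide: it confirms that a .ps1 carries a valid, timestamped Authenticode signature from a certificate you expect. The function name, the allow-list parameter and the placeholder thumbprint are assumptions.

```powershell
# Added example (not from the original guide): gate a script before uploading it to Intune.
function Test-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Assumption: you maintain a list of thumbprints for your org's code-signing certificates.
        [Parameter(Mandatory)] [string[]] $AllowedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch (file changed after signing), untrusted chain, etc.
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    elseif ($AllowedThumbprint -notcontains $sig.SignerCertificate.Thumbprint) {
        $problems += "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    if ($sig.Status -eq 'Valid' -and -not $sig.TimeStamperCertificate) {
        $problems += 'No timestamp: the signature stops validating once the signing certificate expires'
    }
    [pscustomobject]@{
        Path     = $Path
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample: an unsigned script, which the gate must reject.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed-unsigned.ps1'
Set-Content -Path $sample -Value 'exit 0'
# Placeholder thumbprint; replace with your signing certificate's thumbprint.
Test-ScriptSignature -Path $sample -AllowedThumbprint @('0000000000000000000000000000000000000000') |
    Format-List
Remove-Item -Path $sample
```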

Assign and deploy

Assign to Device groups for SYSTEM context scripts. Assign to User groups for user-context scripts. Scripts run within 1 hour of assignment on online devices, or at next check-in.

💡
Test on a pilot group first
Always assign new scripts to a small test group before rolling out to all devices. A script with a bug running as SYSTEM on 500 devices can cause real damage - test carefully.

Monitor execution

Devices → Scripts → select your script → Device status

Each device shows one of three states:

Reading the IME log

For detailed troubleshooting, read the Intune Management Extension log on the device:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

Search for your script name in the log to find the execution entry. It shows the script content hash, execution time, exit code, and any errors from the PowerShell engine.
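
The log search described above, as an added example that is not part of the original guide: it pulls only the entries that mention your script and keeps multi-line messages intact. It assumes the log uses the CMTrace entry layout; the function name and the sample entries are constructed for illustration.

```powershell
# Added example (not from the original guide). Assumes CMTrace-style log entries.
function Get-ImeLogEntry {
    param(
        [Parameter(Mandatory)] [string] $Text,     # raw log text (Get-Content -Raw)
        [Parameter(Mandatory)] [string] $Pattern   # literal text to look for, e.g. the script name
    )
    # (?s) lets a message span several lines, as happens when an entry embeds error text.
    $entry = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="[^"]*" context="[^"]*" type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in $entry.Matches($Text)) {
        $msg = $m.Groups['msg'].Value
        if ($msg.IndexOf($Pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{
                When     = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
                Severity = $severity[$m.Groups['type'].Value]
                Message  = $msg.Trim()
            }
        }
    }
}

# Constructed sample entries (wording is illustrative, not copied from a real device).
$sample = @'
<![LOG[Constructed: processing script MyScript.ps1]LOG]!><time="09:15:02.1000000" date="3-18-2026" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[Constructed: unrelated check-in message]LOG]!><time="09:15:03.2000000" date="3-18-2026" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[Constructed: MyScript.ps1 failed
exit code 1]LOG]!><time="09:15:04.3000000" date="3-18-2026" component="IntuneManagementExtension" context="" type="3" thread="7" file="">
'@
# Returns the first and third entries; the third keeps both lines of its message.
Get-ImeLogEntry -Text $sample -Pattern 'MyScript.ps1' | Format-List

# On a device, read the real log instead:
# $log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
# Get-ImeLogEntry -Text (Get-Content -Path $log -Raw) -Pattern 'MyScript.ps1'
```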

You can also run IME diagnostics from the device by launching the IME tray icon or running:

%ProgramFiles%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe

Script writing tips for Intune

Always use explicit exit codes

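# Good - explicit exit codes
try {
    # Your script logic here
    # -ErrorAction Stop turns non-terminating errors into exceptions,
    # so a failed write reaches the catch block instead of falling through to exit 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\MyApp" -Name "Setting" -Value 1 -ErrorAction Stop
    Write-Host "Success"
    exit 0
} catch {
    Write-Host "Error: $_"
    exit 1
}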

Write a log file for troubleshooting

$logPath = "C:\ProgramData\MyOrg\Scripts\MyScript.log"
# Create the log folder if it does not exist; Out-Null discards the folder object New-Item returns
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null
Add-Content $logPath "[$(Get-Date)] Script started"
# ... your logic ...
Add-Content $logPath "[$(Get-Date)] Script completed successfully"

Check if the script already ran

# Prevent re-running if already applied
$flagPath = "C:\ProgramData\MyOrg\Scripts\myconfig.done"
if (Test-Path $flagPath) { exit 0 }
# ... your logic ...
# Write the marker file only after the logic above has completed
New-Item -ItemType File -Path $flagPath -Force | Out-Null
exit 0

Frequently Asked Questions

Q: How do I deploy a PowerShell script via Intune?

Go to Devices > Scripts > Add > Windows 10 and later. Upload your .ps1 file, set Run script in 64-bit PowerShell host to Yes, and assign to a device or user group. The script runs within 1 hour on enrolled devices.

Q: Does Intune run PowerShell scripts as SYSTEM or the logged-in user?

You choose. Set Run this script using the logged on credentials to Yes to run as the current user, or No to run as SYSTEM. Most admin tasks like installing software or changing system settings need SYSTEM context.

Q: How do I check if an Intune PowerShell script ran successfully?

Go to Devices > Scripts, select the script, and click Device status. You can see per-device success, failure, or pending status. For detailed output, check the Microsoft Intune Management Extension log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log.

Q: Can Intune PowerShell scripts run more than once?

By default, scripts run once per device. Set Run script in 64-bit PowerShell host and Enforce script signature check as needed. To re-run a script, you must edit it (even a minor change) or reassign it - Intune tracks execution by script hash.
