Part 16 – Configure Microsoft Intune – PowerShell Scripts

Basically, Microsoft Intune can deploy only mobile apps for the iOS, Windows and Android platforms and MSI installers for Windows 10. Some legacy applications have only an EXE installer, which means that you cannot deploy such a legacy application via Microsoft Intune. Fortunately, Microsoft Intune has something awesome! You can use PowerShell scripts for configuration, deployment or removal on Windows 10 devices. This means that you can use a PowerShell script to deploy the legacy application on the Windows 10 devices. Do you want to know how this works? Then read on, because this time it is all about PowerShell in Microsoft Intune!

What does this PowerShell option do in Microsoft Intune?

Within Device Configuration, you have the option to use a configuration profile or a PowerShell script. With a script, you can do everything on the client, like renaming the computer, configuring the IP address, installing an application from an EXE installer and so on. It is so powerful.

Microsoft Intune uses an extension that lets you upload PowerShell scripts in Intune to run on Windows 10 devices. Intune installs the Intune Management Extension first before running the scripts on the Windows 10 device.

For more information:


Before we add the script to Intune, you have to make a script first. I already have one, like this. I got this from Oliver Kieselbach (Thanks! and this is his blog site: ) and modified it a bit.


<#
Version: 1.2
Author: Albert Neef
Script: Intune_PSScript_test.ps1
Intune Management Extension - PowerShell script template with logging,
error codes, standard error output handling and x64 PowerShell execution.
Release notes:
Version 1.0: Original published version.
Version 1.1: Added standard error output handling.
Version 1.2: modified for Adobe Reader and errorhandling
The script is provided "AS IS" with no warranties.
#>

$exitCode = 0

if (![System.Environment]::Is64BitProcess)
{
    # start new PowerShell as x64 bit process, wait for it and gather exit code and standard error output
    $sysNativePowerShell = "$($PSHOME.ToLower().Replace("syswow64", "sysnative"))\powershell.exe"

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $sysNativePowerShell
    $pinfo.Arguments = "-ex bypass -file `"$PSCommandPath`""
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.CreateNoWindow = $true
    $pinfo.UseShellExecute = $false
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null

    # drain both redirected streams so the child cannot block on a full pipe
    $null = $p.StandardOutput.ReadToEndAsync()
    $stderr = $p.StandardError.ReadToEnd()

    # the exit code is only available after the process has exited
    $p.WaitForExit()
    $exitCode = $p.ExitCode

    if ($stderr) { Write-Error -Message $stderr }
}
else
{
    # start logging to TEMP in file "scriptname".log
    Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1",".log"))" | Out-Null

    # Check if Software is installed already in registry.
    $CheckADCReg = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | where {$_.DisplayName -like "Adobe Acrobat Reader DC*"}

    # If Adobe Reader is not installed continue with script. If it's installed already script will exit.
    If ($null -eq $CheckADCReg)
    {
        # Path for the temporary downloadfolder. Script will run as system so no issues here
        $Installdir = "c:\temp\install_adobe"
        New-Item -Path $Installdir -ItemType directory -Force | Out-Null

        # Download the installer from the Adobe website. Always check for new versions!!
        $source = ""
        $destination = "$Installdir\AcroRdrDC1800920044_en_US.exe"
        try
        {
            Invoke-WebRequest $source -OutFile $destination -ErrorAction Stop
        }
        catch
        {
            Write-Error -Message "Could not download the installer from the Adobe website" -Category OperationStopped
            $exitCode = -1
        }

        # Start the installation when download is finished
        try
        {
            Start-Process -FilePath "$Installdir\AcroRdrDC1800920044_en_US.exe" -ArgumentList "/sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES" -ErrorAction Stop
        }
        catch
        {
            Write-Error -Message "Could not install Adobe Reader" -Category OperationStopped
            $exitCode = -1
        }

        # Wait for the installation to finish. Test the installation and time it yourself. I've set it to 240 seconds.
        Start-Sleep -s 240

        # Finish by cleaning up the download. I choose to leave c:\temp\ for future installations.
        rm -Force $Installdir\AcroRdrDC*
    }

    Stop-Transcript | Out-Null
}

exit $exitCode

What does the script do? This script will download Adobe Reader from the Adobe website and install Adobe Reader on the client. There is some logging and error handling in the script. For example, if the download does not succeed, you will find this in the log. The error is reported to Microsoft Intune. You can see the status under Device Status of the script, but for more information you have to check the log on the client. Maybe you can build an option to upload the log to a central point.
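The script starts whatever file was downloaded, in the system context, and then sleeps for a fixed 240 seconds. As an added example (not part of the original script or of Oliver Kieselbach's template), the function below checks the installer's Authenticode signature and signer before starting it and returns the installer's real exit code. Install-VerifiedExe, its parameters and the '*O=Adobe*' signer pattern are assumptions for illustration.

```powershell
# Added example; Install-VerifiedExe and its parameters are hypothetical names.
function Install-VerifiedExe {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ArgumentList,
        # Assumption: compare this pattern with the subject of the vendor's real certificate.
        [string] $SignerPattern = '*O=Adobe*',
        # Optional pin; take the value from a checksum the vendor publishes.
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # The Authenticode signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed ($($sig.Status)): $Path"
    }
    # A valid signature from any publisher is not enough; check who signed it.
    if ($sig.SignerCertificate.Subject -notlike $SignerPattern) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) { throw "SHA-256 mismatch: $actual" }
    }

    # -Wait -PassThru yields the installer's exit code instead of a fixed sleep.
    $proc = Start-Process -FilePath $Path -ArgumentList $ArgumentList -Wait -PassThru
    return $proc.ExitCode
}

# Usage with the path and arguments from the script on this page.
$exitCode = 0
$destination = "c:\temp\install_adobe\AcroRdrDC1800920044_en_US.exe"
try {
    $rc = Install-VerifiedExe -Path $destination -ArgumentList "/sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES"
    if ($rc -ne 0) { Write-Error -Message "Installer exit code $rc"; $exitCode = $rc }
}
catch {
    Write-Error -Message "Could not install Adobe Reader: $_" -Category OperationStopped
    $exitCode = -1
}
```

Stage the download in a directory that only SYSTEM and Administrators can write to, so the file cannot be replaced between the check and the launch.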

Copy this script to PowerShell ISE and save this script. We have to upload the .ps1 file to Microsoft Intune later in this blog.

Let’s begin:

Go to the Intune portal -> Device Configurations -> PowerShell scripts

Click on Add.

Enter a name and browse to your PowerShell script file. Click on Configure.

Leave the settings as they are. The script must run in the system context, with no check for a trusted signature. Click on the OK button and then on the Create button.

The script is added to Intune. Now you have to assign the script to a group. Go to assignments.

Click on the Select group button and add the group. Click on the select button. Click on the Save button.

The deployment will begin in a few minutes. To check the installation, look at the Device status or check on the client itself.

Intune will install an extension first before running the scripts.

On the client, in Programs and Features, you see that the Intune Management Extension is installed. Intune will continue with the script. If you have enabled logging in the script, you should see some logging on the client. You can also check the Task Manager for the running process; maybe you will find the installation process.

This is it. Adobe Reader installation has finished, based on a script.


You have installed an application, based on an EXE installer, on a Windows 10 device. Not with SCCM but with Microsoft Intune only. PowerShell support makes Intune more flexible for Windows 10. PowerShell is powerful and you can use it for almost everything. This makes it very easy for the IT guy or girl to deploy legacy applications or do some remote configuration on the client.

I am ending this blog. I hope you liked the post. If you have any questions or comments, please do not hesitate to send an email or leave a comment.

Good luck and greetings.


12 thoughts on “Part 16 – Configure Microsoft Intune – PowerShell Scripts”

  1. daniel

    Thank you for this post. We are trying to do the same to install Java on our PCs and copy over the java sites exception files to a specific user folder that java creates after install. It seems when we run the script, it tries to copy the exceptions.sites file before the install is complete. Any suggestion on what we can do to try again?

    Is there a way to tell Intune to run PS script in chronological order instead of random?


    1. Hi Daniel, thanks for your comment. No, that is not possible at the moment, maybe in future based on priority. The deployment of PowerShell scripts will deploy in random order to your machines. The only thing you could do is to integrate all the scripts in 1 script. I think this is the only solution for your Java scenario.

  2. Take a look at Chocolatey 🙂

    1. Thanks for the tip, Stefan!

  3. Greg M

    Nice Article! I’m having one slight problem though, I assigned a group and verified that the computers are a part of the group to have Intune deploy the script, but no devices are showing up even though the assignment is correct.

    1. Hi Greg M, thanks for your comment. You mean that the script is not running on the target/assignment devices? Can you check if the Intune Management Extension is installed on the target devices? Without this extension, the script will not run.

  4. Greg M

    Yes, the script is not running on the target devices, but I’m not seeing any devices being assigned to the target group that I created even though there are two computers in the group. It’s like the assignment group is not assigning the devices. The management extension is not installed, but I’m sure this is due to the fact that no machines have been assigned to the policy.

    1. How do you deploy the script? As System? How are the computers enrolled, manually or auto enroll? Only auto enroll will trigger to install the management extension. Do you get some error events in: event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

  5. Greg M

    I am deploying as system. The computers are enrolled manually so that is probably why it’s not triggering the install of the management extension. The other issue is I’ve been trying to find a powershell script that will work to just remove previous Java SE versions that are old and I’ve been having some trouble finding a powershell script that will work to accomplish this. I don’t know powershell myself so I’m going to need to find something that will work. I do have a .bat file that works perfectly, it uninstalls the old and installs the new version of Java, but I can’t get the .exe package that I create to work inside of Intune.

    1. That’s indeed the reason why it does not trigger. A nice note for the blogpost about this. I will update the blogpost this week :).

      About the installation and uninstallation. I can help you maybe, but this will cost some time to figure it out and test the script. If you want, I will try it this week.

      Btw, you can use the WIN32 feature in Intune to try to install the new version of Java and maybe you also have to make a WIN32 application of the old one to remove it from your devices. PSscript isn’t needed anymore.

      Let me know..

  6. Greg M

    I did try to install using the WIN32 feature in Intune, but I could not get it to work. I have a VBScript that works perfectly. I’m just having some issues getting that packaged in Intune to work. From what I read I would need to package as a .exe in Intune to get it to work. I tried that though that the .exe file never pushed out to my test machines. If you have a chance to work on a script that would be great. I’ve found a lot of scripts out there that supposedly work, but I have not had any luck with them.
