Microsoft Intune: Advanced Management with PowerShell Script

Microsoft Intune

Centralized cloud management is one of the trending topics at Microsoft, because the world is mobile and always connected, and because old rules, such as working only from the local office or using only company devices, have been superseded.


Since Microsoft Intune moved into the Azure portal, we have seen many new features introduced, but also many cuts that have limited some functionality. This is because the model has changed from agent-based to native, with deep integration of the MDM platform inside the operating system (I'm talking about Windows 10).


One of the pain points in Intune is the limited management of Windows 10: many settings are currently available only via GPO. MDM has too many limitations, and this is why many companies prefer the VPN-plus-GPO combination (more complex) to MDM. Via GPO we can deploy software and printers, change settings, map drives and much more; via MDM it's possible to deploy software (not all), manage updates (limited), deploy settings (limited) and a few more things.


To reduce this gap, we received the solution during the last Microsoft Ignite.


Introducing PowerShell Script

The PowerShell Script is a new way to run advanced commands and tasks that were not allowed in the past. This new item is found in the Device Compliance area – figure 1.


Figure 1 – PowerShell Script


The properties inside each rule are very simple:


  • Run the script when the user is logged on
  • Enforce script signature (if the requirement is to use a signed certificate)


Figure 2 – Item Properties


Script Example

This is an example to install Adobe Acrobat Reader:


# Look for an existing Adobe Reader DC entry among the 32-bit uninstall registry keys
$ResultADR = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "Adobe Reader DC*"}
$TempPath = "Z:\"
$appFile = "AcroRdrDC1500720033_MUI.exe"
# Run the silent setup only when no entry was found, and output the installer's exit code
If ($null -eq $ResultADR) {
    (Start-Process -FilePath "$TempPath$appFile" -ArgumentList "/sAll /rs /rps /msi /norestart /quiet ALLUSERS=1 EULA_ACCEPT=YES" -Wait -PassThru).ExitCode
}


The script checks whether the software is already installed and, if it is not, runs the setup.


The prerequisite is a remote share that the client can reach, but if your users are always outside, it's also possible to add a wget cmdlet to download the application locally.


The script runs with SYSTEM permissions, which means there isn't much risk if the end user is a standard User and not a local Administrator.
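
The download variant mentioned above, as an added example (not the author's script): since the script runs as SYSTEM, so does whatever it launches, so this version stages the installer in a folder standard users cannot write to and checks its SHA-256 hash and Authenticode signature before starting it. The URL, expected hash, signer pattern and staging folder name are placeholders and assumptions to replace with your own values.

```powershell
# Added example. PLACEHOLDER values are assumptions, not taken from the article.
$ErrorActionPreference = 'Stop'
$appFile        = 'AcroRdrDC1500720033_MUI.exe'              # file name from the article
$downloadUrl    = "https://downloads.example.com/$appFile"   # PLACEHOLDER URL
$expectedHash   = '<SHA256-OF-THE-INSTALLER-YOU-APPROVED>'   # PLACEHOLDER hash
$expectedSigner = '*Adobe*'                                  # assumed publisher pattern
$setupArgs      = '/sAll /rs /rps /msi /norestart /quiet ALLUSERS=1 EULA_ACCEPT=YES'

# Same detection as the article's script: skip when the product is already listed
$installed = Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -like 'Adobe Reader DC*' }
if ($installed) { exit 0 }

# Stage under Program Files, where only SYSTEM and Administrators can write
$stage = Join-Path $env:ProgramFiles 'IntuneStaging'         # hypothetical folder name
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$installer = Join-Path $stage $appFile
$exitCode  = 1

try {
    # Windows PowerShell 5.1 may not negotiate TLS 1.2 by default
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $downloadUrl -OutFile $installer -UseBasicParsing

    # 1) The file must be byte-for-byte the build that was approved
    $hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    if ($hash -ne $expectedHash) { throw "Hash mismatch: $hash" }

    # 2) The file must carry a valid signature from the expected publisher
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $expectedSigner) {
        throw "Signature check failed: $($sig.Status)"
    }

    $proc = Start-Process -FilePath $installer -ArgumentList $setupArgs -Wait -PassThru
    $exitCode = $proc.ExitCode
}
catch {
    # Error text goes to the error stream; the script still ends with a non-zero code
    Write-Error $_ -ErrorAction Continue
}
finally {
    Remove-Item -Path $installer -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```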

Management from Client

To manage PowerShell scripts, a small daemon (Microsoft Intune Management Extension) is deployed on the client behind the scenes; it configures a Windows Service and a Task Scheduler task. By default the check runs at every restart, but if you change the Task Scheduler timing it's possible to run the check more frequently.


To verify the result, some logs are available that the Administrator can open in the folder C:\ProgramData\Microsoft\IntuneManagementExtension\Logs, to understand whether the scripts are good or whether errors are present.


Figure 3 – Log Analysis


A great friend for analyzing the logs is CMTrace, which parses the log in detail and gives a comprehensive response in case of errors.



The introduction of PowerShell Script is the answer to managing remote clients and is potentially the key to reducing the big gap with GPO. Good but not awesome, because to change a value it's necessary to write the right registry key to edit. Still, this is the first step, and maybe in the future we will see better integration for managing advanced settings.