In my last post I talked about how we could activate the new feature "Run Powershell script from the ConfigMgr" on current branch 1706 and in this post I would like to talk about on how to get started using this wonderful feature once you have activated it.

This feature really shows that the ConfigMgr product team over at Microsoft really listens to its community and that they do everything they can to improve the product. Tho this feature is a bit rough around the edges it shows great potential and i can't wait to see how it will evolve over time and as always if you have any suggestions for improvements to ConfigMgr let the product team know over at https://configurationmanager.uservoice.com/

Create a script

First of all we need to create a script and that's done by going to Software library > Scripts and then just right click and "Create script" or click on "Create script" over at the top left corner of the screen.

First thing we need to do is to give the script a name and then we can choose if we want to import a script or just write it our self in the script box below and once we are done just follow through with the wizard "Next > Next > Close"

When the script has been created our next step is to approve or deny the script with the status "Waiting for approval"

Note, By default a script creator can't approve their own script and this is a security feature that's been added in ConfigMgr since running powershell scripts could have huge security implication. However this setting can be turned off under Hierarchy settings. Look for “Do not allow script authors to approve their own scripts.” in blog post for how to turn on/off

After you clicked on "Approve/Deny" just follow through with the wizard. First you have the chance to look at the script but you will not be able to modify it and the next step is to approve or deny it and add a comment if you want.

Now to the fun part of actually running the script. At the moment you are not able to run the script directly on a device but instead you need to run it against a Device collection. Go to Device collections and right click on the collection you want to run the script against. In the wizard that pops up select the script you want to run and then follow through with the wizard.

If you go in to "Monitoring > Client Operations" you will find that a new operation has been started

Then if then a few moments after you go in to "Monitoring > Script Status" you should be able to see you script and status here



Tips for troubleshooting

First of all i recommend that you have the GUID column added under the script status console window

The client downloads the script to be able to run it and it gets located here C:\Windows\CCM\ScriptStore

The name of the script contains the GUID for the script that we can find in the ConfigMgr Console and just compare that to the name of the script to make sure that the script did download.

Over at the Client you will also find a log file for the script C:\Windows\ccm\logs\Scipts.log

Inside the log file you will see information like this

Final words

Something that's also worth mentioning is that you need to have the permission Runscript assigned if you want to run scripts.

From MS docs https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-deploy-scripts

"

To run scripts - Your account must have Run Script permissions for Collections in the Compliance Settings Manager security role.

"

This to me sounds like it should be there by default but it isn't. The only Built in role that has that permissions by default is the Full administrator role.

So what you need to do is to either set full administrator to the user who want's to run the script or create a custom security role and add the Run script permissions.

That's all for now and I wish y'all happy scripting !

Feel free to leave any comments and questions below,

You can also find me over at www.timmyit.com and don’t forget to follow me on twitter https://twitter.com/TimmyITdotcom

Until next time, Cheers !

//Timmy