Create and run scripts with the new feature “Run PowerShell scripts from the ConfigMgr console” on current branch 1706

In my last post I talked about how we could activate the new feature “Run PowerShell scripts from the ConfigMgr console” on current branch 1706. In this post I would like to talk about how to get started using this wonderful feature once you have activated it.

This feature really shows that the ConfigMgr product team over at Microsoft listens to its community and does everything it can to improve the product. Though this feature is a bit rough around the edges, it shows great potential and I can’t wait to see how it will evolve over time. As always, if you have any suggestions for improvements to ConfigMgr, let the product team know over at https://configurationmanager.uservoice.com/

 

Create a script

 

First of all we need to create a script. That’s done by going to Software Library > Scripts and then either right-clicking and choosing “Create script” or clicking “Create script” in the top left corner of the screen.

 


 

The first thing we need to do is give the script a name. Then we can choose whether to import a script or write it ourselves in the script box below. Once we are done, just follow through with the wizard: Next > Next > Close.

 


 

When the script has been created, our next step is to approve or deny the script, which has the status “Waiting for approval”.

Note: By default a script creator can’t approve their own script. This is a security feature that’s been added in ConfigMgr, since running PowerShell scripts could have huge security implications. However, this setting can be turned off under Hierarchy settings. Look for “Do not allow script authors to approve their own scripts.” in the blog post for how to turn it on/off.

 

After you have clicked “Approve/Deny”, just follow through with the wizard. First you get the chance to look at the script, but you will not be able to modify it. The next step is to approve or deny it and add a comment if you want.

 


 

Now to the fun part of actually running the script. At the moment you are not able to run the script directly on a device but instead you need to run it against a Device collection. Go to Device collections and right click on the collection you want to run the script against. In the wizard that pops up select the script you want to run and then follow through with the wizard.

 


 

If you go in to “Monitoring > Client Operations” you will find that a new operation has been started

 


 

Then, a few moments later, if you go to “Monitoring > Script Status” you should be able to see your script and its status here.

 

 

Tips for troubleshooting

 

First of all I recommend that you add the GUID column in the Script Status console window.

 


 

The client downloads the script in order to run it, and it is stored in C:\Windows\CCM\ScriptStore

The file name of the script contains the GUID for the script, which we can find in the ConfigMgr console. Compare the GUID to the file name to make sure that the script did download.

 


 

 

On the client you will also find a log file for the script: C:\Windows\ccm\logs\Scripts.log

 


 

Inside the log file you will see information like this

 

[Screenshot: entries in Scripts.log]
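
The two troubleshooting checks above (script file present in ScriptStore, entries in Scripts.log) combined into one client-side script. This is an added example, not code from the original post; the default GUID is a constructed placeholder, and it assumes an elevated PowerShell session on the client.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the client that should have received the script.
param(
    # GUID from the GUID column under Monitoring > Script Status.
    # The default is a constructed placeholder, not a real script GUID.
    [string]$ScriptGuid = '00000000-0000-0000-0000-000000000000',
    [int]$TailLines = 40
)

$storePath = 'C:\Windows\CCM\ScriptStore'        # path given in the post
$logPath   = 'C:\Windows\CCM\Logs\Scripts.log'   # path given in the post

# Reject anything that is not a GUID before using it in a wildcard match.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($ScriptGuid, [ref]$parsed)) {
    throw "'$ScriptGuid' is not a valid GUID."
}
$guid = $parsed.ToString()

# Check 1: did the client download a file whose name contains the GUID?
if (Test-Path -LiteralPath $storePath) {
    $hits = @(Get-ChildItem -LiteralPath $storePath -File |
        Where-Object { $_.Name -like "*$guid*" })
    if ($hits.Count -eq 0) {
        Write-Warning "No file in $storePath has $guid in its name."
    }
    foreach ($file in $hits) {
        # Record a hash so the copy on this client can be compared with other clients.
        [pscustomobject]@{
            File       = $file.Name
            Downloaded = $file.LastWriteTime
            SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
} else {
    Write-Warning "$storePath does not exist on this client."
}

# Check 2: show log lines naming the GUID, or the end of the log if none do.
if (Test-Path -LiteralPath $logPath) {
    $mentions = @(Select-String -LiteralPath $logPath -SimpleMatch -Pattern $guid)
    if ($mentions.Count -gt 0) {
        $mentions | Select-Object -Last $TailLines | ForEach-Object { $_.Line }
    } else {
        Get-Content -LiteralPath $logPath -Tail $TailLines
    }
} else {
    Write-Warning "$logPath not found."
}
```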

 

Final words

 

Something that’s also worth mentioning is that you need to have the Run Script permission assigned if you want to run scripts.

From MS docs https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-deploy-scripts

  • To run scripts – Your account must have Run Script permissions for Collections in the Compliance Settings Manager security role.

 

To me this sounds like it should be there by default, but it isn’t. The only built-in role that has that permission by default is the Full Administrator role.

 


 

 

So what you need to do is either assign Full Administrator to the user who wants to run the script or create a custom security role and add the Run Script permission.

 


 

That’s all for now and I wish y’all happy scripting !

 

Feel free to leave any comments and questions below.

 

You can also find me over at www.timmyit.com and don’t forget to follow me on twitter https://twitter.com/TimmyITdotcom

 

Until next time, Cheers !

//Timmy

 


Comments (6):

  1. Madhu says:

    I think we can use this option rather than CI in Configuration Manager. Through scripts we can almost handle everything and deploy that script to a collection with the machines we want to remediate.

    • Timmy Andersson says:

      Yes, this method gives us more options in the way we want to use PowerShell on the clients. But it doesn’t replace CI and script remediation because they are used in different scenarios.
      Run script gives us (almost) real-time execution towards a client and the script only runs once, while CIs are reoccurring and not instantly evaluated from the time you deploy them.

      However, I also have a blog post on how to trigger a CI evaluation on a collection with the help of PowerShell here: https://timmyit.com/2016/09/27/qa-trigger-baseline-evaluation-on-a-device-collection/

      I’ll probably do a post on what the differences are and when to use what.

      • djammmmer says:

        You know, with the new parameter capabilities in 1707… I’m thinking you could write a PS script that takes a parameter of the CI ID, and calls evaluate / remediate on it. Then you can use that as a realtime script to trigger the evaluation or remediation of any CI realtime (because you can feed it a parameter when you run it.)

        • Timmy Andersson says:

          That was exactly what I was thinking too David, they say great minds think alike 😉 A question that I haven’t been able to find any answer to yet is how the run script function pushes the script to a client: is it single-threaded (takes one client at a time) or multi-threaded? And is there a way to measure the time it takes to run a script towards an entire collection?

  2. Kyle says:

    I have created a few scripts that all say exit code 0 but nothing happens on the client.
    Example scripts:

    shutdown.exe -r -t 0
    Restart-Computer $env:COMPUTERNAME

    Both show an exit code 0 but nothing happens.

    • Timmy Andersson says:

      Does the scripts.log on the client say anything? Or eventvwr?
      Also, what OS are you running on the client ?
