Create and run scripts with the new feature “Run Powershell scripts from the ConfigMgr console” on current branch 1706

In my last post I talked about how to activate the new feature “Run Powershell script from the ConfigMgr” on current branch 1706. In this post I would like to talk about how to get started using this wonderful feature once you have activated it.

This feature really shows that the ConfigMgr product team over at Microsoft listens to its community and does everything it can to improve the product. Though this feature is a bit rough around the edges, it shows great potential and I can’t wait to see how it will evolve over time. As always, if you have any suggestions for improvements to ConfigMgr, let the product team know over at https://configurationmanager.uservoice.com/

 

Create a script

 

First of all we need to create a script. That’s done by going to Software Library > Scripts and then either right-clicking and choosing “Create script” or clicking “Create script” in the top-left corner of the screen.

 


The first thing we need to do is give the script a name. Then we can choose whether to import a script or write it ourselves in the script box below. Once we are done, just follow through with the wizard: Next > Next > Close.

 


When the script has been created, our next step is to approve or deny the script, which has the status “Waiting for approval”.

Note: By default a script creator can’t approve their own script. This is a security feature that’s been added in ConfigMgr, since running PowerShell scripts could have huge security implications. However, this setting can be turned off under Hierarchy settings. Look for “Do not allow script authors to approve their own scripts.” in the blog post for how to turn it on or off.

 

After you have clicked on “Approve/Deny”, just follow through with the wizard. First you have the chance to look at the script, but you will not be able to modify it. The next step is to approve or deny it and add a comment if you want.

 


Now to the fun part of actually running the script. At the moment you are not able to run the script directly on a device; instead you need to run it against a device collection. Go to Device Collections and right-click on the collection you want to run the script against. In the wizard that pops up, select the script you want to run and then follow through with the wizard.

 


If you go to “Monitoring > Client Operations” you will find that a new operation has been started.

 


Then, if you go to “Monitoring > Script Status” a few moments later, you should be able to see your script and its status there.

 

 

Tips for troubleshooting

 

First of all, I recommend that you add the GUID column to the Script Status window in the console.

 


The client downloads the script in order to run it, and stores it here: C:\Windows\CCM\ScriptStore

The file name of the downloaded script contains the GUID for the script, which we can find in the ConfigMgr console. Compare the GUID in the console with the file name to make sure that the script did download.

 


On the client you will also find a log file for the script: C:\Windows\ccm\logs\Scripts.log

 


Inside the log file you will see information like this
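
To run the two checks above from a prompt on the client, the following added example (not part of the original post) looks for a ScriptStore file whose name contains the GUID and pulls the matching Scripts.log lines. The function name, its parameters and the all-zero sample GUID are hypothetical, and it assumes that Scripts.log entries mention the script GUID.

```powershell
# Added example: function name, parameters and output properties are hypothetical.
# Both paths come from the article. Run on the client from an elevated session.
function Get-CmScriptClientEvidence {
    [CmdletBinding()]
    param(
        # Script GUID as shown in the GUID column under Monitoring > Script Status
        [Parameter(Mandatory)][guid]$ScriptGuid,
        [string]$ScriptStore = 'C:\Windows\CCM\ScriptStore',
        [string]$LogPath     = 'C:\Windows\CCM\Logs\Scripts.log',
        [int]$MaxLogLines    = 20
    )

    $guidText = $ScriptGuid.ToString()   # canonical form without braces
    $result = [ordered]@{
        ScriptGuid = $guidText
        Downloaded = $false
        Files      = @()
        LogLines   = @()
        Errors     = @()
    }

    try {
        # The article states that the file name contains the GUID
        $files = @(Get-ChildItem -LiteralPath $ScriptStore -File -ErrorAction Stop |
            Where-Object { $_.Name -like "*$guidText*" })
        $result.Downloaded = $files.Count -gt 0
        # Hash and timestamp let you tell apart two downloads of an edited script
        $result.Files = @($files | ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            }
        })
    }
    catch { $result.Errors += "ScriptStore: $($_.Exception.Message)" }

    try {
        # Assumption: log entries for a run mention the script GUID
        $result.LogLines = @(Select-String -LiteralPath $LogPath -Pattern $guidText -SimpleMatch -ErrorAction Stop |
            Select-Object -Last $MaxLogLines | ForEach-Object { $_.Line })
    }
    catch { $result.Errors += "Scripts.log: $($_.Exception.Message)" }

    [pscustomobject]$result
}

# Constructed sample GUID; replace it with the value from the console
Get-CmScriptClientEvidence -ScriptGuid '00000000-0000-0000-0000-000000000000'
```

Access-denied or missing-path errors on either location are collected in the Errors property instead of stopping the check, so an empty Files list with no errors means the script was not found on the client.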

 


Final words

 

Something that’s also worth mentioning is that you need to have the Run Script permission assigned if you want to run scripts.

From MS docs https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-deploy-scripts

  • To run scripts – Your account must have Run Script permissions for Collections in the Compliance Settings Manager security role.

 

This to me sounds like it should be there by default, but it isn’t. The only built-in role that has that permission by default is the Full Administrator role.

 


So what you need to do is either assign Full Administrator to the user who wants to run the script, or create a custom security role and add the Run Script permission.

 


That’s all for now and I wish y’all happy scripting !

 

Feel free to leave any comments and questions below,

 

You can also find me over at www.timmyit.com and don’t forget to follow me on twitter https://twitter.com/TimmyITdotcom

 

Until next time, Cheers !

//Timmy

 

About the Author:

Timmy Andersson

9 Comments

  1. Madhu August 4, 2017 at 12:42 - Reply

    I think we can use this option rather than CI in Configuration Manager. Through scripts we can almost handle everything and deploy that script to a collection on which machines we want to remediate.

    • Timmy Andersson August 4, 2017 at 12:58 - Reply

      Yes, this method gives us more options in the way we want to use PowerShell on the clients. But it doesn’t replace CI and script remediation because they are used in different scenarios.
      Run script gives us (almost) real-time execution towards a client and the script only runs once, while CIs are recurring and not instantly evaluated from the time you deploy them.

      However, I also have a blog post on how to trigger a CI evaluation on a collection with the help of PowerShell here: https://timmyit.com/2016/09/27/qa-trigger-baseline-evaluation-on-a-device-collection/

      I’ll probably do a post on what the differences are and when to use what.

  2. Kyle August 7, 2017 at 14:51 - Reply

    I have created a few scripts that all say exit code 0 but nothing happens on the client.
    Example scripts:

    shutdown.exe -r -t 0
    Restart-Computer $env:COMPUTERNAME

    Both show an exit code 0 but nothing happens.

    • Timmy Andersson August 8, 2017 at 11:30 - Reply

      Does the scripts.log on the client say anything? Or eventvwr?
      Also, what OS are you running on the client ?

  3. Marcus K. September 1, 2017 at 12:02 - Reply

    you can use instead …

    $computername = "."
    $win32OS = get-wmiobject win32_operatingsystem -computername $computername -EnableAllPrivileges
    $win32OS.reboot()

  4. traceur gps September 6, 2017 at 11:35 - Reply

    I had the pleasure of visiting the blog. Keep it up.

  5. Madhu November 7, 2017 at 16:27 - Reply

    It seems we can display the msgbox by using scripts Feature.

    Ex : if(Test-Path -Path C:\Temp\TestScripts.txt -ErrorAction SilentlyContinue)

    {

    [System.Windows.MessageBox]::Show('hurray!!! Scripts option is working :)')

    }
    else
    {
    New-Item C:\Temp\ -Name TestScripts.txt -ItemType File -Force -ErrorAction SilentlyContinue
    }

    In my case [System.Windows.MessageBox]::Show('hurray!!! Scripts option is working :)') is not executing if the file is present.

  6. Madhu November 7, 2017 at 16:28 - Reply

    Small typo: “It seems we can’t display the msgbox by using scripts Feature.”

  7. Luis December 4, 2017 at 16:28 - Reply

    Anyone else experiencing issues with the script status window being empty? Tried a few times to rerun the script to my collection which is successful but the script status still says “no items found”
