In my last post I talked about how we could activate the new feature “Run Powershell script from the ConfigMgr” on current branch 1706. In this post I would like to talk about how to get started using this wonderful feature once you have activated it.
This feature really shows that the ConfigMgr product team over at Microsoft listens to its community and does everything it can to improve the product. Though this feature is a bit rough around the edges, it shows great potential and I can’t wait to see how it will evolve over time. As always, if you have any suggestions for improvements to ConfigMgr, let the product team know over at https://configurationmanager.uservoice.com/
Create a script
First of all we need to create a script. That’s done by going to Software library > Scripts and then either right-clicking and choosing “Create script” or clicking “Create script” in the top left corner of the screen.
The first thing we need to do is give the script a name. Then we can choose whether to import a script or write it ourselves in the script box below. Once we are done, just follow through with the wizard: “Next > Next > Close”.
When the script has been created it gets the status “Waiting for approval”, and our next step is to approve or deny it.
Note: by default a script creator can’t approve their own script. This is a security feature that’s been added in ConfigMgr, since running PowerShell scripts could have huge security implications. However, this setting can be turned off under Hierarchy settings. Look for “Do not allow script authors to approve their own scripts.” in the blog post for how to turn it on/off.
After you have clicked on “Approve/Deny”, just follow through with the wizard. First you have the chance to look at the script, but you will not be able to modify it. The next step is to approve or deny it and add a comment if you want.
Now to the fun part of actually running the script. At the moment you are not able to run the script directly on a device but instead you need to run it against a Device collection. Go to Device collections and right click on the collection you want to run the script against. In the wizard that pops up select the script you want to run and then follow through with the wizard.
If you go in to “Monitoring > Client Operations” you will find that a new operation has been started.
If you then, a few moments later, go in to “Monitoring > Script Status”, you should be able to see your script and its status there.
Tips for troubleshooting
First of all I recommend that you add the GUID column to the script status window in the console.
The client downloads the script to be able to run it, and the script is stored in C:\Windows\CCM\ScriptStore
The file name of the downloaded script contains the GUID for the script that we can find in the ConfigMgr Console, so just compare the GUID in the console to the file name to make sure that the script did download.
On the client you will also find a log file for the script: C:\Windows\ccm\logs\Scripts.log
Inside the log file you will see information like this
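The two client-side checks above (GUID in the ScriptStore file name, entries in Scripts.log) can be done in one pass. This is an added example, not code from the original post; the function name Test-CMScriptDownload and the all-zero GUID are hypothetical placeholders, and it assumes an elevated session on the client and that log lines mention the script GUID.

```powershell
# Added example (not from the original post). Run elevated on the client.
function Test-CMScriptDownload {
    [CmdletBinding()]
    param(
        # Script GUID as shown in the GUID column of the Script Status view
        [Parameter(Mandatory)]
        [guid]$ScriptGuid,
        [string]$ScriptStore = 'C:\Windows\CCM\ScriptStore',
        [string]$LogPath     = 'C:\Windows\CCM\Logs\Scripts.log',
        [int]$MaxLogLines    = 20
    )

    # Normalised form without braces, so "{...}" and "..." both work as input
    $id = $ScriptGuid.ToString()

    # 1. Did the script reach the ScriptStore? The file name contains the GUID.
    $files = @()
    if (Test-Path -LiteralPath $ScriptStore) {
        $files = @(Get-ChildItem -LiteralPath $ScriptStore -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$id*" })
    }

    # 2. Lines in Scripts.log that mention this GUID (if any), newest last
    $logLines = @()
    if (Test-Path -LiteralPath $LogPath) {
        $logLines = @(Select-String -LiteralPath $LogPath -Pattern $id -SimpleMatch |
            Select-Object -Last $MaxLogLines -ExpandProperty Line)
    }

    [pscustomobject]@{
        ScriptGuid = $id
        Downloaded = ($files.Count -gt 0)
        Files      = @($files | ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
                # Hash to compare against a known-good copy of the approved script
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        })
        LogLines   = $logLines
    }
}

# Constructed placeholder GUID; replace with the one from the console
Test-CMScriptDownload -ScriptGuid '00000000-0000-0000-0000-000000000000'
```

If Downloaded is False and LogLines is empty, the client has not received the job yet, so check “Monitoring > Client Operations” before digging further on the client.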
Final words
Something that’s also worth mentioning is that you need to have the permission Runscript assigned if you want to run scripts.
From MS docs https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-deploy-scripts
“To run scripts – Your account must have Run Script permissions for Collections in the Compliance Settings Manager security role.”
This to me sounds like it should be there by default, but it isn’t. The only built-in role that has that permission by default is the Full administrator role.
So what you need to do is either assign the Full administrator role to the user who wants to run the script, or create a custom security role and add the Run Script permission.
That’s all for now and I wish y’all happy scripting !
Feel free to leave any comments and questions below,
You can also find me over at www.timmyit.com and don’t forget to follow me on twitter https://twitter.com/TimmyITdotcom
Until next time, Cheers !
//Timmy
I think we can use this option rather than CI in Configuration Manager. Through scripts we can almost handle everything and deploy that script to a collection of the machines we want to remediate.
Yes, this method gives us more options in the way we want to use PowerShell on the clients. But it doesn’t replace CI and script remediation because they are used in different scenarios.
Run script gives us (almost) real-time execution towards a client and the script only runs once, while CIs are recurring and not instantly evaluated from the time you deploy them.
However, I also have a blog post on how to trigger a CI evaluation on a collection with the help of PowerShell here: https://timmyit.com/2016/09/27/qa-trigger-baseline-evaluation-on-a-device-collection/
I’ll probably do a post on what the differences are and when to use what.
I have created a few scripts that all say exit code 0 but nothing happens on the client.
Examples Scripts:
shutdown.exe -r -t 0
Restart-Computer $env:COMPUTERNAME
Both show an exit code 0 but nothing happens.
Does the scripts.log on the client say anything? Or eventvwr?
Also, what OS are you running on the client ?
You can use this instead …
$computername = "."
$win32OS = Get-WmiObject Win32_OperatingSystem -ComputerName $computername -EnableAllPrivileges
$win32OS.Reboot()
I had the pleasure of visiting the blog. Keep up the good work.
It seems we can display the msgbox by using scripts Feature.
Ex:
if (Test-Path -Path C:\Temp\TestScripts.txt -ErrorAction SilentlyContinue)
{
    [System.Windows.MessageBox]::Show('hurray!!! Scripts option is working :)')
}
else
{
    New-Item C:\Temp\ -Name TestScripts.txt -ItemType File -Force -ErrorAction SilentlyContinue
}
In my case [System.Windows.MessageBox]::Show('hurray!!! Scripts option is working :)') is not executing if the file is present.
Small typo: “It seems we can’t display the msgbox by using scripts Feature.”
Anyone else experiencing issues with the script status window being empty? Tried a few times to rerun the script to my collection which is successful but the script status still says “no items found”
I am trying to create a run script in SCCM 2016 (ver 1706) and deploy it to a collection/machine. Is there any module available to achieve the same using PowerShell?
Thanks for the great article.
Do we have any default report or SQL query to export the script deployment status?
Is there any way to automate this process so that the script continues running so long as it remains in this collection? Trying to use this method for a “self-healing” script that will Start-Service on any machines sitting in our “X service in a stopped state” collection.
Hello,
Is there PowerShell code to automate deployment of a script created using the new Scripts feature in Config Manager 1710 to collections?
Is there a way we can automate targeting an existing script to a collection or host machines? From the documentation, this seems to be a manual process.
Hey,
The Run script feature is a manual process to execute scripts in “real time”. Depending on your needs and the result you are after there are a few other ways of executing powershell scripts against machines. You can use Configuration Items and Baselines
https://timmyit.com/2016/09/05/guide-configuration-item-with-powershell-discovery-and-remediation-string-compliance/
Or create a Package under “Software Library -> Application Management -> Packages” and deploy that.
Hi Timmy, can I use this:
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name PSWindowsUpdate -Force
Import-Module -Name PSWindowsUpdate -Force
Install-WindowsUpdate -Title "Cumulative" -AcceptAll -IgnoreReboot
Thanks
M