My last blog post of this year will also be about a new (pre-release) feature of Configuration Manager, version 1710. This post will be all about the ability to create and run scripts from the Configuration Manager administration console. To be precise, the ability to create and run scripts was added in Configuration Manager, version 1706, and Configuration Manager, version 1710, added the ability to use parameters with those scripts. That completed the functionality. My Christmas day present for the community is a walkthrough of this functionality and of how it runs on the client device. After reading this post you should understand how your script can produce its output and how you can find the correct IDs to follow the activity on the client device.
Introduction
Starting with Configuration Manager, version 1706, it’s possible to run PowerShell scripts, via the Configuration Manager console, directly on client devices. Configuration Manager, version 1710, completed this functionality by adding the use of parameters. The ability to run PowerShell scripts on client devices is available in the Configuration Manager administration console, via the Run Scripts option. This makes it easier to automate tasks and, in general, the scripts are understood by a large population. It really simplifies building custom tools. Think about all the custom right-click actions that can now be integrated in this functionality. The biggest advantages of using the Run Script option, are the usage of the notification channel and getting good monitoring information. That means, quick results shown in the Configuration Manager administration console. In this post I’ll show the Run Script option by using a simple PowerShell script that will restart a service on the client device. That service is provided to the script via a script parameter.
Script
Now let’s have a look at the Run Script option in the Configuration Manager administration console. I’ll start by looking at a couple of important prerequisites, followed by how to create, approve and run scripts. I’ll end this section by following the script action to the client device.
Prerequisites
Before looking into the possibilities of the Run Script option, the following prerequisites should be in place to take full advantage of the available possibilities:
- The client device must be running PowerShell version 3.0, or later;
- The Configuration Manager clients must be running client version 1706, or later;
Create script
Let's start by looking at the required steps to create a PowerShell script that can become available via the Run Script option. I'll do that by using a simple script that restarts a service on a client device, based on the provided script parameter. Depending on the result of the restart, the script returns a specific output. The administrative user creating the script must have at least the Create permission for the SMS Scripts object class. The following six steps walk through the creation of a PowerShell script (step 3 contains the used script):
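As an added example (not the script from step 3 of the original post), here is a parameterised script of the kind the Run Script option expects: it takes the service to restart via a -ServiceName parameter (the parameter name matches the one visible in the executed command line later in this post; everything else is my own assumption), accepts either the short service name or the display name, and returns a single line of output plus an exit code so the result is readable in the console.

```powershell
# Added example, not the post's own step-3 script. Saved as Restart-ServiceByName.ps1
# (hypothetical file name) and pasted into the Create Script wizard as-is.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName
)

# The script runs as SYSTEM on the client. Whatever is written to the output stream
# becomes the Script Output in the console, so keep it to one short, parseable line.
# The command line in this post passes a display name ("Group Policy Client"), and
# Get-Service -Name only matches the short name, so resolve both forms here.
$service = Get-Service | Where-Object {
    $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName
} | Select-Object -First 1

if (-not $service) {
    Write-Output "Failed: service '$ServiceName' not found on $env:COMPUTERNAME"
    exit 1
}

try {
    Restart-Service -Name $service.Name -Force -ErrorAction Stop
    $after = (Get-Service -Name $service.Name).Status
    if ($after -eq 'Running') {
        Write-Output "Success: '$($service.DisplayName)' ($($service.Name)) restarted on $env:COMPUTERNAME"
        exit 0
    }
    Write-Output "Failed: '$($service.DisplayName)' is $after after restart on $env:COMPUTERNAME"
    exit 1
}
catch {
    Write-Output "Failed: restart of '$($service.DisplayName)' on $env:COMPUTERNAME threw: $($_.Exception.Message)"
    exit 1
}
```

Before creating the script in the console, run it locally from an elevated prompt (for example `.\Restart-ServiceByName.ps1 -ServiceName gpsvc`) and confirm that the single output line and the exit code are what you want to see in the Script Status node; a non-zero exit code is what marks the run as failed there.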
Approve script
Before the just created PowerShell script becomes available via the Run Script option, it must be approved by another administrative user with at least the Approve permission for the SMS Scripts object class (by default, the hierarchy setting Script authors require additional script approver prevents an author from approving their own script). That prevents unverified scripts from running on client devices, which should decrease the possibility of running faulty scripts on client devices. The following seven steps walk through the approval of a PowerShell script:
Run script
After approving the just created PowerShell script, it becomes available via the Run Script option. The administrative user that will run the script must have at least the Run permission for the SMS Scripts object class, and the script will be executed in SYSTEM context on the client device. Because of that SYSTEM context, the Run permission effectively grants code execution as SYSTEM on every device the user can target, so assign it as carefully as the Create and Approve permissions. The following six steps walk through running a PowerShell script:
Monitor script
Now let's end this post by looking at the monitoring options for the initiated script. This can be done in real-time, as shown in step 6 of the Run script section, and it can be done by looking at the Script Status node in the Monitoring workspace. Below is an overview of the just triggered script, in which I've highlighted the following numbers:
- Number 1 highlights the Show Status button that can be used to get the script details, as shown in step 6 of the Run script section;
- Number 2 highlights the Client Task ID that can be used to follow the script through the server log file (BgbServer.log) and the client log files (CcmNotificationAgent.log and Scripts.log), as shown below;
- Number 3 highlights the Script Guid, as also shown in step 3 of the Run script section, that can be used to follow the script activity in the client log file (Scripts.log), as shown below;
- Number 4 highlights the Script Output that can be used to verify the results. It should match the output produced by the script, as shown in step 3 of the Create script section.
Let’s continue by following the initiated script through the log files. At least the three log files below are related to this action and together those log files provide a lot of information. As there is some overlap with the log files of last week, I won’t provide the generic information about the log files this time.
- BgbServer.log: When initiating a script to run on a client device, this server log file shows the information about pushing the script action to the client device, followed by information about the generation of the BGB task status report (.BTS) in the bgb.box inbox (see below). The processing of the BGB task status report can be followed through the bgbmgr.log.
- CcmNotificationAgent.log: When initiating a script to run on a client device, this client log file shows the arrival of the script action on the client device (see below).
- Scripts.log: When initiating a script to run on a client device, this client log file shows the details about the script that will be executed. That includes the earlier mentioned IDs and the command line that will be used.
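Following one script action through the client logs by hand means searching two CMTrace-format files for the same Client Task ID and Script Guid. The function below, an added example that is not part of the original post, parses the CMTrace line format (`<![LOG[message]LOG]!><time="..." date="..." component="..." ...>`) and returns only the entries that mention either ID. The sample log lines at the bottom are constructed for illustration (the Client Task ID is made up; the Script Guid is the one from this post's command line), and the log folder named in the usage note is an assumption.

```powershell
# Added example, not from the post: follow one Run Scripts action through
# CMTrace-format client logs by its Client Task ID and/or Script Guid.
function ConvertFrom-CMTraceLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # CMTrace format: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ...>
        if ($Line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Message   = $Matches.msg
            }
        }
    }
}

function Find-CMScriptActivity {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogPath,
        [string]$ClientTaskId,
        [string]$ScriptGuid
    )
    # Match on whichever IDs were supplied; both are matched literally, not as regex.
    $ids = @($ClientTaskId, $ScriptGuid) | Where-Object { $_ }
    foreach ($path in $LogPath) {
        $leaf = Split-Path -Path $path -Leaf
        Get-Content -Path $path | ConvertFrom-CMTraceLine | Where-Object {
            $m = $_.Message
            @($ids | Where-Object { $m -match [regex]::Escape($_) }).Count -gt 0
        } | Select-Object @{ n = 'Log'; e = { $leaf } }, Date, Time, Component, Message
    }
}

# Constructed sample log lines: the message wording is illustrative, not real log output.
$sample = @'
<![LOG[Received notification for script task {A1B2C3D4-0000-4000-8000-000000000001}]LOG]!><time="10:15:01.123+000" date="12-25-2017" component="BgbAgent" context="" type="1" thread="4020" file="">
<![LOG[Unrelated notification]LOG]!><time="10:15:02.000+000" date="12-25-2017" component="BgbAgent" context="" type="1" thread="4020" file="">
<![LOG[Executing script D5FF9FBE-D25B-45DB-9771-946076A9FFAD for task {A1B2C3D4-0000-4000-8000-000000000001}]LOG]!><time="10:15:03.456+000" date="12-25-2017" component="Scripts" context="" type="1" thread="5100" file="">
'@
$samplePath = Join-Path $env:TEMP 'Scripts.sample.log'
Set-Content -Path $samplePath -Value $sample

# Returns the first and third sample lines; the unrelated line is filtered out.
Find-CMScriptActivity -LogPath $samplePath `
    -ClientTaskId '{A1B2C3D4-0000-4000-8000-000000000001}' `
    -ScriptGuid 'D5FF9FBE-D25B-45DB-9771-946076A9FFAD' | Format-Table -AutoSize
```

On a real client, point -LogPath at the two client logs (assumed to live in `$env:windir\CCM\Logs`, the default client log folder) and pass the Client Task ID copied from the Script Status node; because the filter is a literal match, paste the ID exactly as the console shows it, braces included if present.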
Let's end this section by looking at the executed command line in more detail. Below is the highlighted version of the executed command line. That command line shows that PowerShell runs the script without loading a profile and with the RemoteSigned execution policy, that the script receives its parameter on the command line and that the script is stored locally. Note that RemoteSigned only requires a signature for files that came from the internet, so the execution policy by itself does not tell you whether the stored script file is signed. The script is stored in C:\Windows\CCM\ScriptStore, which is a hidden folder on the client device, under a file name that combines the Script Guid (the part before the underscore) with a 64-character hexadecimal value. By default only the SYSTEM account has permissions on the script files in that folder, which matters because anything that could modify those files before they run would get code execution as SYSTEM.
Executing command line: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Windows\CCM\ScriptStore\D5FF9FBE-D25B-45DB-9771-946076A9FFAD_EB1AA60AF73737F0B342AEED2C5ECB15A9956654BDA4D30263178B3A79E79DD4.ps1" -ServiceName "Group Policy Client"
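Two things a practitioner will want to check on a client are which scripts are sitting in the ScriptStore (and for which Script Guid) and whether anything other than SYSTEM can touch them. The functions below are an added example, not code from the post or from Configuration Manager: the first splits each stored file name into its Script Guid and the 64-character part after the underscore (the post does not document what that part is, so it is only reported, not interpreted), and the second reports every identity with an Allow entry on the folder and its files. The folder path is the one named above; the expectation that only SYSTEM is allowed comes from the post.

```powershell
# Added example, not from the post: inspect the local ScriptStore folder.
function Get-CMScriptStoreFile {
    param([string]$Path = "$env:windir\CCM\ScriptStore")
    # The folder is hidden, so -Force is needed to list its contents.
    Get-ChildItem -Path $Path -Filter '*.ps1' -Force -ErrorAction Stop | ForEach-Object {
        # File name layout seen in the executed command line: <ScriptGuid>_<64 hex chars>.ps1
        $parts = $_.BaseName -split '_', 2
        [pscustomobject]@{
            File       = $_.Name
            ScriptGuid = $parts[0]
            HashPart   = $parts[1]
            SizeBytes  = $_.Length
            LastWrite  = $_.LastWriteTime
        }
    }
}

function Test-CMScriptStoreAcl {
    param([string]$Path = "$env:windir\CCM\ScriptStore")
    $system = 'NT AUTHORITY\SYSTEM'
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Force -Recurse)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -Path $item.FullName -ErrorAction Stop
        }
        catch {
            # Access denied here is itself consistent with a SYSTEM-only ACL; run as
            # SYSTEM (e.g. via psexec -s) to see the entries.
            [pscustomobject]@{ Path = $item.FullName; Owner = $null; OnlySystem = $null; OtherIdentities = "ERROR: $($_.Exception.Message)" }
            continue
        }
        # Any Allow entry for a principal other than SYSTEM is what we want to surface.
        $others = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ne $system
        })
        [pscustomobject]@{
            Path            = $item.FullName
            Owner           = $acl.Owner
            OnlySystem      = ($others.Count -eq 0)
            OtherIdentities = (($others | ForEach-Object { $_.IdentityReference.Value }) | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage: list stored scripts, then show only the entries that are not SYSTEM-only.
Get-CMScriptStoreFile | Format-Table -AutoSize
Test-CMScriptStoreAcl | Where-Object { $_.OnlySystem -ne $true } | Format-Table -AutoSize
```

Run this from an elevated prompt; if Get-Acl is denied even then, that is expected for files that really are SYSTEM-only, and the check is best repeated in a SYSTEM shell. A row with OnlySystem set to False is the finding to investigate, since a principal that can write to those files can change what runs as SYSTEM.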
More information
For more information about the Run Script option, please refer to this article about creating and running PowerShell scripts from the Configuration Manager console.
Is it possible to add these scripts into a task sequence?
Hi Peter,
Not at this moment.
Regards, Peter
Is it possible to interact with these scripts using PowerShell and the ConfigurationManager module, similar to the Get-CMPackage cmdlets? For example, I would like to be able to create, modify, and delete scripts automatically when they are updated in a git repository.
Hi Connor,
I haven’t tried that yet, but I would think that you should be able to work with PowerShell on the PowerShell scripts.
Regards, Peter
Is it possible to see which SCCM admin ran the script, for accountability purposes? Is there a log on the server or client that says this? I don’t see that information available via the SCCM console (1810). Thanks,
Hi Brandon,
I would expect that information to be available via reports.
Regards, Peter
Hi Peter,
Great article!
I wonder if it is possible to have the Powershell script to read input from a file on the (SCCM) server to use as input or from a custom table (on the server).
I want to use a script that requires certain parameters depending on the machine it will be executed on.
Hi Joost,
You can find the latest possibilities documented here: https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-deploy-scripts
Regards, Peter
Hi Peter,
I'm trying to run a PowerShell script using SCCM which collects data in relation to user profile size on workstation computers. The script itself works and returns the results we are looking for, however, we are trying to write the output with the data collected from all of the computers that the script runs on to a single csv file. What I have found is it will only output the csv of the computer where I am wanting the csv to be placed. All other data from the other computers is missing (I have set the export-csv to a Win 10 machine that I use).
Here’s my code:
$ComputerName = $env:COMPUTERNAME
# Only folders under C:\Users that contain an NTUSER.DAT are real profiles
$profiles = Get-ChildItem C:\Users -Directory | Where-Object { Test-Path "C:\Users\$($_.Name)\NTUSER.DAT" } | Select-Object -ExpandProperty Name
foreach ($profile in $profiles)
{
    # Total size of the profile in bytes, then rounded to GB for display
    $largeprofile = Get-ChildItem "C:\Users\$profile" -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object -Sum Length | Select-Object -ExpandProperty Sum
    $size = [math]::Round(($largeprofile / 1GB), 2)
    $size2 = [string]::Format("{0:0.00} GB", $size)
    # Note: $largeprofile is in bytes, so this only skips (nearly) empty profiles
    if ($largeprofile -lt 20)
    {
        Continue
    }
    $object = New-Object -TypeName PSObject
    $object | Add-Member -MemberType NoteProperty -Name Computer -Value $ComputerName
    $object | Add-Member -MemberType NoteProperty -Name Name -Value $profile
    $object | Add-Member -MemberType NoteProperty -Name "Size(GB)" -Value $size2
    # Text returned as the script output in the console
    ($object | Format-List | Out-String).Trim(); Write-Output "`n"
    # Append this profile's row to the central CSV on the share
    $object | Export-Csv -Path "\\tgvv0095\c$\Store_UserProfile_Report.csv" -Force -NoTypeInformation -Append
}
Do you know of a way to spit out the csv to a share or folder somewhere that includes the output in the csv for all of the computers that the script is run on?
Hi David,
Could it be a permissions issue?
Regards, Peter