Deploying scripts using ConfigMgr
Check out how to deploy scripts to your devices through ConfigMgr
At the time of writing this, ConfigMgr 2211 has a bug where you cannot add scripts. So the following screenshots are from CM2203, and I’ll update them when the bug is resolved - Twitter post
Deploying custom scripts in ConfigMgr isn’t necessarily the most difficult thing, but the first time you do something it can maybe be daunting. In this post, we’ll go through how to add and run a custom PowerShell script on your devices using ConfigMgr
Using ConfigMgr to run PowerShell scripts against your devices allows you to easily automate tasks that may otherwise take considerable amounts of time and effort to do manually.
ConfigMgr will show allow you to manage these scripts through the use of roles and security scopes as well as monitor the execution of your scripts against your devices.
Prerequisites
- PowerShell 3.0 or later
- ConfigMgr client 1706 or later
- Using scripts requires you to be a member of the appropriate ConfigMgr security role
- Importing and Authoring scripts require the Create** permission for SMS Scripts
- Approval and Denying of scripts requires the Approve permission for SMS Scripts
- Running scripts requires the Run Script permission for Collections
It is possible to allow users to approve their own scripts. This is not best practice and should only be used in a lab environment, I’ll cover how to achieve this later.
Actually do something cool!
Now that that’s all out of the way, Let’s import a script and deploy it to our clients.
In this short gif, we can see how quickly you can import a script into ConfigMgr and have it approved for deployment.
How to do it, step by step
In this example, we will be using a script written by Adam Cook which “searches the registry for installed software, matching the supplied DisplayName value in the -DisplayName parameter with that of the DisplayName in the registry. If one match is found, it uninstalls the software using the UninstallString.”
Create Script
Firstly, we want to navigate to the Software Library view > Scripts then right-click and click Create Script
On the Create Script screen, we will
- Provide a Script Name (How it will be named in ConfigMgr, this does not need to be the name of the script)
- A description of the purpose of the script
- The script language (we’ll stick with PowerShell for now)
- Import the script. After this, We will be prompted to specify any script parameters that ConfigMgr has detected in our script.
- Here, all we are concerned with is DisplayName. Architecture and HivesToSearch are set by default but can be changed if needed.
As mentioned previously, there is a bug in 2211 that stops you from creating scripts within ConfigMgr. Because of that, these screenshots are taken from CM2203 which means the option for Script Timeout Seconds is not visible, but in CM2211 you can use this option to specify a timeout value to monitor script execution status, between 60 and 1800 seconds.
Summary, Progress and Details just confirm all the information you entered previously, as well as whether or not creating your script was successful. Provided it completes successfully we can move on.
Approve or Deny Script
Script approval is where we will circle back to talking about approving your scripts. By default this is disabled in ConfigMgr, You must ensure that someone in your organization has the Approve permission for SMS Scripts or disable the option that stops you from approving them yourself.
As you can see here, I cannot currently approve my script so the Approve/Deny button is greyed out. To allow self-approval, Navigate to Administration > Site Configuration > Sites > Hierarchy Settings and untick Script authors require additional script approver
Now, after navigating back to the Software Library and Scripts, I can approve my own script.
The Approve or Deny Script wizard shows us the same screens as shown during the Create Script process, but we’re just reviewing this time to ensure everything entered checks out.
You can then decide whether or not to Approve or Deny, and leave a nice wee message with it.
Run Script
When it comes to running our newly created script, we can either run it against a collection, a selection of devices or a single device. For now, let’s look at a collection!
Let’s navigate to Assets and Compliance > Device Collections > right-click on the device collection you wish to run this script against and select Run Script
Select the script which you wish to run, in this case, Uninstall-Software and Confirm the script parameters on the next screen
You will then be presented with the Script Status window, which will show you the results of the script being run against the devices in the selected collection.
And if we watch a client device with Google Chrome installed, we can see in script.log that the script runs, we see Chrome be uninstalled and the results sent back to CM.
Just like that, you’ve removed Chrome from all your devices!
Gotchas
I encountered an issue on my client when watching scripts.log, I could see the following error presented.
After some reading I found this in the Microsoft documentation
From this, I modified the Script Parameters and reapproved my script
What’s next?
There will be part 2 of this, showing you how to do the same thing but using Intune instead of ConfigMgr.
Want to see something else added? Open an issue.