PowerShell scripts in Endpoint Manager

There are some things in Endpoint Manager that are simply easier to do with PowerShell scripts. This blog post describes where and how you can use them.

Windows app (Win32) Detection Rule

When creating Win32 apps you must specify a Detection Rule so that the application can be detected after installation. The rule types are MSI, File, Registry, or a custom detection script. A custom detection script is a PowerShell script that must exit with exit code 0 (installation detected) or any non-zero exit code (installation not detected). In addition to the exit code, the script must also write something to STDOUT (Write-Host).

Below is an example of a custom detection script that checks for the installation of Sophos Anti-Virus by checking whether a certain file is present (HitmanPro is part of the Sophos installation):

# Exit code 0 plus STDOUT output means "detected"; any other exit code means "not detected".
if (Test-Path 'C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe') {
    Write-Host 'Sophos installation detected'
    Exit 0
}
else {
    Write-Host 'Sophos installation not detected'
    Exit 1
}
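As an added example (not from the original post), the same file check extended with a minimum file version, so an outdated installation is reported as "not detected" and the Win32 app is installed again; any unexpected error also exits 1 instead of looking like a successful detection. The path and the version number are assumptions, and the same exit code plus STDOUT contract applies to a Proactive Remediation detection script.

```powershell
# Added example: Win32 app custom detection script with a minimum-version check.
# The path and minimum version below are assumptions; replace them with the real values.
$ExePath        = 'C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe'  # assumed path
$MinimumVersion = [version]'3.8.0.0'                                     # assumed minimum

try {
    if (-not (Test-Path -LiteralPath $ExePath)) {
        # No file: report "not detected" so Endpoint Manager installs the app.
        Write-Host "Sophos installation not detected: $ExePath is missing"
        exit 1
    }

    # FileVersion is a string; the [version] cast throws on malformed values,
    # which the catch block below turns into a "not detected" result.
    $fileVersion = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    $installed   = [version]$fileVersion

    if ($installed -ge $MinimumVersion) {
        # Both exit code 0 and a STDOUT line are required for a positive detection.
        Write-Host "Sophos installation detected (version $installed)"
        exit 0
    }
    else {
        # Older than required: report "not detected" so the newer package is (re)installed.
        Write-Host "Sophos installation outdated ($installed is below $MinimumVersion)"
        exit 1
    }
}
catch {
    # An unexpected error must never be mistaken for a successful detection.
    Write-Host "Detection failed: $($_.Exception.Message)"
    exit 1
}
```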

Device Scripts

In the Devices pane of Endpoint Manager there is a Scripts section in which you can add scripts for macOS and Windows 10 or later. When I first used this option, I thought that these scripts would run at an interval, but… they don’t 🙂 Scripts that you upload and assign here run only once if successful, and never again until you upload a changed version of the script. If the script fails, Endpoint Manager retries three times and then stops until the agent checks in again or the device reboots.

Only use this for scripts that you want to run just once. For anything else, use Proactive Remediations (see below) or a Win32 app with a custom detection script, which can make the Win32 app run again when a certain condition matches.

Proactive Remediations

It’s somewhat hidden away in the Reports pane under Endpoint analytics, but Proactive Remediations is a nice feature. It is only available with the following licenses:
– Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
– Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
– Windows 10/11 Virtual Desktop Access (VDA) per user

This feature is a two-step script package. The first step is the Detection script file. Just like the custom detection rule mentioned above, it works with an exit code and a STDOUT (Write-Host) output. An example of a simple Proactive Remediation could be that you always want a C:\Scripts folder on each system. The Detection script file would look like this:

# Exit code 0 means the condition is met; exit code 1 triggers the Remediation script.
if (Test-Path 'C:\Scripts') {
    Write-Host 'Scripts folder found'
    Exit 0
}
else {
    Write-Host 'Scripts folder not found'
    Exit 1
}

The second step is the Remediation script: the action that solves the issue found by the Detection script. In this case, that would be creating the C:\Scripts folder. The Remediation script would look like this:

# Create the folder that the Detection script checks for
New-Item -ItemType Directory -Path C:\Scripts

The next time the Detection script runs, it will find the C:\Scripts folder, exit with code 0, and write “Scripts folder found” to STDOUT.

The nice thing about a Proactive Remediation script is that you can configure the interval; by default it runs on assigned devices every day. You can change it to a frequency of Once with a time and date, Hourly with a repeat of x hours, or Daily with a repeat of x days and a start time.

Another thing that I really like about Proactive Remediation packages is that you can see the contents of the Detection and Remediation scripts. This is not possible with Device scripts or detection scripts in a Win32 app 🙁
