Tenant attach: Run Scripts (preview) from the admin center

Applies to: Configuration Manager (current branch)

Important

  • This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device in real time. This brings all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment.

Prerequisites

Running Scripts from the admin center requires the following items:

  • All of the prerequisites for Tenant attach: ConfigMgr client details
  • A minimum of Configuration Manager version 2006 with KB4580678 - Tenant attach rollup for Configuration Manager current branch, version 2006 installed.
    • All sites in the hierarchy must meet the minimum Configuration Manager version requirement.
  • Configuration Manager clients must be running the latest version of the client.
  • To run PowerShell scripts, the client must be running PowerShell version 3.0 or later.
    • If a script you run contains functionality from a later version of PowerShell, the client on which you run the script must be running that later version of PowerShell.
  • At least one script that is already created and approved in Configuration Manager.
    • Scripts that have parameters aren't supported at this time and won't be visible in the Microsoft Endpoint Manager admin center.
    • Only scripts that are already created and approved appear in the admin center. For more information on approving scripts, see Approve or deny a script.
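
As an added example (not part of the original documentation and not Microsoft's code), the following PowerShell function applies the last prerequisite to a set of script objects and reports which ones would appear in the admin center and why the others would not, which is a useful review before additional personas are allowed to run them. The function name, the property names `ScriptName`, `ApprovalState` and `ParamsDefinition`, and the approval state values are assumptions modelled on the script objects that the Configuration Manager `Get-CMScript` cmdlet returns; the sample objects are constructed.

```powershell
# Added example: property names and ApprovalState values below are assumptions
# modelled on the script objects that Get-CMScript returns.
function Get-AdminCenterScriptExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputScript
    )
    begin {
        # Assumed mapping: 0 = waiting for approval, 1 = declined, 3 = approved.
        $stateName = @{ 0 = 'waiting for approval'; 1 = 'declined'; 3 = 'approved' }
    }
    process {
        $reasons = @()
        $state = [int]$InputScript.ApprovalState
        if ($state -ne 3) {
            $label = if ($stateName.ContainsKey($state)) { $stateName[$state] } else { "unknown state $state" }
            $reasons += "not approved ($label)"
        }
        # Scripts that have parameters aren't shown in the admin center.
        if (-not [string]::IsNullOrWhiteSpace([string]$InputScript.ParamsDefinition)) {
            $reasons += 'has parameters'
        }
        [pscustomobject]@{
            ScriptName           = $InputScript.ScriptName
            VisibleInAdminCenter = ($reasons.Count -eq 0)
            Reason               = if ($reasons.Count) { $reasons -join '; ' } else { 'approved, no parameters' }
        }
    }
}

# Constructed sample objects so the example runs without a site connection.
$sample = @(
    [pscustomobject]@{ ScriptName = 'Restart-Spooler';   ApprovalState = 3; ParamsDefinition = '' }
    [pscustomobject]@{ ScriptName = 'Clear-TempFolder';  ApprovalState = 0; ParamsDefinition = '' }
    [pscustomobject]@{ ScriptName = 'Set-RegistryValue'; ApprovalState = 3; ParamsDefinition = 'constructed-placeholder' }
    [pscustomobject]@{ ScriptName = 'Remove-LocalUser';  ApprovalState = 1; ParamsDefinition = 'constructed-placeholder' }
)

$sample | Get-AdminCenterScriptExposure | Format-Table -AutoSize
```

On a site server, the same function can take the output of `Get-CMScript` from the pipeline instead of `$sample`, provided the property names match.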

Permissions

The user account needs the following permissions:

  • The Read permission for the device's Collection in Configuration Manager.
  • The Read Resource permission for the device's Collection in Configuration Manager.
  • The Admin User role for the Configuration Manager Microservice application in Azure AD.
    • Add the role in Azure AD from Enterprise applications > Configuration Manager Microservice > Users and groups > Add user. Groups are supported if you have Azure AD Premium.
  • To use scripts, you must be a member of the appropriate Configuration Manager security role. For more information, see Security scopes for run scripts.
  • To run scripts, the account must have Run Script permissions for Collections.

Run a script

  1. In a browser, navigate to https://endpoint.microsoft.com.

  2. Select Devices then All Devices.

  3. Select a device that is synced from Configuration Manager via tenant attach.

  4. Select Scripts.

    Scripts that were recently run and that directly targeted the device will already be listed. The list includes scripts run from the admin center, the SDK, or the Configuration Manager console. Scripts initiated from the on-premises console against collections containing the device won't be shown unless the scripts were also initiated specifically for the single device.

  5. Choose Run script.

    Scripts that are available to the admin based on the scopes assigned in Configuration Manager will be listed.

  6. Select Run to run the script.

  7. You'll be notified that your script has started. You don't have to wait for the script to finish before sending another to the device.

  8. Select Refresh on the main page to update the list with the latest script state and last run time.

  9. When the script completes, you can select the script to display the results in the Output pane. You can copy the text of the script output. Select Re-run script if you want the script to run again.

Next steps

Install an application from the admin center

Learn more about PowerShell script security