Use PowerShell scripts on Windows 10 devices in Intune

Use the Microsoft Intune management extension to upload PowerShell scripts in Intune to run on Windows 10 devices. The management extension enhances Windows device management (MDM), and makes it easier to move to modern management.

This feature applies to:

  • Windows 10 and later (excluding Windows 10 Home)

Note

Once the Intune management extension prerequisites are met, the Intune management extension is installed automatically when a PowerShell script or Win32 app is assigned to the user or device. For more information, see Intune management extension prerequisites.

Move to modern management

End-user computing is going through a digital transformation. Classic, traditional IT focuses on a single device platform, business-owned devices, users that work from the office, and different manual, reactive IT processes. The modern workplace uses many platforms that are user and business owned, allows users to work from anywhere, and provides automated and proactive IT processes.

MDM services, such as Microsoft Intune, can manage mobile and desktop devices running Windows 10. The built-in Windows 10 management client communicates with Intune to run enterprise management tasks. There are some tasks you might need that go beyond the built-in client, such as advanced device configuration and troubleshooting. For Win32 app management, you can use the Win32 app management feature on your Windows 10 devices.

The Intune management extension supplements the in-box Windows 10 MDM features. You can create PowerShell scripts to run on Windows 10 devices. For example, create a PowerShell script that does advanced device configuration. Then, upload the script to Intune, assign the script to an Azure Active Directory (AD) group, and run the script. You can then monitor the run status of the script from start to finish.

Prerequisites

The Intune management extension has the following prerequisites. Once the prerequisites are met, the Intune management extension installs automatically when a PowerShell script or Win32 app is assigned to the user or device.

  • Devices running Windows 10 version 1607 or later. If the device is enrolled using bulk auto-enrollment, devices must run Windows 10 version 1709 or later. The Intune management extension isn't supported on Windows 10 in S mode, as S mode doesn't allow running non-store apps.

  • Devices joined to Azure Active Directory (AD), including:

    Tip

    Be sure devices are joined to Azure AD. Devices that are only registered in Azure AD won't receive your scripts.

  • Devices enrolled in Intune, including:

    • Devices enrolled through a group policy (GPO). See Enroll a Windows 10 device automatically using Group Policy for guidance.

    • Devices manually enrolled in Intune, which is when:

      • Auto-enrollment to Intune is enabled in Azure AD. The end user signs in to the device using a local user account, manually joins the device to Azure AD, and then signs in to the device using their Azure AD account.

      OR

      • The user signs in to the device using their Azure AD account, and then enrolls in Intune.

    • Co-managed devices that use Configuration Manager and Intune. When installing Win32 apps, make sure the Apps workload is set to Pilot Intune or Intune. PowerShell scripts will run even if the Apps workload is set to Configuration Manager. The Intune management extension is deployed to a device when you target a PowerShell script to the device. However, as noted above, the device must be an Azure AD or Hybrid Azure AD joined device and must be running Windows 10 version 1607 or later. See the following articles for guidance:

Note

For information about using Windows 10 VMs, see Using Windows 10 virtual machines with Intune.

Create a script policy and assign it

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > PowerShell scripts > Add.

    [Image: Add and use PowerShell scripts in Microsoft Intune]

  3. In Basics, enter the following properties, and select Next:

    • Name: Enter a name for the PowerShell script.
    • Description: Enter a description for the PowerShell script. This setting is optional, but recommended.

  4. In Script settings, enter the following properties, and select Next:

    • Script location: Browse to the PowerShell script. The script must be less than 200 KB (ASCII).

    • Run this script using the logged on credentials: Select Yes to run the script with the user's credentials on the device. Choose No (default) to run the script in the system context. Many administrators choose Yes. If the script is required to run in the system context, choose No.

    • Enforce script signature check: Select Yes if the script must be signed by a trusted publisher. Select No (default) if there isn't a requirement for the script to be signed.

    • Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell (PS) host on a 64-bit client architecture. Select No (default) to run the script in a 32-bit PowerShell host.

      When setting this to Yes or No, use the following table for new and existing policy behavior:

      Run script in 64-bit PS host | Client architecture | New PS script | Existing policy PS script
      No  | 32-bit | 32-bit PS host supported. | Runs only in a 32-bit PS host, which works on 32-bit and 64-bit architectures.
      Yes | 64-bit | Runs the script in a 64-bit PS host for 64-bit architectures. When run on 32-bit, the script runs in a 32-bit PS host. | Runs the script in a 32-bit PS host. If this setting changes to 64-bit, the script opens (it doesn't run) in a 64-bit PS host, and reports the results. When run on 32-bit, the script runs in a 32-bit PS host.

  5. Select Scope tags. Scope tags are optional. Use role-based access control (RBAC) and scope tags for distributed IT has more information.

    To add a scope tag:

    1. Choose Select scope tags > select an existing scope tag from the list > Select.

    2. When finished, select Next.

  6. Select Assignments > Select groups to include. An existing list of Azure AD groups is shown.

    1. Select one or more groups that include the users whose devices receive the script. Choose Select. The groups you chose are shown in the list, and will receive your policy.

      Note

      PowerShell scripts in Intune can be targeted to Azure AD device security groups or Azure AD user security groups.

    2. Select Next.

      [Image: Assign or deploy PowerShell scripts to device groups in Microsoft Intune]

  7. In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
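As an added example (not code from the Intune docs or from the management extension), the following PowerShell checks a script locally against the settings in step 4 before you upload it: the 200 KB limit, ASCII content, and the Authenticode signature status that "Enforce script signature check" relies on. The function names, the certificate thumbprint parameter and the C:\Scripts\ConfigScript01.ps1 path are assumptions of this example.

```powershell
# Added example, not from the Intune docs or the Intune management extension:
# checks a script against the limits and options in the policy form before it
# is uploaded. Function and parameter names are this example's own.
function Test-IntuneScriptCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Set this when the policy will use "Enforce script signature check = Yes".
        [switch] $RequireSignature
    )
    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Size: the script must be less than 200 KB.
    if ($file.Length -ge 200KB) {
        $problems.Add("Size is $($file.Length) bytes; the limit is less than 200 KB.")
    }

    # 2. Content: the limit is stated for ASCII, so count bytes that are not
    #    printable ASCII, tab, CR or LF (a UTF-8 BOM or curly quotes trips this).
    $nonAscii = 0
    foreach ($b in [System.IO.File]::ReadAllBytes($file.FullName)) {
        if ($b -gt 0x7E -or ($b -lt 0x20 -and $b -notin 9, 10, 13)) { $nonAscii++ }
    }
    if ($nonAscii -gt 0) { $problems.Add("$nonAscii non-ASCII byte(s) found; save the script as ASCII.") }

    # 3. Signature: Status is Valid only when the signer chains to a publisher
    #    trusted on this machine, which the device-side signature check also needs.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if ($RequireSignature -and $sig.Status -ne 'Valid') {
        $problems.Add("Signature status is '$($sig.Status)'; the policy's signature check would block it.")
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        NonAsciiBytes   = $nonAscii
        SignatureStatus = $sig.Status
        Signer          = $signer
        ReadyToUpload   = ($problems.Count -eq 0)
        Problems        = $problems.ToArray()
    }
}

# Signs a script with a code-signing certificate from the current user's store
# (the thumbprint is a placeholder), so a policy with the signature check enabled accepts it.
function Add-IntuneScriptSignature {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item -LiteralPath "Cert:\CurrentUser\My\$Thumbprint"
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256
}

Test-IntuneScriptCandidate -Path 'C:\Scripts\ConfigScript01.ps1' -RequireSignature
```

Run the check on the same machine type the script will target, because the signature status depends on which publishers that machine trusts.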

Important considerations

  • When scripts are set to user context and the end user has administrator rights, by default, the PowerShell script runs under the administrator privilege.

  • End users aren't required to sign in to the device to execute PowerShell scripts.

  • The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy. If the script fails, the Intune management extension agent will attempt to retry the script three times, once at each of the next 3 consecutive Intune management extension agent check-ins.

  • For shared devices, the PowerShell script will run for every new user that signs in.

Failure to run script example

8 AM

  • Check in
  • Run script ConfigScript01
  • Script fails

9 AM

  • Check in
  • Run script ConfigScript01
  • Script fails (retry count = 1)

10 AM

  • Check in
  • Run script ConfigScript01
  • Script fails (retry count = 2)

11 AM

  • Check in
  • Run script ConfigScript01
  • Script fails (retry count = 3)

12 PM

  • Check in
  • No additional attempts are made to run the ConfigScript01 script.
  • Going forward, if no additional changes are made to the script, no additional attempts will be made to run the script.

Monitor run status

You can monitor the run status of PowerShell scripts for users and devices in the Azure portal.

In PowerShell scripts, select the script to monitor, choose Monitor, and then choose one of the following reports:

  • Device status
  • User status

Intune management extension logs

Agent logs on the client machine are typically in \ProgramData\Microsoft\IntuneManagementExtension\Logs. You can use CMTrace.exe to view these log files.
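To list errors from those logs without opening CMTrace, here is an added example (not from the Intune docs or the extension itself) that parses the CMTrace entry format the agent writes. The function names are this example's own, and the sample entries are constructed for the offline check; their message text does not reproduce real agent output.

```powershell
# Added example, not from the Intune docs or the Intune management extension:
# parses the CMTrace-format entries the agent writes to the folder named above,
# so errors can be listed without opening CMTrace. Function names and the
# sample entries are this example's own; the sample text is constructed.
$LogFolder = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'

# One entry looks like: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# Messages may span lines, so the pattern is applied with the Singleline option.
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*?thread="(?<thread>\d+)"[^>]*>'

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)] [string] $Text, [string] $Source = '')
    $levels = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $EntryPattern, 'Singleline')) {
        # The time field carries a UTC offset after the seconds; drop it before parsing.
        $clock = $m.Groups['time'].Value -replace '[+-]\d+$', ''
        try {
            $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $clock",
                         'M-d-yyyy H:mm:ss.FFFFFFF', [cultureinfo]::InvariantCulture)
        } catch { $stamp = $null }
        [pscustomobject]@{
            Timestamp = $stamp
            Level     = $levels[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
            Source    = $Source
        }
    }
}

# Reads every .log file in the agent log folder; -ErrorsOnly keeps type 3 entries.
function Get-ImeLogEntry {
    param([string] $Folder = $LogFolder, [switch] $ErrorsOnly)
    $entries = Get-ChildItem -Path $Folder -Filter '*.log' -ErrorAction Stop | ForEach-Object {
        ConvertFrom-CmTraceLog -Text (Get-Content -LiteralPath $_.FullName -Raw) -Source $_.Name
    }
    if ($ErrorsOnly) { $entries = $entries | Where-Object Level -eq 'Error' }
    $entries | Sort-Object Timestamp
}

# Constructed sample entries in the same format, for an offline check of the parser.
$sample = @'
<![LOG[Processing PowerShell script policy ConfigScript01]LOG]!><time="08:00:05.123+000" date="3-1-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[Script ConfigScript01 failed, retry count = 1
Exit code: 1]LOG]!><time="09:00:06.456+000" date="3-1-2024" component="AgentExecutor" context="" type="3" thread="7" file="">
'@
ConvertFrom-CmTraceLog -Text $sample -Source 'sample' | Where-Object Level -eq 'Error' | Format-List
# On a device: Get-ImeLogEntry -ErrorsOnly | Format-Table Timestamp, Source, Message
```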

[Image: Example of cmtrace agent logs in Microsoft Intune]

Delete a script

In PowerShell scripts, right-click the script, and select Delete.

Common issues and resolutions

Issue: Intune management extension doesn't download

Possible resolutions:

  • The device isn't joined to Azure AD. Be sure the devices meet the prerequisites (in this article).
  • There are no PowerShell scripts or Win32 apps assigned to the groups that the user or device belongs to.
  • The device can't check in with the Intune service, due to no internet access, no access to Windows Push Notification Services (WNS), and so on.
  • The device is in S mode. The Intune management extension isn't supported on devices running in S mode.

To see if the device is auto-enrolled, you can:

  1. Go to Settings > Accounts > Access work or school.
  2. Select the joined account > Info.
  3. Under Advanced Diagnostic Report, select Create Report.
  4. Open the MDMDiagReport in a web browser.
  5. Search for the MDMDeviceWithAAD property. If the property exists, the device is auto-enrolled. If this property doesn't exist, then the device isn't auto-enrolled.

Enable Windows 10 automatic enrollment includes the steps to configure automatic enrollment in Intune.

Issue: PowerShell scripts do not run

Possible resolutions:

  • The PowerShell scripts don't run at every sign-in. They run:

    • When the script is assigned to a device

    • If you change the script, upload it, and assign the script to a user or device

      Tip

      The Microsoft Intune Management Extension is a service that runs on the device, just like any other service listed in the Services app (services.msc). After a device reboots, this service may also restart, and check for any assigned PowerShell scripts with the Intune service. If the Microsoft Intune Management Extension service is set to Manual, then the service may not restart after the device reboots.

  • Be sure devices are joined to Azure AD. Devices that are only joined to your workplace or organization (registered in Azure AD) won't receive the scripts.

  • The Intune management extension client checks once per hour for any changes in the script or policy in Intune.

  • Confirm the Intune management extension is downloaded to %ProgramFiles(x86)%\Microsoft Intune Management Extension.

  • Scripts don't run on Surface Hubs or Windows 10 in S mode.

  • Review the logs for any errors. See Intune management extension logs (in this article).

  • For possible permission issues, be sure the properties of the PowerShell script are set to Run this script using the logged on credentials. Also check that the signed-in user has the appropriate permissions to run the script.

  • To isolate scripting problems, you can:

    • Review the PowerShell execution configuration on your devices. See the PowerShell execution policy for guidance.

    • Run a sample script using the Intune management extension. For example, create the C:\Scripts directory, and give everyone full control. Run the following script:

      write-output "Script worked" | out-file c:\Scripts\output.txt

      If it succeeds, output.txt should be created, and should include the "Script worked" text.

    • To test script execution without Intune, run the scripts in the System account using the psexec tool locally:

      psexec -i -s

    • If the script reports that it succeeded, but it didn't actually succeed, then it's possible your antivirus service is sandboxing AgentExecutor. The following script always reports a failure in Intune. As a test, you can use this script:

      Write-Error -Message "Forced Fail" -Category OperationStopped
      mkdir "c:\temp"
      echo "Forced Fail" | out-file c:\temp\Fail.txt

      If the script reports a success, look at the AgentExecutor.log to confirm the error output. If the script executes, the length should be >2.

    • To capture the .error and .output files, the following snippet executes the script through AgentExecutor with the 32-bit PowerShell host (PSx86, C:\Windows\SysWOW64\WindowsPowerShell\v1.0). It keeps the logs for your review. Remember, the Intune management extension cleans up the logs after the script executes:

      # Paths are supplied interactively; the script must exist and the log folder is created if needed
      $scriptPath = read-host "Enter the path to the script file to execute"
      $logFolder = read-host "Enter the path to a folder to output the logs to"
      if (-not (Test-Path -LiteralPath $scriptPath)) { throw "Script not found: $scriptPath" }
      New-Item -ItemType Directory -Path $logFolder -Force | Out-Null
      $outputPath = $logFolder+"\output.output"      # script output captured by AgentExecutor
      $errorPath =  $logFolder+"\error.error"        # script error stream captured by AgentExecutor
      $timeoutPath =  $logFolder+"\timeout.timeout"  # written if the script times out
      $timeoutVal = 60000                            # timeout value passed to AgentExecutor
      $PSFolder = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"   # 32-bit PowerShell host folder
      $AgentExec = "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"
      &$AgentExec -powershell  $scriptPath $outputPath $errorPath $timeoutPath $timeoutVal $PSFolder 0 0
      

Next steps

Monitor and troubleshoot your profiles.