ConfigMgr TP1706 Adhoc PowerShell Script Support

The ConfigMgr Product Team released TP1706 late last night (6/23), and much to my surprise, they added native functionality for running scripts on endpoints on demand. There have always been third-party ways of getting this done, but it is exciting to see Microsoft finally offer this functionality natively. Let's dive in on how the feature works today and where it still needs some work.

Let's pretend for a moment that your security department discovers a keylogger present in a certain version of an obscure executable on a workstation. They clean the infection, but they are demanding that you immediately tell them whether other workstations in a collection have the same executable version. Oh, and they want this now. In the past, the fastest way to accomplish this with ConfigMgr was probably to create a configuration item (CI) that runs a script, then wait for the results to filter in over the next few hours. Not anymore!

As of Technical Preview 1706, you will notice a new Scripts node in the Software Library workspace. Right now you can add scripts (there doesn't appear to be a remove option at this time), require that they be approved, and, once approved, run them on any device collection. Let's walk through how that looks. First things first, head over to the Scripts node and click Create Script. You will then be greeted by a prompt asking you to give the script a name, plus a large editor box to write or paste your script into. Since there is no IntelliSense at this time, I imagine most people will write in the ISE/VS Code and paste it over.

So after we've put in our super complex code that tells us which version of the nefarious notepad.exe is installed, we must right-click the script and Approve it. This adds an appreciated extra check and balance to the process, which should reduce the risk of bad code making it out to production.
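For reference, here is the kind of script the paragraph above is talking about. This is an added example, not code from the original post: it looks for notepad.exe in the usual drop locations, records each copy's file version and SHA-256, flags a match, and keeps its output to one line per hit so it reads cleanly in the console. The "bad" version string and hash are placeholders, not real indicators, and the script assumes it runs as LOCAL SYSTEM in the ConfigMgr client context (which is also why the approval step matters: whatever is approved runs with full privilege on every targeted device).

```powershell
# Added example (not from the original post). Assumptions:
#  - runs on the endpoint as LOCAL SYSTEM via the ConfigMgr client, so it can
#    read C:\Windows and every user profile
#  - $BadVersion / $BadSha256 are placeholders standing in for what the
#    security team actually reported
#  - whatever the script writes to the output stream is what appears under
#    Monitoring > Script Status, and the exit code is recorded with it

$TargetName = 'notepad.exe'                     # executable the security team flagged
$BadVersion = '10.0.15063.0'                    # placeholder version string
$BadSha256  = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder hash

# Search the usual locations rather than the whole disk: it returns in
# minutes and still covers the directories malware tends to land in.
$SearchRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData
)
$SearchRoots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName }

$hits = foreach ($root in $SearchRoots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $TargetName -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ver  = $_.VersionInfo.FileVersion
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

        # Match on the hash first; a version string is trivially forged,
        # and a recompiled binary with the same version would not hash-match.
        $match = 'none'
        if ($hash -and $hash -eq $BadSha256) { $match = 'HASH' }
        elseif ($ver -eq $BadVersion)        { $match = 'VERSION' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Match    = $match
            Version  = $ver
            SHA256   = $hash
            Path     = $_.FullName
        }
      }
}

# One compact, pipe-delimited line per file; the console shows raw output,
# not a report, so keep it short and easy to grep or paste into a spreadsheet.
if (-not $hits) {
    "$env:COMPUTERNAME|none|$TargetName not found in searched locations"
} else {
    $hits | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.Computer, $_.Match, $_.Version, $_.SHA256, $_.Path
    }
}

# Non-zero exit code makes the flagged devices stand out in Script Status.
if ($hits | Where-Object { $_.Match -ne 'none' }) { exit 1 } else { exit 0 }
```

Paste the block into the Create Script editor as-is. If the team gave you only a version, set `$BadSha256` to an empty string so the hash branch never matches; if they gave you a hash, the version check is a useful second signal but should not be trusted on its own.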

Once it's approved, hop over to Device Collections, right-click the collection you want to run the script on (All Systems, of course :)), and choose Run Script. Select your script, click Next, and before you know it the endpoints that are currently online in the All Systems collection will be running the script. In my one-endpoint lab it was astonishingly fast; within 90 seconds I saw the PowerShell script kick off in Task Manager on the workstation.

So we’ve executed our script, but how do we know if it worked or what happened? Well Microsoft added a new node to the Monitoring section titled Script Status. We can see in this node that the script returned the version number of notepad.exe that is running on the endpoint.

It also appears as a job under Client Operations.

I can see this being insanely useful, and I can see myself building an arsenal of scripts for our help desk to use when troubleshooting endpoint issues. It is definitely still a V1 release and they have a ways to go, but it's got a ton of promise. A couple of things I would like to see added:

  • Allow it to run on single devices instead of needing to be run on a collection. If I want to fix one PC, I don't want to create a single-device collection to do it.
  • To go along with the first item, add role-based administration (RBA) controls that limit users to only running scripts on single devices. I want to empower the help desk to use this to fix devices, but I don't want them accidentally rebooting a large collection of devices.
  • Some IntelliSense would be nice, so you can type out simple scripts directly in the console instead of having to copy and paste from the ISE.
  • PowerShell cmdlets to import/approve/start scripts.

Regardless, it's off to a great start, and I can't wait for it to make it into the product for real. Great work, guys!
