Logon scripts in Intune

Quick and simple tip on how to get a logon-script-like experience with Intune. On Azure AD joined devices there's currently no option to create Logon/Logoff or Startup/Shutdown scripts like we can with GPOs. I had a customer that needed a solution to start a command file as admin every time the user signed on to the device.

There's a workaround: use a scheduled task that runs at logon, and runs with administrator rights / Local SYSTEM if needed. It's a very simple PowerShell script that creates the scheduled task. The task:

  • is created by the script
  • runs at logon
  • runs as the Local SYSTEM account
  • runs a specified command (in this example it runs a .cmd file that requires administrative rights; the .cmd file is already present on the devices, placed there by a software vendor)

One thing to check before deploying this: whatever the task runs executes as SYSTEM at every logon, so the .cmd file and the folder it lives in must not be writable by standard users. A folder created directly under C:\ (like C:\Temp) inherits Modify for Authenticated Users by default, so a standard user could replace start.cmd with their own commands and have them run as SYSTEM at the next logon. Fix the ACL on the file and folder (or have the vendor place the file under Program Files) before assigning the script.

Full script is located here:

https://github.com/larsstaalm/Scripts/blob/master/CreateSchedulesTaskLogonScript.ps1

# Specify the command and argument (cmd.exe runs start.cmd and exits when it finishes)
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c C:\Temp\start.cmd'

# Set the trigger to be at any user logon (no -User given, so it fires for every user)
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Run as Local SYSTEM; ServiceAccount is the logon type used for the built-in service accounts
$STPrin = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

# Create the scheduled task in the root folder of Task Scheduler
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "StartCMD" -Description "Start the CMD as admin" -Principal $STPrin
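Here is a hardened version of the same idea, added as an example and not the script from the post or the GitHub repo. It refuses to register the task if the .cmd file (or its folder) can be modified by standard users, replaces an existing task of the same name so the script can safely be uploaded again as a "v2", overrides the Task Scheduler defaults that would skip the task on battery power and let it run forever, and exits non-zero on any failure so Intune shows the script as failed. The task name, the log file path and the list of low-privileged identities are choices made for this example.

```powershell
# Added example (not the post's own script). Registers the logon task only if the
# target file is safe to run as SYSTEM. Assumptions: task name, log path and the
# identity list below are example choices, not from the original post.
$TaskName = 'StartCMD'
$TaskPath = '\'
$Target   = 'C:\Temp\start.cmd'
$LogFile  = Join-Path $env:ProgramData 'StartCMD-deploy.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Identities that every signed-in user holds. If any of them can write to the
# target, a standard user could swap in their own commands and have them run as
# SYSTEM at the next logon.
$LowPrivIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-WritableByStandardUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

try {
    if (-not (Test-Path -Path $Target -PathType Leaf)) {
        throw "Target $Target does not exist on this device"
    }
    # Check the file and its parent folder: a writable folder lets a user delete
    # the file and recreate it with their own content.
    foreach ($p in @($Target, (Split-Path -Path $Target -Parent))) {
        if (Test-WritableByStandardUsers -Path $p) {
            throw "$p is writable by standard users; refusing to run it as SYSTEM"
        }
    }

    $action    = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\cmd.exe" -Argument "/c `"$Target`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
    # Without -Settings the task would not start on battery power and would have
    # no time limit, so a hung start.cmd could run as SYSTEM until reboot.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                     -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -MultipleInstances IgnoreNew

    # -Force replaces an existing task with the same name, so re-running the
    # script (for example from a newly uploaded Intune script) is safe.
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Description 'Start the CMD as SYSTEM at logon' -Force | Out-Null

    Write-Log "Registered $TaskPath$TaskName for $Target"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    # A non-zero exit code makes Intune report the script as failed for this device.
    exit 1
}
```

The ACL test looks at the resolved (inherited) ACEs on the file and folder, which is what matters: on a default install the inherit-only Modify entry for Authenticated Users on C:\ shows up as plain Modify on anything created underneath it. Run the script as SYSTEM, which is what Intune does when "Run this script using logged on credentials" is set to No.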

Configuring it in Intune

To make it run on the devices, go to Microsoft 365 Device Management portal (https://devicemanagement.portal.azure.com).

Go to Device Configuration and select Powershell scripts:

Give the script a name.

Browse and find the .ps1 file.

Click Settings and make sure "Run this script using logged on credentials" is set to No. The script then runs as SYSTEM, which is required to register a task with a SYSTEM principal; a standard user's context cannot do that.

Click OK and then Create.

Now we need to assign the script to an Azure AD group containing the devices or the users on which the script should run.

The task is created on the next client sync and shows up in the root folder of Task Scheduler:
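To confirm on a device that the task ended up the way the post describes (present in the root folder, running as SYSTEM, triggered at logon, and actually succeeding), here is a small check added as an example; it is not part of the original post. It returns an object with a Problems list rather than just printing, so it can be dropped into a remediation or compliance script. The task name is taken from the post; the set of checks is an assumption made for this example.

```powershell
# Added example (not from the post): inspect the registered logon task and flag
# anything that would stop it from doing what the post intends.
$TaskName = 'StartCMD'

function Get-LogonTaskStatus {
    param([string]$Name = $TaskName)

    $task = Get-ScheduledTask -TaskName $Name -TaskPath '\' -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ Name = $Name; Present = $false; Problems = @('task not found in root folder') }
    }

    $info         = $task | Get-ScheduledTaskInfo
    $triggerTypes = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
    $problems     = @()

    # SYSTEM can be shown by name or SID depending on how it was registered.
    if (@('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18') -notcontains $task.Principal.UserId) {
        $problems += "runs as $($task.Principal.UserId), not SYSTEM"
    }
    if ($triggerTypes -notcontains 'MSFT_TaskLogonTrigger') { $problems += 'no logon trigger' }
    if ($task.State -eq 'Disabled')                          { $problems += 'task is disabled' }
    if ($task.Settings.DisallowStartIfOnBatteries)           { $problems += 'will not start on battery power' }

    # 0x41303 = task has not run yet, 0x41301 = currently running; anything else
    # non-zero is the exit code of cmd.exe (or a Task Scheduler error).
    $okResults = @(0, 0x41303, 0x41301)
    if ($okResults -notcontains $info.LastTaskResult) {
        $problems += ('last run returned 0x{0:X8}' -f $info.LastTaskResult)
    }

    [pscustomobject]@{
        Name            = $Name
        Present         = $true
        State           = $task.State
        RunsAs          = $task.Principal.UserId
        LogonType       = $task.Principal.LogonType
        Triggers        = $triggerTypes -join ','
        Command         = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
        StartsOnBattery = -not $task.Settings.DisallowStartIfOnBatteries
        LastRunTime     = $info.LastRunTime
        LastTaskResult  = ('0x{0:X8}' -f $info.LastTaskResult)
        MissedRuns      = $info.NumberOfMissedRuns
        Problems        = $problems
    }
}

Get-LogonTaskStatus | Format-List
```

An empty Problems list means the task matches what the post sets up. LastTaskResult is shown in hex because Task Scheduler reports its own status codes that way; 0x00000000 after a logon means start.cmd ran and exited cleanly.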

If we at a later point need to change or delete the scheduled task, it can be done easily with a simple powershell command.

# Delete the scheduled task
Unregister-ScheduledTask -TaskName StartCMD -Confirm:$False

Put that in a .ps1 file and create a PowerShell script in Intune as we did above. Unassign the initial script, and assign this one instead.

Changing the Scheduled Tasks / Advanced scenarios

While it is possible to change the script and upload it again, devices that have already run the script will not run it again, even if we change its content: the Intune Management Extension remembers which scripts it has already executed on the device.

There are several options here; two of them, which are closely related:

https://powers-hell.com/2018/04/16/how-to-force-intune-configuration-scripts-to-re-run/

or

https://www.iphase.dk/force-reload-intune-powershell-scripts

3 thoughts on "Logon scripts in Intune"

  1. Pingback: Dowst.Dev | PowerShell Weekly – May 24, 2019

  2. Thanks for your posting. Questions for you.
    I'm trying to restrict user logon hours to 8 AM to 5 PM and force the user to log off at 5 PM; however, Azure AD doesn't have this feature. What is the best way to achieve this?

