One of the things that has been missing in Intune is PowerShell support for custom scripting, and with the Microsoft Intune Management Extension preview this will be possible. It was just announced by Microsoft at Ignite in Orlando and will be enabled in tenants later this year. It is in preview, so this may be changing over time.
There are so many possibilities once we can run PowerShell that only your imagination sets the limits.
So how does this work? When a PowerShell script is assigned to a user or a device, the Intune MDM channel installs an MSI with the Microsoft Intune Management Extension agent, and the agent is then kept up to date by Intune.
Let's take a look at how it works.
This is an example use case for the Microsoft Intune Management Extension where we need to disable SMBv1 on our Windows 10 devices.
So it is a simple PowerShell script that only runs a command.
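As an added example (not the script from the original post), here is one way to write that SMBv1 script for this scenario so it is idempotent, verifies the result and returns a non-zero exit code on failure. It assumes the default setting of not running with the logged on credentials (so it runs as SYSTEM), and the log path is a constructed example.

```powershell
# Added example: disable SMBv1 on Windows 10 from an Intune Management Extension script.
# Assumes "Run this script using the logged on credentials" is left at No, i.e. runs as SYSTEM.
# The log path below is a constructed example, not an Intune convention.
$LogPath = 'C:\ProgramData\IntuneScripts\Disable-SMBv1.log'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append | Out-Null

try {
    # Check the optional feature first so re-running the script is harmless.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    if ($feature.State -ne 'Disabled') {
        Write-Output "SMB1Protocol feature state is '$($feature.State)', disabling it."
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    } else {
        Write-Output 'SMB1Protocol feature is already disabled.'
    }

    # Also switch off the SMB1 server protocol at the service level; this takes
    # effect immediately and covers builds where the feature was left enabled.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMB1 server protocol disabled.'
    }

    # Verify and report. A non-zero exit code is reported back as a failed run.
    $after = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    if ($after.State -eq 'Disabled' -or $after.State -eq 'DisablePending') {
        Write-Output "Done. Feature state: $($after.State) (a reboot may be required)."
        $exitCode = 0
    } else {
        Write-Output "SMB1Protocol still reports state '$($after.State)'."
        $exitCode = 1
    }
}
catch {
    Write-Output "Error: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```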
When we have our PowerShell script we can go into the Intune management portal, click on Device configuration and then select PowerShell scripts.
Click Add Script.
We have to give it a name and then we can upload our PowerShell script.
Find the PowerShell script and upload it to Intune. Note: once the PowerShell script is uploaded you cannot change it or see its content.
Then click on Settings.
In the settings there are only two settings:
Run this script using the logged on credentials:
The default value is No, which means the PowerShell script runs in the SYSTEM context, so you have to be careful about what you are doing. If you change it to Yes, it will run in the user's context; an example of when you need this is changing registry keys in the user's profile.
Enforce script signature check:
The default is No, but if your scripts are signed and your company policy says that all PowerShell scripts have to be signed, then you have to change this to Yes.
Then you just have to assign it to user or device groups.
The next time the device syncs with Intune, the Microsoft Intune Management Extension agent will be installed on the device. Intune will then keep this MSI installed and updated at all times.
When the Microsoft Intune Management Extension is installed you can see all the files in: C:\Program Files (x86)\Microsoft Intune Management Extension
And the log files will be at: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
When we take a look at the IntuneManagementExtension.log we can see how your PowerShell script is run on the device. An example is that agentexecutor.exe runs the PowerShell script you have uploaded; note that the file is not named after your PowerShell script but after a GUID.
C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe -powershell "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\44cd8da3-8f37-49e0-aa01-93c7179969d1_2943490d-ba3d-43b6-971e-d3f7324513df.ps1"
We can also see the content of the PowerShell script that has been run on the device and whether it ran with success or failed.
In the AgentExecutor.log we can see everything the agent is doing on the device.
You can also look in the local Event Viewer to see what the PowerShell scripts are doing.
In the Intune portal we can monitor the PowerShell scripts on a device or user level.
The Microsoft Intune Management Extension is a great way of overcoming the missing functionality of MDM management.
Now we can install all software on an MDM-managed Windows 10 device with Intune. Think of Chocolatey, which is a PowerShell package manager.
Everywhere I check the enabling will be "later this year". Is there anywhere to check?
Good article, still missing the Intune Management Extension on hybrid joined machines though, so of limited use, sigh….
On hybrid joined devices you can run PowerShell with GPO, so not the same need.