Unable to deploy PowerShell scripts to a newly co-managed device with Intune


Hi there,


I am having issues deploying a PowerShell script through Intune to a device that has recently become co-managed with Configuration Manager. The CCM client was successfully installed and uses a CMG when off-network. The user logs into the device with a local admin account, not a domain account.


This MS guide states that the Client Apps workload in ConfigMgr doesn't need to be switched to Intune for PowerShell scripts when running on Windows 10 clients newer than 1903. But just in case, I have moved the Client Apps workload to Pilot Intune with a device collection containing my device. Intune acknowledges this and displays the correct Intune Managed Workloads on the device overview screen.


Even with this switched, I noticed the issue also impacts Win32 and LoB applications too. I cannot get any new applications to push down to the device anymore (since becoming co-managed) despite the workload supposedly being managed by Intune. The other workloads such as Device Configuration can be correctly controlled with Intune as tested with several configuration policies.


Running the same script manually on the device worked as expected. Pushing the script to a separate device that isn't co-managed, only AADJ, also worked as expected. I've also tried targeting the script to a user security group instead of a device-based group, to no avail.


I would appreciate any help on this.







2 Replies
Hi... Mmm, looking at what you are telling us, do you have access to the IME and the agentexecutor log files? As you are mentioning you have switched the workloads, I am wondering if the IME got installed and, if so, if there are any logs in the programdata\microsoft\intune management extension.
best response confirmed by PeterRising (MVP)

Hi @Rudy_Ooms_MVP , thanks for looking into this.


Some good news, the PS script pushed down to the device automatically this morning (including a Win32 app). For clarity though, IME was installed a few weeks ago and partially working on the day of the issue, since I was able to push down a configuration policy and see the settings take effect. Looking back at the logs for when a sync occurred, all that stood out to me was a line that said:


[Win32App] Exception occurs in application poller thread, the exception = System.Exception: Failed to get device id...


But since nothing was changed over the weekend, I think the issue was just not giving the device enough time to recognise its MDM for the Client Apps workload was now Intune, not ConfigMgr.
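
To see when the log line quoted above first and last occurred, the IME log can be parsed entry by entry. This is an added example, not code from the thread's participants. It assumes the default IME log path and the CMTrace entry layout; the sample entries are constructed and only used when the log file is absent.

```powershell
param(
    # Assumed default IME log location on a Windows client.
    [string]$LogPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
)

# Constructed sample entries (not real log output), used when the log is absent.
$sample = @'
<![LOG[[Win32App] (constructed) poller cycle started]LOG]!><time="08:01:10.1000000" date="1-10-2022" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[[Win32App] Exception occurs in application poller thread, the exception = System.Exception: Failed to get device id...
   at (constructed stack frame)]LOG]!><time="08:01:11.2000000" date="1-10-2022" component="IntuneManagementExtension" context="" type="3" thread="5" file="">
<![LOG[[PowerShell] (constructed) script polling started]LOG]!><time="09:01:10.1000000" date="1-11-2022" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
'@

$text = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath -Raw } else { $sample }

# One CMTrace entry; (?s) lets a message span several lines, as exceptions do.
$pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

$entries = foreach ($m in [regex]::Matches($text, $pattern)) {
    [pscustomobject]@{
        Date     = $m.Groups['date'].Value
        Time     = ($m.Groups['time'].Value -split '\.')[0]
        Severity = $severity[$m.Groups['type'].Value]
        Message  = ($m.Groups['msg'].Value -split "`r?`n")[0].Trim()
    }
}

# Keep only the Win32App poller exception quoted in the thread.
$hits = @($entries | Where-Object { $_.Message.Contains('Exception occurs in application poller thread') })

"{0} of {1} entries are Win32App poller exceptions" -f $hits.Count, @($entries).Count
if ($hits.Count -gt 0) {
    "First: {0} {1}   Last: {2} {3}" -f $hits[0].Date, $hits[0].Time, $hits[-1].Date, $hits[-1].Time
    $hits | Format-Table Date, Time, Severity, Message -AutoSize -Wrap
}
```

Comparing the last occurrence with the time the Client Apps workload was switched shows whether the exception stopped on its own after the change.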