PowerShell script not deploying through Intune, comes back as successful but no changes are made

Published 2025-01-29 21:18:58 · 1340 characters · 3 views · 0 comments · Original


I have been trying to deploy this PowerShell script to one of my test units; it changes the taskbar layout in Windows 11 by changing the value of certain registry keys. When it does deploy through Intune, it comes back as successful, however no changes were made. The script is also successful when run manually. There is something that I am missing but I can't figure it out.


$registryPath1 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search"
$registryPath2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$registryPath3 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

$name1 = "SearchboxTaskbarMode"
$name2 = "ShowTaskViewButton"
$name3 = "TaskbarAl"

$value1 = "0"
$value2 = "0"
$value3 = "0"

# Create each key if it is missing, then set the value.
# -Type DWord keeps a newly created value as REG_DWORD instead of a REG_SZ "0".
IF (!(Test-Path $registryPath1)) {
    New-Item -Path $registryPath1 -Force | Out-Null
    Set-ItemProperty -Path $registryPath1 -Name $name1 -Value $value1 -Type DWord
} ELSE {
    Set-ItemProperty -Path $registryPath1 -Name $name1 -Value $value1 -Type DWord
}

IF (!(Test-Path $registryPath2)) {
    New-Item -Path $registryPath2 -Force | Out-Null
    Set-ItemProperty -Path $registryPath2 -Name $name2 -Value $value2 -Type DWord
} ELSE {
    Set-ItemProperty -Path $registryPath2 -Name $name2 -Value $value2 -Type DWord
}

IF (!(Test-Path $registryPath3)) {
    New-Item -Path $registryPath3 -Force | Out-Null
    Set-ItemProperty -Path $registryPath3 -Name $name3 -Value $value3 -Type DWord
} ELSE {
    Set-ItemProperty -Path $registryPath3 -Name $name3 -Value $value3 -Type DWord
}


Comments (1)

养猫人 2025-02-05 21:18:59


I'm not sure what is happening with your script, but here is an example of a script that we have been using successfully to apply registry changes to Intune-enrolled Windows boxes. This script implements the "Disable 'Allow Basic authentication' for WinRM Service" security change by setting a registry key. We use scripts like this in Windows Endpoint Manager Admin Center (Devices | Policy | Scripts | Add Script).

The script works by creating two new registry paths (that we found not to exist in our environment) and then adding the desired registry key. Previously we used -Force when creating the paths and did not check for existence, but we discovered that -Force drops and recreates the path, and that wipes out any other changes that have been applied within this node. The Get-Itemproperty command allows you to more easily confirm in the AgentExecutor.log file that your change has been implemented -- the output gets logged to this file.

$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM"
If (!(Test-Path $Path)) {
  New-Item -Path $Path
}
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
If (!(Test-Path $Path)) {
  New-Item -Path $Path
}
Set-Itemproperty -Path $Path -Name 'AllowBasic' -Type "Dword" -Value "0" -Force
Get-Itemproperty -Path $Path -Name 'AllowBasic'

In terms of finding out what the script is doing, have you looked in "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" on the client devices?

In particular, the AgentExecutor.log file will contain the output from PowerShell scripts executed by Intune, and the PowerShell commands will generate text that looks like this when creating registry entries. You can also write messages to this file from your script using the Write-Output PowerShell command.

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Name                           Property                                                                                
----                           --------                                                                                
WinRM                                                                                                                  
    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM
Name                           Property                                                                                
----                           --------                                                                                
Service
                                                                                                                
AllowBasic   : 0
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM
PSChildName  : Service
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

We use these script settings in Endpoint manager:

Run this script using the logged on credentials: No
Enforce script signature check: No
Run script in 64 bit PowerShell Host: No

Other potential gotchas:

  • There appears to be confusion online about when these scripts are executed. Our experience is that they are not executed except when machines are rebooted. That is the only time we have seen log entries in AgentExecutor.log indicating the scripts have run, and it's the only time we have seen the registry entries get created.
  • If you change a script and re-upload it to Endpoint Manager, it is our experience that this change does get rolled out to assigned included groups. You will need to reboot one of the devices in the testing group, however.
  • Be patient - we have seen delays of up to 10 minutes after a reboot before we see log entries in AgentExecutor.log indicating the script has run.

We have used this method to roll out more than a dozen different changes to 50+ Intune-enrolled Windows devices.
Hope this helps...
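As an added example (not the asker's or the answerer's code), here is one script that applies the question's three taskbar values using the answer's create-only-if-missing check and a read-back of each value so AgentExecutor.log shows what was actually written. It also logs the account the script runs as: with "Run this script using the logged on credentials: No", Intune runs the script as SYSTEM, and HKCU: then resolves to the SYSTEM account's hive rather than the signed-in user's. The Set-RegistryDword function name, the settings list and the exit-code handling are assumptions of this example.

```powershell
# Added example, not the original question's or answer's script.
# Assumes the three per-user taskbar values from the question.
$ErrorActionPreference = 'Stop'

# Logged to AgentExecutor.log: shows whether HKCU: is the user's hive or SYSTEM's.
Write-Output ("Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name)

function Set-RegistryDword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Create the key only when missing: New-Item -Force on an existing key
    # recreates it and discards the sibling values already stored there.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path | Out-Null
    }
    # -Type DWord makes a newly created value REG_DWORD rather than REG_SZ "0".
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    # Read the value back so the log records what is really in the registry.
    $written = (Get-ItemProperty -Path $Path -Name $Name).$Name
    Write-Output ("{0}\{1} = {2}" -f $Path, $Name, $written)
    return ($written -eq $Value)
}

# Constructed list of the question's three settings.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Search';            Name = 'SearchboxTaskbarMode'; Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowTaskViewButton';   Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'TaskbarAl';            Value = 0 }
)

$allOk = $true
foreach ($s in $settings) {
    if (-not (Set-RegistryDword @s)) { $allOk = $false }
}

# A non-zero exit code makes Intune report the script as failed instead of
# reporting success while nothing was applied for the user.
if (-not $allOk) { exit 1 }
exit 0
```

If the log shows NT AUTHORITY\SYSTEM, the values were written to SYSTEM's HKCU hive, not the signed-in user's; per-user taskbar settings need the script assigned with "Run this script using the logged on credentials: Yes".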
