Intune + PowerShell Scripts-Nothing Happening

[YodaNT]

I'm currently trying to get a few Powershell scripts to run via Intune to Windows 11 Pro laptops. The Powershell scripts run fine when tested via local Powershell but Intune doesn't seem to do anything during a check-in or sync.

Intune doesn't show any errors but never runs the Powershell scripts under Windows-Scripts and Remediations-Platform Scripts .

The Powershell scripts are pretty straightforward and each script only adds 1 key to the Windows registry.

Has anyone run into this before and if so any suggestions?

 

[mac-win]

The first thing I would check would be the logs. In this case, Prajwal has a guide on where to find them and what to look for in them, when doing this kind of troubleshooting: https://www.prajwaldesai.com/microsoft-intune-management-extension-logs/

My guess is, either the script isn't getting there, or isn't getting run once it is there. Given that it runs locally, I'd rule out a syntax error on that, but maybe there is one. The logs will be able to show you what Intune is actually doing though. You can read the logs with a text editor like Notepad, but CMTrace or another log reader will highlight and format some things to make working with them a little easier.

 

[DerHabbo]

Are you my co-worker or something? Anyway in our case the suspicion is the scripts aren't running because of a scope issue, where were trying to target on a machine group basis but needed to target on a user group basis.

 

[YodaNT]

Are you my co-worker or something? Anyway in our case the suspicion is the scripts aren't running because of a scope issue, where were trying to target on a machine group basis but needed to target on a user group basis.

Haha! No!

We're trying to target on a group basis for only Windows 11 laptops in a specific group.

 

[YodaNT]

I've tried three different versions of the Powershell script and all run correctly when run on a Windows 11 device.

Here's what the logs show:

component="IntuneManagementExtension" context="" type="1" thread="1" file="">
<![LOG[DeleteRegistryKey() is failed with exception: System.ArgumentException: Cannot delete a subkey tree because the subkey does not exist.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey, Boolean throwOnMissingSubKey)
at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.RegistryHelper.DeleteRegistryKey(String key)]LOG]!><time="19:54:48.5877252" date="6-23-2025" component="IntuneManagementExtension" context="" type="3" thread="1" file="">

 

[DerHabbo]

Ah is this key you are trying to remove only present in the HKCU hive? The script is likely running as SYSTEM. If that's the case I usually set it up to poll SIDs for accounts that have signed in previously and do a foreach{ with the HKU hive. Probably an easier way to go about it though.

 

[YodaNT]

Ah is this key you are trying to remove only present in the HKCU hive? The script is likely running as SYSTEM. If that's the case I usually set it up to poll SIDs for accounts that have signed in previously and do a foreach{ with the HKU hive. Probably an easier way to go about it though.

Yep. I've even tried just adding a key and it kicks out the same error. I'm trying to push a Slack workspace ID entry to the registry.

 

[YodaNT]

I started with this in a Powershell script:

New-Item -Path HKCUSoftware\Policies\Slack -Name "DefaultSignInTeam" -Value "XXXXXX" -PropertyType "String"

Then I tried the below. Both generate the same errors in the log but run fine if run locally.

# Define the registry key path
$registryPath = "HKCUSoftware\Policies\Slack"
$propertyName = "DefaultSignInTeam"
$propertyValue = "XXXXXXXXX"

# Ensure the registry key exists
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
}

# Set (or update) the registry value
Set-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue

 

[DerHabbo]

Well at least part of the problem is set-itemproperty. That assumes the subkey exists and already has a value assigned, which it doesn't cause you are creating the key, so you should be using new-itemproperty.
That should fix your missing subkey error message. I don't think it'll actually do what you want it to though. Because like I said it likely runs as SYSTEM, so you are injecting the subkey to S-1-5-18 as opposed to your end user's SID (HKCU is SYSTEM in this context). Since you are using set- you probably expect the subkey to exist in end user HKCU context.

I'm pretty sure there's a way easier way of doing this... I'm going to look at how we do Slack at work tomorrow.