Windows Agent device policy

Use the Windows Agent device policy to run PowerShell scripts on managed Windows desktops and tablets. You can point to script files uploaded to Endpoint Management as an enterprise app and to other servers that host scripts. For information about adding enterprise apps, see Add apps.

After deploying and running the script, you can configure automated actions based on the results of the script. For instance, you run a script that monitors a registry key and returns a result. Based on the result returned, an automated action runs that grants or denies access to an app, marks the device as out of compliance, or has other effects.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Windows Desktop and Tablet settings

Device Policies configuration screen

  • Config name: Type a descriptive name for your configuration.

  • Task type: Select PowerShell.

  • Select script location: Select Uploaded script for scripts that you have uploaded to Endpoint Management or select Script location URL for scripts hosted externally.

    • Select script: If you chose Uploaded script, select the script to run.

    • Enter script location URL: If you chose Script location URL, enter the location of the script to run. This URL must deliver the script as a payload. Endpoint Management doesn’t support URLs that deliver scripts as a JavaScript download.

  • Run Schedule: Select Run Once to run the selected script one time or select Run Frequently to run the script on a selected schedule.

    • Scheduling Frequency(hr): Type the number of hours between script runs.

To check on the status of a script, navigate to Manage > Devices in your console. Select the device on which you want to check the script status and click Edit. Under Properties, you can check the status of your scripts by clicking Download under the Windows Agent heading.

Deploy a PowerShell script to trigger an automated action

  1. Create a PowerShell script to monitor a registry key. The following PowerShell script checks to see if the firewall is enabled.

    # Build a hashtable that is serialized as the script result.
    $body = @{}
    # Read the EnableFirewall value (1 = on) for the standard profile.
    $firewallEnabled = Get-ItemPropertyValue HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -Name EnableFirewall
    if ($firewallEnabled -eq 1) {
        $body["firewallEnabled"] = "true"
    } else {
        $body["firewallEnabled"] = "false"
    }
    # Emit the result as JSON; Endpoint Management reads this output as the script status.
    $body | ConvertTo-Json -Depth 10

    This script returns a value of either

    {
        "firewallEnabled":  "true"
    }
    

    or

    {
        "firewallEnabled":  "false"
    }
    
  2. Upload the script to the Endpoint Management console as an enterprise app or host the script at an accessible URL.
  3. Configure the Windows Agent device policy as described in this article. Ensure that the script is scheduled to run immediately.

    Sample Windows Agent device policy

  4. After the script runs, determine the script status.
    1. Navigate to Manage > Devices in your console.
    2. Select the device to check its script status and then click Edit.
    3. Click Download under the Windows Agent heading.

    Windows Agent download status

  5. Configure an automated action based on the status received. For more information on configuring automated actions, see Create an automated action based on a Windows Agent device policy result. That section shows the specific automated actions created for the example script and Windows Agent device policy.
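The following script is an added example, not part of the Citrix documentation: it extends the firewall check above to all three Windows Firewall profiles and handles a missing key, which the single-profile script above does not. It assumes the standard DomainProfile and PublicProfile keys that sit beside the StandardProfile key on the page; the JSON key names are chosen for this example.

```powershell
# Added example (not from the Citrix documentation). Reports the EnableFirewall value
# for each Windows Firewall profile as a string in a flat JSON body, which is the shape
# an automated action can match on. The base path is the one used on the page; the
# DomainProfile and PublicProfile subkeys are the standard sibling locations.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# JSON key name (chosen for this example) -> registry subkey.
$profiles = @{
    domainFirewallEnabled   = 'DomainProfile'
    standardFirewallEnabled = 'StandardProfile'
    publicFirewallEnabled   = 'PublicProfile'
}

$body = @{}
$allEnabled = $true

foreach ($key in $profiles.Keys) {
    $path = Join-Path $base $profiles[$key]
    try {
        # Get-ItemPropertyValue throws if the key or value is absent; report that as
        # "unknown" instead of silently treating the firewall as enabled.
        $value = Get-ItemPropertyValue -Path $path -Name EnableFirewall -ErrorAction Stop
        if ($value -eq 1) {
            $body[$key] = 'true'
        } else {
            $body[$key] = 'false'
            $allEnabled = $false
        }
    } catch {
        $body[$key] = 'unknown'
        $allEnabled = $false
    }
}

# One summary value so a single automated action can key off it instead of three.
$body['allProfilesFirewallEnabled'] = if ($allEnabled) { 'true' } else { 'false' }

# Emit the result as JSON; the Windows Agent reports this output as the script status.
$body | ConvertTo-Json -Depth 10
```

When the firewall state is enforced by Group Policy, the effective setting lives under HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall rather than the keys read here, so a script for domain-joined devices should check that hive as well, or use Get-NetFirewallProfile, which reports the effective state.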