In this post you learn how to run MDT task sequences, for either Computer Refresh or In-place Upgrade scenarios, from Microsoft Intune. Using task sequences gives you much better control over Windows 10 servicing than regular feature updates do. And, as you probably figured out from the title already, there are more posts coming. :)
Credit goes to Peter Selch Dahl ( @PeterSelchDahl ) and Oliver Kieselbach ( @okieselb ) for excellent info on PowerShell script support in Intune.
Set up MDT for Microsoft Intune
Since Intune doesn't support applications larger than 2 GB, you have to use a regular Azure blob storage account to store the OS deployment content, and then fetch that content from your deployment (assignment) in Microsoft Intune. To run MDT task sequences via Microsoft Intune, you need the following:
- An MDT media item with a Windows 10 image, drivers, task sequences etc.
- An Intune subscription.
- A little bit of PowerShell.
Step 1 – Create an MDT offline media item
Rather than trying to run deployments directly from Intune/Azure, I wanted to make sure all content needed was downloaded to the client first, and then run the deployment locally. To make this work I'm using a little-known trick in MDT: generate an offline media item, and copy it to the C:\ drive on the computer targeted for the OS deployment. If you copy the Deploy folder from an MDT media item to the C:\ drive, you can start the LiteTouch.vbs script directly from that folder, meaning the OS deployment starts locally. By using a download-and-execute method, you also have additional options for reducing network impact, such as using BITS for the download. Keep in mind that everything downloaded this way is executed as SYSTEM, so the storage container must stay private and you should check what you downloaded before running it.
Here are the high-level steps to create an offline media item in MDT. For more details see the docs: http://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
1. On any Windows machine, install MDT 8450 and Windows ADK 10 v1709.
2. Using Deployment Workbench, create an MDT deployment share.
3. Import your Windows 10 image, and any drivers you need.
4. Create two task sequences: one Standard Client task sequence used for Computer Refresh scenarios, and one In-place Upgrade task sequence.
5. In the Advanced Configuration node, create an MDT media item. Make very sure not to create it inside the normal deployment share; create its folder somewhere else.
6. Configure the MDT media item to not ask any questions during OS deployment. If you need an example, I've uploaded the Bootstrap.ini and CustomSettings.ini files I used when developing this solution. These files go into the media item folder, not the parent deployment share.
http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/SilentMediaBootstrap.ini
http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/SilentMediaCustomSettings.ini
An MDT media item for Windows 10 deployments.
Step 2 – Upload the MDT offline media item for Microsoft Intune (to Azure)
To store the MDT offline media item in Azure, you should archive it to a single large file (faster to download). In my case I simply used 7-Zip to create an archive of the MDT offline media item.
1. Using 7-Zip, create an archive of the Deploy folder in your MDT media item. In my case I named the archive Windows10v1709.7z, and I gave the archive a password to make it at least a little bit difficult to read the content. Note what the password does and does not buy you: 7-Zip encrypts the file contents with AES-256, but the file and folder names stay readable unless you also tick "Encrypt file names", and the password itself ends up in the script that Intune delivers to every targeted device, so it only keeps the blob content opaque to someone who has the download link but not the script. In addition to the password, I also set the compression level to Ultra, and the solid block size to Solid.
Creating an archive using 7-Zip.
The Deploy folder in my MDT media item archive into the Windows10v1709.7z file.
2. In the Azure Portal, or PowerShell, create a Microsoft Azure Storage Account (Blob Storage). If you are new into Azure Storage, check the docs here:
About Azure storage accounts
http://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#create-a-storage-account
3. In your Azure storage account, create a new container, and set the public access level to Private (no anonymous access). The shared access signature you create in step 5 will be the only way clients can read from it.
4. Upload the MDT media item archive, and the 7z.exe/7z.dll files to the container.
5. Create a new Shared Access Signature (SAS) with Read permission only, allowed protocol HTTPS only, and don't forget to set valid Start and Expiry date/time; keep the expiry as short as your rollout allows. Remember that the SAS is embedded in the script and is therefore readable by any local administrator on a targeted device: treat it as a credential that grants read access to the container for its whole lifetime. An ad-hoc SAS signed with the storage account key can only be revoked by regenerating that key (a SAS tied to a stored access policy can be revoked by deleting the policy). Again, if you are new to Azure storage, check the docs for shared access signatures here:
Using shared access signatures (SAS)
http://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
Generating a Shared Access Signature.
6. Get the "real" download link for your uploaded file by appending the shared access signature, which is a query string starting with "?", to the URL of the blob, e.g. https://<storage account>.blob.core.windows.net/<container>/Windows10v1709.7z?<SAS>. The script below does exactly that concatenation, so the value you paste into $SAS must include the leading "?".
7. Modify the below script with the info from your Azure environment, and then import the script into the Microsoft Intune PowerShell script feature.
$Path = $env:TEMP
$7zPassword = "P@ssw0rd"
$Container = "https://<storage account>.blob.core.windows.net/<container>"
$SAS = "?<your shared access signature>"   # Query string, including the leading "?"
# Option #1 - Download content via HTTPS
#Invoke-WebRequest "$Container/7z.exe$SAS" -OutFile "$Path\7z.exe"
#Invoke-WebRequest "$Container/7z.dll$SAS" -OutFile "$Path\7z.dll"
#Invoke-WebRequest "$Container/Windows10v1709.7z$SAS" -OutFile "$Path\Windows10v1709.7z"
# Option #2 - Download content via BITS (typically faster, unless throttled, and more resilient on poor networks)
Import-Module BitsTransfer
Start-BitsTransfer "$Container/7z.exe$SAS" -Destination "$Path\7z.exe"
Start-BitsTransfer "$Container/7z.dll$SAS" -Destination "$Path\7z.dll"
Start-BitsTransfer "$Container/Windows10v1709.7z$SAS" -Destination "$Path\Windows10v1709.7z"
# Extract the MDT media item to C:\ (the archive contains the Deploy folder, so this creates C:\Deploy)
& "$Path\7z.exe" x -y -oC:\ "-p$7zPassword" "$Path\Windows10v1709.7z" | Out-Null
Remove-Item "$Path\Windows10v1709.7z"
# Run LiteTouch.vbs from the extracted media; replace the task sequence ID with yours
Start-Process -FilePath 'cscript.exe' -ArgumentList "C:\Deploy\Scripts\LiteTouch.vbs", "/TaskSequenceID:W10-X64-015", "/SkipTaskSequence:YES" -Verb RunAs
8. Assign the script to a group of computers in Microsoft Intune, and configure it to run as System. Then wait an hour or so. Done 🙂
Note: When PowerShell scripts are assigned to run as System, the %temp% folder is C:\Windows\Temp.
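The script above trusts whatever comes back from the container. As an added example (not code from the original post), here is a hardened variant of the same download-and-run flow that verifies a SHA-256 hash for each file before anything is extracted or executed, checks the 7-Zip exit code, refuses to run over a leftover C:\Deploy, and writes a log you can read after the Intune timeout has fired. The container URL, SAS, archive password and hash values are placeholders you fill in; the hashes are computed with Get-FileHash on the admin workstation before upload. The task sequence ID W10-X64-015 is the one used in the post.

```powershell
# Added example, not from the original post. All <...> values are placeholders.
$ErrorActionPreference = 'Stop'
$Container      = 'https://<storage account>.blob.core.windows.net/<container>'
$SAS            = '?<read-only, HTTPS-only shared access signature>'   # must start with '?'
$7zPassword     = '<archive password>'
$Path           = Join-Path $env:TEMP 'MDTMedia'          # C:\Windows\Temp\MDTMedia when run as System
$Log            = 'C:\Windows\Temp\MDT-Intune-Download.log'
$TaskSequenceID = 'W10-X64-015'

# Expected SHA-256 hashes (placeholders), computed with Get-FileHash before the files were uploaded.
$Files = @{
    '7z.exe'            = '<sha256 of 7z.exe>'
    '7z.dll'            = '<sha256 of 7z.dll>'
    'Windows10v1709.7z' = '<sha256 of Windows10v1709.7z>'
}

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $Log -Append -Encoding utf8
}

function Get-VerifiedBlob ([string]$Name, [string]$ExpectedHash) {
    # Download one blob via BITS and refuse to return it unless its hash matches.
    if (-not $SAS.StartsWith('?')) { throw 'SAS token must begin with "?"' }
    $dest = Join-Path $Path $Name
    Write-Log "Downloading $Name"
    # Foreground priority avoids the idle-time throttling of background BITS jobs.
    Start-BitsTransfer -Source "$Container/$Name$SAS" -Destination $dest -Priority Foreground
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
        Remove-Item $dest -Force
        throw "Hash mismatch for ${Name}: expected $ExpectedHash, got $actual"
    }
    Write-Log "Verified $Name ($actual)"
    return $dest
}

try {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Import-Module BitsTransfer

    foreach ($name in $Files.Keys) {
        Get-VerifiedBlob -Name $name -ExpectedHash $Files[$name] | Out-Null
    }

    # A previous run (or an older media version) must not be mixed with this one.
    if (Test-Path 'C:\Deploy') { throw 'C:\Deploy already exists; aborting' }

    $archive = Join-Path $Path 'Windows10v1709.7z'
    & (Join-Path $Path '7z.exe') x -y -oC:\ "-p$7zPassword" $archive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip extraction failed with exit code $LASTEXITCODE" }
    Remove-Item $archive -Force

    $liteTouch = 'C:\Deploy\Scripts\LiteTouch.vbs'
    if (-not (Test-Path $liteTouch)) { throw "$liteTouch not found after extraction" }

    Write-Log "Starting task sequence $TaskSequenceID"
    # Already running as System from the Intune Management Extension, so no -Verb RunAs is needed.
    Start-Process -FilePath 'cscript.exe' -ArgumentList "`"$liteTouch`"", "/TaskSequenceID:$TaskSequenceID", "/SkipTaskSequence:YES"
    exit 0
}
catch {
    Write-Log "FAILED: $_"
    exit 1
}
```

The hash check is what makes the private container plus SAS model hold up: anyone who obtains the SAS can read the blobs, but nobody who cannot also change the script can make the client extract and run different content. The log file is the quickest way to tell a real failure from the Intune script timeout described under Monitoring below.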

Checking the files coming down via the PowerShell script when assigned as System.
Monitoring
From the Azure/Intune portal, you can go to the Device Configuration blade, select PowerShell scripts, select the script you want to monitor, select Monitor, and then look at the device status and user status reports.
Note: Due to the default script timeout (10 minutes) in Microsoft Intune, a long-running script like this one will show as failed in the monitoring node, even when the deployment succeeded.

The MDT task sequence started via Microsoft Intune.
Troubleshooting Tips
If the script never runs, make sure the machine is Azure AD joined, and that it is running Windows 10 v1607 or later. Running PowerShell scripts from Microsoft Intune requires the Microsoft Intune Management Extension, and that is only supported on Azure AD joined devices. To find out if a machine is Azure AD joined, run the dsregcmd.exe /status command and look for AzureAdJoined : YES.

Running the dsregcmd.exe /status on a Windows 10 v1607 machine.
In Settings, you should also see that the Microsoft Intune Management Extension is installed, but please note that this can take a little while. You can check the installation status in Event Viewer, in the Applications and Services Logs / Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider / Admin node.

The Event Viewer showing a successful install of the Microsoft Intune Management Extension.
And, you will of course also see it in Programs and Features in Windows 10.

Microsoft Intune Management Extension installed.
You can review the logs for more information. In the C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder, check the following log files:
- IntuneManagementExtension.log
- AgentExecutor.log

The C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder.
The script itself is downloaded to the C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts folder, and then run.

The location for the PowerShell script.
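The checks in this section (OS version, Azure AD join state, extension installed, logs and script folder present) can be run in one go from an elevated prompt on the client. This is an added example, not code from the original post; the service name IntuneManagementExtension, the log and script folder paths and the event log channel are the ones referenced above.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt on the client.
function Test-IntuneScriptPrereqs {
    $result = [ordered]@{}

    # Windows 10 v1607 is build 14393
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $result.WindowsBuild   = $build
    $result.BuildSupported = ($build -ge 14393)

    # Parse the "AzureAdJoined : YES/NO" line from dsregcmd /status
    $line = dsregcmd.exe /status |
        Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)' |
        Select-Object -First 1
    $result.AzureAdJoined = [bool]($line -and $line.Matches[0].Groups[1].Value -eq 'YES')

    # Intune Management Extension service, log folder and downloaded scripts
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $result.IMEInstalled = [bool]$svc
    $result.IMEStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    $logDir    = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
    $scriptDir = 'C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts'
    $result.LogFolderPresent  = Test-Path $logDir
    $result.ScriptsDownloaded = if (Test-Path $scriptDir) { (Get-ChildItem $scriptDir -File).Count } else { 0 }

    [pscustomobject]$result
}

function Show-IntuneScriptErrors ([int]$Minutes = 60) {
    # Recent errors from the MDM enrollment/management channel shown in Event Viewer
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # Script-related lines from the tail of the extension log
    $log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
    if (Test-Path $log) {
        Get-Content $log -Tail 200 | Select-String -Pattern 'PowerShell|script'
    }
}

Test-IntuneScriptPrereqs | Format-List
Show-IntuneScriptErrors -Minutes 120
```

If BuildSupported or AzureAdJoined comes back False, nothing else will work; if IMEInstalled is False on a freshly joined device, wait and rerun, since the extension is installed only after the first script or Win32 app is assigned.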
For more troubleshooting tips, check the below blog post by Oliver Kieselbach ( @okieselb ).
Deep dive Microsoft Intune Management Extension – PowerShell Scripts
Written by Johan Arwidmark
Hey, great blog post. I wonder if you can help. I am getting PowerShell errors when trying to download the file from blob. I am using PS to run the script locally as admin. I am getting this error: "start-bitstransfer : http status 403: the client does not have sufficient access rights to the requested server object." I am logged into my VM as a user.
Sounds like permission issues with the Azure blob itself. I haven't revisited this in a while, it could be that security has changed for blob access.
Hey, great article, but I am having a few issues. My content\deploy folder has no OS, and I have updated the deployment share. Have I missed something? I am trying to use a custom install.wim which is 13 GB.
It should be there after updating the media item.
How does the refresh option work if the drive is formatted?
With a Computer Refresh, it wipes the disk instead of formatting the disk. Backup folders etc. are still kept.
Nice. What would be the typical egress costs in the above example?
For a standard image with no applications it's about 40 cents per deployment. However, if you are using the PowerShell extension to MDT, you can enable P2P via BranchCache, and then you only have to pay for the first download. All following downloads will get the content from the first computer.
Much better than expected, thanks will try this out.