PowerShell

Active Directory and on-premises automation

The ActiveDirectory module (RSAT) provides Get-ADUser, Get-ADComputer, Get-ADGroup, and set/move/disable equivalents. Bulk operations — disabling stale accounts, syncing attribute sets, generating OU membership reports — are standard daily-use cases.

Microsoft Graph API integration

The Microsoft.Graph module wraps Graph API endpoints as PowerShell cmdlets. Use it to query Intune device inventory, Entra ID users, group memberships, Teams, SharePoint, and Exchange Online without the admin portals.

Intune and endpoint management

Get-MgDeviceManagementManagedDevice and related Graph cmdlets export compliance state, OS version, last check-in, and primary user for every enrolled device. Proactive Remediation script pairs (detect + remediate) run on Intune-managed endpoints on a configurable schedule.

Patch and vulnerability reporting

Query the Windows Update Agent via COM API, WSUS database, or WUfB Reports in Log Analytics. Generate per-device patch lag reports, identify devices missing critical KBs, and produce HTML dashboards for weekly review.

Security baseline validation

Scripts like Invoke-WindowsHardening apply CIS Level 1/2 controls and generate a pre/post compliance delta report. Run as an Intune Proactive Remediation to continuously validate that baseline settings have not drifted from policy.

Infrastructure provisioning and lab work

Hyper-V management (New-VM, Checkpoint-VM), WinRM configuration for remoting, unattend.xml-driven OS deployments, and repeatable lab baseline scripts reduce setup time from hours to minutes and make environments reproducible.

Use -WhatIf and -Confirm before destructive actions

Any cmdlet that modifies, removes, or moves objects should be tested with -WhatIf first to preview what would change. Build -WhatIf support into your own functions using [CmdletBinding(SupportsShouldProcess)] so callers can do the same. Never run bulk set/remove operations against production without a -WhatIf pass first.

Validate input at script boundaries

Use [Parameter(Mandatory)] with [ValidateNotNullOrEmpty()] and type constraints on all inputs. Fail fast with a meaningful error if inputs are outside expected range — before touching any real objects. Untrusted input (CSV files, API responses) should always be sanitised before being passed to cmdlets that accept pipeline input.

Never hardcode credentials

Credentials in script files get committed to version control, stored in scheduled task history, and logged in transcripts. Use Get-StoredCredential (CredentialManager module), certificate-based app registrations, managed identities, or Windows Credential Manager via [System.Net.NetworkCredential]. For service accounts, use gMSAs where available.

Scope to least privilege

Graph API app registrations should request only the permission scopes the script actually uses — never Directory.ReadWrite.All when User.Read.All is sufficient. AD scripts should run as a service account with delegation scoped to the specific OU or attribute. Audit permission scopes quarterly as scripts evolve.

Test against a non-production target

For Intune scripts, use a test Entra ID group with non-critical devices before assigning to production groups. For AD scripts, run against a test OU. For Exchange scripts, run against a mailbox you own. The cost of a test environment is always less than the cost of a production rollback.

Version control and peer review

Production scripts belong in source control (Git). Changes to scheduled scripts should go through a pull request review — the same bar you apply to application code. Comment the WHY of non-obvious logic, not the WHAT. Include a changelog block in the script header with author, date, and summary of each change.

RSAT and the AD module

Install on Windows 10/11 via Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0. On Windows Server, Install-WindowsFeature RSAT-AD-PowerShell. The module loads automatically when you call an AD cmdlet — no explicit Import-Module required on domain-joined machines.

Querying AD objects efficiently

Use -Filter instead of -LDAPFilter for simpler queries; use -LDAPFilter for complex multi-attribute filters. Always specify -Properties to retrieve only the attributes you need — Get-ADUser -Properties * is expensive on large directories. Use Get-ADOrganizationalUnit with -SearchBase to scope queries to a specific container.

Bulk account operations

Get-ADUser -Filter {Enabled -eq $true} | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)} | Disable-ADAccount is the standard pattern for stale account cleanup. Always pipe to a report first, review the list, then run the disable pass with confirmation or a -WhatIf sweep.

PowerShell remoting (WinRM)

Enable-PSRemoting on target machines. Use Enter-PSSession for interactive remote sessions and Invoke-Command -ComputerName for scriptblock execution across one or many machines. Use -Credential with a service account — never pass plain-text credentials. For cross-domain or workgroup machines, configure TrustedHosts and use HTTPS transport.

CIM sessions for WMI queries

New-CimSession creates a persistent connection to a remote machine for WMI/CIM queries. Use Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem instead of deprecated Get-WmiObject. CIM sessions use WinRM by default (DCOM with -SessionOption as fallback for older machines).

Group Policy reporting from PowerShell

Get-GPResultantSetOfPolicy -ReportType HTML generates an RSoP report for a user/computer combination without requiring a logon. Get-GPO -All | Get-GPOReport -ReportType XML exports all GPO settings for offline analysis or version-controlled backup. Combine with Backup-GPO for disaster recovery.

Device inventory and compliance export

Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" | Select-Object DeviceName,ComplianceState,OsVersion,LastSyncDateTime | Export-Csv gives you the core fleet inventory. Add UserPrincipalName via the primaryUsers relationship for a per-user view. See Export-IntuneDeviceReport in the script library.

Stale device cleanup workflow

Get-StaleDevices cross-references Intune, Entra ID, and on-premises AD for devices that have not checked in within a configurable threshold. The script outputs a CSV with recommended actions (retire, delete, hybrid-join reconcile) rather than acting directly — review before any destructive step.

Proactive Remediation script pairs

Detection scripts return exit code 0 (compliant) or 1 (non-compliant). Remediation scripts run when detection returns 1. Use $env:COMPUTERNAME and $env:USERNAME for context. Write output to stdout — it appears in the Intune portal under device proactive remediation status. Keep each script under 200KB and avoid downloading additional files from within a remediation script.

App installation state queries

GET /deviceAppManagement/managedDevices/{id}/deviceAppStates returns per-app install state for a device. Run across your fleet to identify devices where a required app is in Pending or Failed state — the portal surfaces this per device but not as a fleet-wide exportable report.

Targeting with Entra ID dynamic groups

Dynamic group membership rules use deviceOSVersion, deviceModel, displayName, and enrollmentProfileName attributes — all settable via PowerShell. Use Get-MgGroup -Filter "displayName eq 'Ring0-Pilot'" | Get-MgGroupMember to verify group membership before using the group as an Intune assignment target.

Graph API vs. Intune module methods

The Microsoft.Graph module wraps Graph REST endpoints. For fine-grained control — custom $select/$expand/$filter, beta API endpoints, or operations the module does not yet expose — use Invoke-MgGraphRequest -Method GET -Uri "/v1.0/deviceManagement/managedDevices?$select=id,deviceName,complianceState&$filter=complianceState eq 'noncompliant'".

Windows Update Agent (COM API)

The Microsoft.Update.Session COM object exposes the local Windows Update client without requiring admin rights for read operations. $Searcher.Search("IsInstalled=0 and IsHidden=0") returns all missing updates with Title, KBID, and MsrcSeverity properties. Use in Get-PatchComplianceReport for per-device missing update lists.

WSUS database queries

WSUS stores update and client data in a SQL Server (or WID) database. Invoke-Sqlcmd against the SUSDB lets you build custom reports beyond what the WSUS console exposes — e.g., all computers that have not reported in 30 days, or all updates approved but not installed across the fleet. Requires db_datareader on SUSDB.

WUfB Reports via Log Analytics

Windows Update for Business Reports populates UCClient, UCDeviceAlert, and UCUpdateAlert tables in a Log Analytics workspace. Query via Invoke-AzOperationalInsightsQuery (Az.OperationalInsights module) or the REST API. Useful for fleet-wide deferral compliance across Intune-managed and hybrid-joined devices.

Graph-based update compliance

GET /deviceManagement/managedDevices?$select=deviceName,osVersion,complianceState,lastSyncDateTime returns OS version and compliance state per Intune device. Cross-reference osVersion against the minimum OS version in your compliance policy to identify devices on end-of-support or non-compliant builds.

Exporting to HTML dashboards

ConvertTo-Html with -PreContent and -PostContent generates styled HTML reports from PowerShell output. Embed CSS inline for portability. Schedule via Task Scheduler or Azure Automation to drop a dated report file to a network share or SharePoint document library each week.

Scheduled email delivery

Send-MgUserMail (Graph API) or Send-MailMessage (SMTP, deprecated in PS7) delivers reports to a distribution list on a schedule. Prefer Graph API for M365 tenants — it uses OAuth and does not require SMTP AUTH, which is increasingly blocked. Attach the CSV as a base64-encoded blob in the message body.

Try / Catch / Finally structure

Wrap every operation that can fail in a try block. Set $ErrorActionPreference = "Stop" at the top of the script to ensure non-terminating errors (e.g., cmdlet warnings) are promoted to terminating exceptions that Catch can intercept. In the Catch block, log $_.Exception.Message with context — not just "an error occurred."

Start-Transcript for unattended scripts

Call Start-Transcript -Path "$LogPath\$(Get-Date -Format yyyyMMdd-HHmmss)-scriptname.log" -Append at the start of every scheduled script. Stop-Transcript in the Finally block ensures the log closes even if the script exits unexpectedly. Transcripts capture all output — useful for debugging after the fact without needing to reproduce the run.

Write-EventLog for Windows event integration

New-EventLog -LogName Application -Source "AdminSignal-Scripts" once (at setup time), then Write-EventLog -LogName Application -Source "AdminSignal-Scripts" -EventId 1000 -EntryType Error -Message $errorDetail writes structured events that IT monitoring and SIEM tools can alert on — without requiring file share access to the transcript.

$ErrorActionPreference and -ErrorAction

Set $ErrorActionPreference = "Stop" globally to catch all errors. Override per-cmdlet with -ErrorAction SilentlyContinue when you intentionally want to ignore a specific failure (e.g., Test-Path returning false). Never set SilentlyContinue globally — it masks real failures. Use -ErrorVariable to capture errors without stopping execution for non-critical steps.

Structured output over Write-Host

Write-Host writes to the host and cannot be captured or redirected. Use Write-Output for data, Write-Verbose for diagnostic detail (shown with -Verbose), Write-Warning for non-fatal issues, and Write-Error for failures. Scripts that return structured objects (not formatted strings) can be piped and composed by callers.

Exit codes for scheduled tasks and pipelines

Task Scheduler and CI/CD pipelines read the script exit code to determine success or failure. Use Exit 0 for success and Exit 1 (or a non-zero code) in your Catch block for failures — this triggers task scheduler failure notification or pipeline step failure. PowerShell scripts invoked via powershell.exe return $LASTEXITCODE to the caller; pwsh.exe (PS7) does the same.