Intune for Linux: Root-context scripts never execute

[dtjn]

We’ve observed that shell scripts assigned to Linux devices via Intune and configured to run in root context do not execute, even though:

The script is correctly assigned to a group
The script is marked to run as root
The device is properly enrolled and syncing

However, in practice:

The script never runs
No logs are generated
No changes are applied
Intune portal indicates failure without any comments, or on the device nothing happens, even if the script only contains one line to write a simple log file for testing purposes. Only user-context scripts appear to execute reliably.

This behavior has been confirmed across multiple devices running Ubuntu 24.04 with the latest Intune agent (1.2508.17).

Expected Behavior
Scripts assigned to device groups and configured to run as root should.

Is root-context script execution for Linux devices officially supported, you mention e.g. using this for the example script to deploy chrome: https://github.com/microsoft/shell-intune-samples/tree/master/Linux/Apps/Google%20Chrome. I tried to deploy this without any changes according to readme, but this shows the same behaviour.

Environment

OS: Ubuntu 24.04
Intune Agent: 1.2508.17
Device is enrolled and compliant

[slinrain]

As I know for run script from sudo:
user need login to intune-portal and intune portal ask user password (over polkit) and only then script will run.

According documentation (step 5)
"Root: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule."

If user not agreed: You can't run scripts as root.

[dtjn]

Hi @slinrain,

"Root: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule."

thanks for your reply. I also read that documentation and wondered about that specific part.

I am trying to replicate this on a test-client and never got any form of consent notification/prompt or something.

Do you know how this consent dialogue would look like/where it should appear?

If a user denied the consent/or never received a request to consent int the first place is there any way to re-trigger that?

[slinrain]

Hi @slinrain,

"Root: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule."

thanks for your reply. I also read that documentation and wondered about that specific part.

I am trying to replicate this on a test-client and never got any form of consent notification/prompt or something.

Do you know how this consent dialogue would look like/where it should appear?

If a user denied the consent/or never received a request to consent int the first place is there any way to re-trigger that?

Add group where present test user/host (I tested with user, I think with hostname should work the same)

run intune-portal on test host, wait a few minutes (in my case I need wait ~5 min) and click refresh

After that you will see the message for enter user password for root access

And check result

[slinrain]

Also after enter password you can invoke refresh using intune-agent just run in terminal from user (if run before it can't show window for enter password and show you some errors in log):
/opt/microsoft/intune/bin/intune-agent
It make refresh with some logs in output and you can investigate it. It is not very informative, but has some info.

[dtjn]

@slinrain thanks for your efforts, I tried to replicate this with your exact script/setup on a freshly installed test client but I never seem to get the polkit popup to provide the password.

I also rolled out a root context script to the whole org just for testing purposes and on some clients it executes.. so guess some users got the polkit request.

Not sure how to force this / make sure this always works as expected though.

Just a general question, do you have to provide the password for each script execution, once per script, or once total and all future root context scripts will not require it?

[slinrain]

Just a general question, do you have to provide the password for each script execution, once per script, or once total and all future root context scripts will not require it?

I don't know. I just tested this functionality, and it is not a solution for me.

Not sure how to force this / make sure this always works as expected though.
You can't force this from admin portal side.

From client side: Just run intune-portal from terminal (/opt/microsoft/intune/bin/intune-portal) and when you click refresh you will see in Terminal in log in realtime is a script was executed .

linux_customconfig_script - it's script what run from root in this case

linux_customcompliance_discoveryscript - script for custom compliance policy if you use it

[dtjn]

Yea sadly its just
2025-12-12 10:23:36 WARN checkin{activity_id="xxxx"}:run_internal{account_id="xxxx" device_id="xxxx"}: Failed to execute custom configuration script error=Remote script execution failed

for me for all root context scripts without triggering polkit.

[slinrain]

Try to run this script localy on test device. I think it should not has non-zero exitcode.
My simple test script also with the same error?
Let me know if you will find the root cause. Interesting :)

[dtjn]

Yes I was testing with your exact test script. The issue seems actually to be the missing polkit confirmation request found this thread while investigating https://www.reddit.com/r/Intune/comments/14yddiq/silent_installs_linux/ . When creating the rule file in /etc/polkit-1/rules.d/ with this content /* Applying configuration from Microsoft Intune Portal */ polkit.addRule(function(action, subject) { if (action.id == "com.microsoft.intune.actions.ConfigureDevice" && subject.isInGroup("users")) { return polkit.Result.YES; } }); The root scripts start to work immediately because this essentially gets rid of the need for the user confirmation... still unclear why I am not getting the confirmation request on my test client in the first place though.

[slinrain]

Do you have polkit action?

/usr/share/polkit-1/actions/com.microsoft.intune.policy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>Microsoft</vendor>
  <vendor_url>https://microsoft.com</vendor_url>
  <icon_name>intune</icon_name>

  <action id="com.microsoft.intune.actions.ConfigureDevice">
    <description gettext-domain="intune">Configuring your device</description>
    <message gettext-domain="intune">Authorization is required to apply configuration required by your organization.</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>

It should be by default after installing intune-portal

[dtjn]

Yes that file is present and looks exactly like this.