Managing services on Windows clients is a classic task in system administration. But what if you want to control a service in Intune? Unfortunately, there's no direct setting in the Intune UI to define service startup types or start/stop services. But there’s a workaround—and that’s where custom PowerShell scripts and proactive remediations come in.

In my case, I needed to ensure that the Smart Card Removal Policy service (SCPolicySvc) was always set to Automatic and running. This is crucial for security because the service locks the PC when a smart card is removed.

Let me walk you through how I solved this problem step-by-step, using a platform script in Intune.

Why I Needed This

I was working on a smart card implementation and noticed inconsistent behavior on some endpoints. The Smart Card Removal Policy service was either set to Manual or Disabled, which made the feature unreliable.

To enforce this setting across all managed Windows devices, I wrote a PowerShell script and deployed it using Intune as a platform script.

Managing Services with PowerShell

Before jumping into Intune, it's important to understand how to work with services using PowerShell locally. This is the same method we’ll later use in our Intune script.

Finding the Service Name

To list all services and find the one you're looking for:

Get-Service | Sort-Object DisplayName | Out-GridView

Or to search for a specific keyword:

Get-Service | Where-Object { $_.DisplayName -like '*smart card*' }

This will help you identify the Service Name (not the display name), which is what PowerShell and Intune need.

Setting the Startup Type

To configure the startup type, use the Set-Service cmdlet:

Set-Service -Name "<ServiceName>" -StartupType Automatic

Valid -StartupType values are:

  • Automatic
  • Manual
  • Disabled

You can also start or stop the service with:

Start-Service -Name "<ServiceName>"
Stop-Service -Name "<ServiceName>"

This forms the basis of what we’ll do with Intune.

The PowerShell Script

Here’s the script I used. It sets the startup type to Automatic and starts the service if it’s not running:

$ScriptName = "WIN-S-D-ServiceAutostart_SmartCardRemovalPolicy"
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\$ScriptName.log" -Force

# Define service name
$ServiceName = "SCPolicySvc" # https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service

# Look up the service once; $Service is $null if it does not exist
$Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($Service) {
    try {
        Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction Stop
        Write-Output "Successfully set $ServiceName to Automatic startup."

        # Start service if not running
        if ($Service.Status -ne 'Running') {
            Start-Service -Name $ServiceName -ErrorAction Stop
            Write-Output "Successfully started $ServiceName."
        } else {
            Write-Output "$ServiceName is already running."
        }

    } catch {
        Write-Error "Error while configuring $ServiceName : $_"
    }
} else {
    Write-Warning "Service $ServiceName not found."
}

Stop-Transcript

The script performs three important tasks:

  1. Logs execution using Start-Transcript to provide a trace for troubleshooting
  2. Sets the service startup type to Automatic if it exists
  3. Starts the service if it is not already running

This ensures the target service is always in the desired state on the endpoint.

Also, you’ll notice that I always add a Microsoft Learn reference as a comment next to the service name. This makes it easy for others (or future me!) to understand what the service is for and quickly find official documentation.

Deploy the Script via Intune

To deploy this PowerShell script in Intune, follow these steps:

  • Go to Intune Admin Center > Devices > Windows > Scripts / Platform scripts
  • Click Add
  • Provide a name (e.g., Set Smart Card Service to Auto)
  • Upload your script file and make sure the script is NOT running as the current user, since services need admin/system permissions.
  • Assign it to a group
  • Done ✅ (and wait for a bit until it's applied 😉)

Monitor the Service State with Proactive Remediations

If you want to go a step further and enforce this over time, consider using Proactive Remediations:

  1. Go to Intune Admin Center > Devices > Windows > Remediation
  2. Create a new package with the two scripts from GitHub (below) and the same settings I showed you in the platform script.

You can find a package for the same service, with the same logic but ready to be used as a remediation package, on my GitHub.
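
For orientation, here is what the detection half of such a remediation package can look like. This is an added example, not the script from the GitHub package; it relies on the Remediations convention that exit code 1 from the detection script triggers the remediation script and exit code 0 reports the device as compliant. Treating a missing service as non-compliant is an assumption of this example.

```powershell
# Detection script for SCPolicySvc (added example, not the author's package).
# Exit 0 = compliant, exit 1 = non-compliant (Intune then runs the remediation script).
$ServiceName = "SCPolicySvc"

try {
    $Service = Get-Service -Name $ServiceName -ErrorAction Stop
} catch {
    # Assumption: a missing service is reported as non-compliant so it shows up
    # in the remediation report instead of silently passing.
    Write-Output "Service $ServiceName not found."
    exit 1
}

# Collect every deviation so the detection output names all of them at once.
$Issues = @()
if ($Service.StartType -ne 'Automatic') {
    $Issues += "StartType=$($Service.StartType)"
}
if ($Service.Status -ne 'Running') {
    $Issues += "Status=$($Service.Status)"
}

if ($Issues.Count -gt 0) {
    Write-Output "$ServiceName non-compliant: $($Issues -join ', ')"
    exit 1
}

Write-Output "$ServiceName compliant: Automatic and Running."
exit 0
```

The matching remediation script can reuse the platform script shown earlier, ending with `exit 0` on success and `exit 1` in the catch block.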

What You Can’t Do in Intune (Yet)

There is currently no direct Intune setting to manage Windows services like startup type or service status. That’s why using scripts is the most flexible and effective workaround.

Let’s hope Microsoft adds native support for service configuration in the future. Until then, we script.

Wrapping Up

Managing any service in Intune comes down to using PowerShell and the tools Intune gives us—like script deployment and proactive remediations. In my use case, keeping the SCPolicySvc service running ensures the Smart Card Removal Policy works as expected and keeps devices secure.

This approach can be adapted to any Windows service you want to control. Just replace the service name in the script.