Deploy a One-Time PowerShell Script via Intune to Run Disk Cleanup and Clear Windows Update Cache

Why this recipe matters

When a user reports their Windows device is running slowly, one of the most common root causes is critically low free disk space — especially when the Windows Update cache (C:\Windows\SoftwareDistribution) and catroot2 folder have grown large, or when temp files, update leftovers, and component store bloat have accumulated over months.

Rather than asking the end user to run Disk Cleanup manually (which many won't do correctly or at all), Intune admins can deploy a one-time PowerShell script that performs the cleanup silently in the SYSTEM context and runs at the next device check-in.

When to run this recipe

• A user reports slow performance and the device shows less than ~15% free disk space
• Windows Update failures or stuck downloads suggest a corrupted update cache
• You want to reclaim space across many devices without touching each one
• You need a quick remediation action that doesn't require a reboot or visit to the user's desk

What you'll have when you finish

• A reusable Intune PowerShell script (DiskCleanup-WUCacheReset.ps1) that stops Windows Update services, clears SoftwareDistribution and catroot2, restarts the services, and invokes cleanmgr /VERYLOWDISK
• A targeted assignment scoped to a single device (via a temporary security group) so only the intended machine runs the cleanup
• A triggered device sync so the script executes at the next check-in rather than waiting for the 1-hour Intune script polling cycle
• A clear audit trail in the Intune portal showing the script, its assignment, and per-device run results

Warnings and gotchas

• Intune scripts run only once per device per assignment. If the script fails, you must re-create it (or change the script ID) to re-run it — cleanmgr signals completion even if nothing was actually cleaned.
• cleanmgr /VERYLOWDISK is non-interactive and uses the default cleanup categories. It will not run if the disk is not actually low. For more aggressive cleanup, pre-populate the StateFlags registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\* and use cleanmgr /sagerun:1 instead.
• Deleting SoftwareDistribution cancels in-progress Windows Updates. Any partially downloaded updates will be re-downloaded on the next update scan. Don't run this during a critical patch cycle.
• Permissions required are specific. Creating the script requires DeviceManagementScripts.ReadWrite.All — DeviceManagementConfiguration.ReadWrite.All is NOT sufficient, despite what the Graph docs sometimes imply.
• Script assignments target groups, not individual devices. Create a dedicated security group (or use a dynamic-membership group) and delete it after execution to keep your tenant tidy.
• Do not set enforceSignatureCheck: true unless your org signs all deployed scripts — otherwise the script will never run.
• The script runs as SYSTEM by default. Do not put user-specific paths (e.g. $env:USERPROFILE) in it — they will resolve to the SYSTEM profile.