Set PowerShell Execution Policy using Intune and GPO

Understand the PowerShell Execution Policy and how to configure it using Intune and Group Policy. Our detailed tutorial will help you manage and deploy PowerShell scripts safely.


In this article, we’ll demonstrate how to set PowerShell execution policy using Intune and Group Policy. Execution policies determine the conditions under which PowerShell loads script files for execution.


On Windows devices, Microsoft configures PowerShell to execute in the most secure mode by default, which is the Restricted execution policy. There are four policies: Restricted, AllSigned, RemoteSigned, and Unrestricted.


On a Windows computer, you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use Microsoft Intune or a group policy setting to set execution policies for computers and users.


In our previous tutorial, we explained how to upload and deploy PowerShell scripts using Intune. To effectively execute the PS scripts, the PowerShell execution policy must be configured. There is no execution policy requirement to retrieve Intune PowerShell scripts.


In enterprises, setting a remote execution policy in PowerShell for multiple Windows devices and users can be achieved via a GPO or Intune policy. You can employ these methods to harden PowerShell security and allow or restrict running scripts. This article discusses both methods.


What is the PowerShell Execution Policy?

The execution policies define the conditions under which PowerShell loads files for execution. According to Microsoft, PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.


List of PowerShell execution policies

The table below lists all the execution policies and their descriptions. These execution policies are available on all Windows devices and are defined by Microsoft.


AllSigned

Requires that all scripts and configuration files, including those you write on your local computer, be signed by a trusted publisher. It prompts you before running scripts from publishers that you have not yet classified as trusted or untrusted.


Bypass

No scripts are blocked from execution, and there are no warnings or prompts.


Default

Sets the default execution policy. On Windows clients, the default PS execution policy is ‘Restricted’, and on Windows servers, it’s ‘RemoteSigned’.

RemoteSigned


Under the RemoteSigned policy, scripts and configuration files downloaded from the internet, including through email and instant messaging applications, must carry a digital signature from a trusted publisher before they can run.


Restricted

Permits individual commands but does not allow scripts.


Undefined

There is no execution policy set in the current scope. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.


Unrestricted

This is the default execution policy for non-Windows computers, where it cannot be changed. Unsigned scripts can run. There is a risk of running malicious scripts.
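Before moving a device from Unrestricted to RemoteSigned or AllSigned, it helps to know which existing scripts would stop running. The function below is an added example, not part of the original article; it goes slightly beyond the descriptions above by reading each file's signature status and its Zone.Identifier stream (the marker Windows attaches to downloaded files). The function name and the C:\Scripts path are hypothetical.

```powershell
# Added example (not from the original article): audit scripts before tightening the policy.
function Get-ScriptPolicyReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # folder to scan; C:\Scripts below is a placeholder
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.ps1xml | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # Downloaded files carry a Zone.Identifier alternate data stream (Mark of the Web).
        $ads  = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
        $zone = if ($ads -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }

        # Simplification: ZoneId 3 (Internet) or 4 (Restricted sites) counts as "downloaded";
        # scripts on UNC paths are not evaluated here.
        $downloaded = ($null -ne $zone) -and ($zone -ge 3)
        $validSig   = $sig.Status -eq 'Valid'

        [pscustomobject]@{
            Script                = $file.FullName
            SignatureStatus       = $sig.Status
            Signer                = $sig.SignerCertificate.Subject
            ZoneId                = $zone
            # AllSigned still prompts if the signer is not yet a trusted publisher.
            RunsUnderAllSigned    = $validSig
            RunsUnderRemoteSigned = $validSig -or -not $downloaded
        }
    }
}

# List the scripts that RemoteSigned would block.
Get-ScriptPolicyReadiness -Path 'C:\Scripts' |
    Where-Object { -not $_.RunsUnderRemoteSigned } |
    Format-Table Script, SignatureStatus, ZoneId -AutoSize
```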


Script Execution policy scopes

You can set a script execution policy that is effective only in a particular scope. Following is the list of execution policy scopes available as per Microsoft:


MachinePolicy: Set by a group policy for all users of the computer.

UserPolicy: Set by a group policy for the current user of the computer.

Process: The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.


CurrentUser: The execution policy affects only the current user. It’s stored in the HKEY_CURRENT_USER registry subkey.

LocalMachine: The default scope used when setting an execution policy.


How can I check the PowerShell execution policy?

To get the effective execution policy for the current PowerShell session, use the Get-ExecutionPolicy cmdlet. Run the following command in PowerShell to get the effective script execution policy:

Get-ExecutionPolicy

To get all the execution policies that affect the current session and display them in precedence order:


Get-ExecutionPolicy -List

The output of the above command is posted below.
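Because the list is in precedence order, the first scope that is not Undefined decides the effective policy, and anything set in a lower scope is ignored. The function below is an added example, not part of the original article, that reports the deciding scope, whether it comes from Group Policy or Intune, and which lower-scope settings are being overridden. The function name and the sample data are constructed for illustration.

```powershell
# Added example (not from the original article): find the scope that decides the effective policy.
function Get-EffectivePolicySource {
    [CmdletBinding()]
    param(
        # Live data by default; pass constructed objects (Scope, ExecutionPolicy) to try it offline.
        [object[]]$PolicyList = (Get-ExecutionPolicy -List)
    )
    # -List returns the scopes in precedence order, highest first:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $defined = @($PolicyList | Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' })

    if ($defined.Count -eq 0) {
        # Every scope is Undefined: the effective policy is Restricted on Windows
        # clients and RemoteSigned on Windows Server.
        return [pscustomobject]@{
            Scope = 'None'; Policy = 'Undefined'; ManagedByPolicy = $false; Ignored = @()
        }
    }

    $winner = $defined[0]
    [pscustomobject]@{
        Scope           = "$($winner.Scope)"
        Policy          = "$($winner.ExecutionPolicy)"
        # MachinePolicy and UserPolicy are the scopes written by Group Policy or Intune.
        ManagedByPolicy = "$($winner.Scope)" -in @('MachinePolicy', 'UserPolicy')
        # Lower-precedence settings that have no effect while the winner is in place.
        Ignored         = @($defined | Select-Object -Skip 1 |
                            ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
    }
}

# Constructed sample: a managed AllSigned policy with looser local settings underneath.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Unrestricted' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Get-EffectivePolicySource -PolicyList $sample   # Scope=MachinePolicy, Policy=AllSigned

# On a real device, call it without arguments to read the live scopes.
Get-EffectivePolicySource
```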


How to Change the PowerShell execution policy

When a user attempts to run a script, the following error may appear: “cannot be loaded because running scripts is disabled on this system.” If you’re getting this error, it’s because you need to change the execution policy and allow running the scripts.


You can manually change the PowerShell execution policy by running the below command.



Set-ExecutionPolicy -ExecutionPolicy <PolicyName>

Enter the command below to set the PowerShell execution policy to Bypass:


Set-ExecutionPolicy -ExecutionPolicy ByPass

Enter the command below to set the PowerShell execution policy to Unrestricted:


Set-ExecutionPolicy -ExecutionPolicy Unrestricted

The PS command below sets the execution policy to RemoteSigned:


Set-ExecutionPolicy -ExecutionPolicy RemoteSigned


Configure PowerShell Execution policy with Intune

Perform the following steps to create an Intune policy to configure the PowerShell execution policy on Windows devices and users:



Sign in to the Microsoft Intune admin center.

Select Devices > Windows > Configuration Profiles.

Click on Create > New Policy to set up a new policy.


Make the following selections on the Create a Profile pane:


Platform: Windows 10 and later

Profile type: Settings Catalog

Select Create.


In the Basics tab, enter the following properties:


Name: Enter a descriptive name for the profile, which you or other IT admins can easily identify later. For example, a good profile name is “Configure PowerShell Execution Policy.”

Description: Enter a brief description of the profile. This setting is optional but recommended. The following description is entered in the screenshot below: “Use Intune to configure the PowerShell execution policy.”

Click Next.


In the Configuration Settings section, under Settings Catalog, click Add Settings. In the Settings picker window, type “Execution Policy” in the search box and click Search.


In the search results, you’ll find two settings:


Execution Policy (Device): Select the setting to configure the execution policy for Windows devices.

Execution Policy (User): Select the setting to configure the execution policy for Windows users.

In the below example, we have selected the setting, Execution Policy (Device), that will allow you to configure the PS script executions on Windows devices.


Close the Settings Picker window.


Turn on Script Execution (User): This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.


First, enable Turn on Script Execution (User). Click the drop-down next to Execution Policy (Device) and select Allow all scripts. This will allow the execution of all the scripts on the device. Click Next.


On the Scope Tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.


In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.


Finally, on the Review+Create tab, take a look at all the settings you’ve configured for the PowerShell script execution with Intune. Click Create.


After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.


To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune, and most importantly, they must be online. The devices synchronize with Intune regularly to obtain the most recent policies. To speed up the policy assignments, you can force a sync of Intune policies on your Windows computers, using any of several methods, to download the latest policies from Microsoft Intune.


Monitor Execution Policy in Intune

While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the PowerShell script execution policy settings in Intune.


In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you can see the total number of devices and users that successfully received the policy settings.


To view the device names that have successfully received the policy settings, click on View Report.


In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
