The PowerShell Execution Policy is a security feature on Windows devices that controls script execution. It helps prevent malicious scripts from loading and executing on your device.
The execution policy for your local device and current user is stored in the registry. For a specific PowerShell session, it is stored in memory and is lost when the session is closed.
The default execution policy for Windows client computers is Restricted, which is the most secure setting. In this mode, a user can run individual commands but cannot execute any PowerShell scripts (.ps1, .psm1, .ps1xml files). On non-Windows computers, the PowerShell execution policy cannot be changed, and it is set to Unrestricted.
You can easily configure the PowerShell execution policy on your local computer manually by using the Set-ExecutionPolicy cmdlet and setting it to a value that allows the execution of scripts. There are different modes it can be set to, as follows:
- AllSigned
- Bypass
- Default
- RemoteSigned
- Restricted
- Undefined
- Unrestricted
To learn more about each mode of execution policy, please refer to the Microsoft documentation: PowerShell execution policies.
Please note that not all execution policy modes can be configured via Intune. When you use Intune to configure the PowerShell execution policy, you can set it to any of the following modes:
- Allow only signed scripts: This is equivalent to the AllSigned mode, in which only scripts signed by a trusted publisher are permitted to run.
- Allow local scripts and remote-signed scripts: This setting allows any locally created script to be run. However, scripts originating from the internet must be signed by a trusted publisher to run. This configuration is equivalent to the RemoteSigned mode.
- Allow all scripts: This setting will allow all scripts to be run. This is equivalent to Unrestricted mode.
In recent blog posts, we discussed How to deploy a Powershell script using Intune and Retrieve Powershell scripts deployed via Intune. This blog post will demonstrate how to set up the PowerShell execution policy via Intune and Group Policies. Let’s explore further.
Steps to Configure Powershell Execution Policy using Intune
Using the following steps, you can configure the PowerShell Execution policy on all Intune-managed Windows 10 and Windows 11 devices. For demonstration purposes, we will set the Execution Policy mode to Allow all scripts, which is equivalent to the Unrestricted mode.
Please note that the Unrestricted mode of the execution policy is not recommended, as it allows the execution of any PowerShell script, whether signed by a trusted publisher or not. The best and most secure option is to set it to Allow only signed scripts (AllSigned mode).
- Sign in to the Intune admin center.
- Go to Devices > Configuration.
- Click on + Create > New Policy.
- Select Platform as Windows 10 and later
- Profile type as Settings Catalog
- Click on the Create button.
Basics Tab
Enter the Name and Description of the profile. For example:
- Name: Enter a name that identifies the policy in the Intune admin center. For example: Set Powershell Execution Policy.
- Description: Describe the policy. For example: This policy will set an Unrestricted execution policy for all target Windows devices.
Click on Next to proceed.
Configuration Settings
- Click on + Add settings.
- In the Settings picker, search for execution policy.
- Click on Administrative Templates\Windows Components\Windows Powershell category.
- Check the box for Execution Policy (Device) and exit the settings picker.
This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The Allow only signed scripts policy setting allows scripts to execute only if they are signed by a trusted publisher.
The Allow local scripts and remote signed scripts policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher. The Allow all scripts policy setting allows all scripts to run.
If you disable this policy setting, no scripts are allowed to run. Note: This policy setting exists under both Computer Configuration and User Configuration in the Local Group Policy Editor. The Computer Configuration has precedence over User Configuration. If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is No scripts allowed.
About the Turn on Script Execution policy setting.
- Execution Policy (Device) – Allow all scripts.
- Turn on Script Execution – Enabled.
Scope tags
Click on Next.
Assignments tab
Click Add groups and select an Entra security group containing Windows devices.
Review + create
Review the policy summary on the Review + Create tab and click Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitoring Powershell Execution Policy Configuration Change via Intune
To monitor the deployment progress of a Device configuration profile, follow the below steps:
- Sign in to the Intune admin center.
- Click on Devices and then click on Configuration.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
End-user Experience
After the target Windows devices have synchronized the PowerShell execution policy setting via Intune, you can check and confirm the PowerShell execution policy using the steps below:
- Log in to one of the target Windows 10/11 devices.
- Click on Start, search for PowerShell, and launch the PowerShell console.
- Type the command Get-ExecutionPolicy and press Enter. It will show Unrestricted, as we have configured it to Allow all scripts via the device configuration profile.
Powershell Execution Policy Registry Location
The PowerShell execution policy configuration mode is stored in the Windows registry. To check and confirm it, follow the steps below:
- Press the Windows + R keys to open the Run dialog box.
- Type regedit and press Enter to open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell and check the ExecutionPolicy entry on the right-hand side. It will confirm the PowerShell execution policy configured on your device.
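A scripted version of the console and registry checks above, as an added example that is not part of the original post: it lists the execution policy at every scope, shows which scope supplies the effective value, and reads the registry values behind the two machine-level scopes. The second registry path (under SOFTWARE\Policies) is not mentioned in the post; it is where the Turn on Script Execution Group Policy setting is stored.

```powershell
# Added example: report the execution policy at every scope and show where
# the effective value comes from. Run in PowerShell on the target device.

# Get-ExecutionPolicy -List returns the scopes in precedence order (highest first):
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table Scope, ExecutionPolicy -AutoSize | Out-Host

# The first scope that is not Undefined determines the effective policy.
$winner    = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1
$effective = Get-ExecutionPolicy
if ($winner) {
    Write-Host "Effective policy: $effective (set at scope $($winner.Scope))"
} else {
    Write-Host "Effective policy: $effective (no scope defined, platform default applies)"
}

# Registry values behind the two machine-level scopes.
$locations = [ordered]@{
    # Preference key from the article: written by Set-ExecutionPolicy -Scope LocalMachine
    LocalMachine  = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    # Policy key: written by the "Turn on Script Execution" Group Policy setting
    MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
}
$report = foreach ($name in $locations.Keys) {
    # A missing key returns $null, so the properties below fall back to placeholders.
    $key = Get-ItemProperty -Path $locations[$name] -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope           = $name
        ExecutionPolicy = if ($key.ExecutionPolicy) { $key.ExecutionPolicy } else { '(not set)' }
        EnableScripts   = if ($null -ne $key.EnableScripts) { $key.EnableScripts } else { '(n/a)' }
    }
}
$report | Format-Table -AutoSize | Out-Host

# Flag modes that let unsigned scripts from any source run.
if ($effective -in 'Unrestricted', 'Bypass') {
    Write-Warning 'Unsigned scripts from any source can run; the article recommends AllSigned.'
}
```

When a policy-delivered setting is active, the MachinePolicy row carries the effective value and the LocalMachine preference key may still hold an older or different value.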
Set Powershell Execution Policy using Group Policy (GPO)
On Active Directory joined devices, you can configure the PowerShell Execution policy by creating a Group Policy Object from a domain controller. You can log in to a domain controller, another member server, or a client PC where you have installed the Group Policy Management Console and follow the steps below:
- Press the Windows key + R to open the Run dialog box.
- Type gpmc.msc and press Enter to open the Group Policy Management Console.
- Navigate to Group Policy Objects, right-click on it, and select New.
- Provide a name for the GPO, for example: Set Powershell Execution Policy.
- Right-click on the newly created Group policy and select Edit.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and on the right-hand side, locate the policy Turn on Script Execution.
- Double-click on it and set the policy to Enabled. Use the drop-down menu to select the Execution Policy according to your requirements. For example, if you go with Allow all scripts, it will set the PowerShell execution policy mode to Unrestricted. Click on OK to save the changes.
- After creating the GPO, don’t forget to link it to an Organizational Unit (OU) containing Active Directory joined computers. This ensures that the Group Policy Object is applied to the intended computers.
Update Group Policies on Windows Computers
The default Group Policy background refresh interval for Windows client computers, such as those running Windows 10/11, is set to 90 minutes, with a randomized offset time of up to 30 minutes.
If necessary, you can force a Group Policy update to expedite the update process manually on a device or remotely. Alternatively, to apply the Group Policy on all target devices earlier without manual intervention, you can modify the default refresh interval for all computers using a group policy setting called Set Group Policy refresh interval for computers.