Set Powershell Execution Policy using Intune and GPO

The PowerShell Execution Policy is a security feature on Windows devices that controls the execution of scripts. It helps prevent the loading and execution of any malicious scripts on your device.

The execution policy for your local device and current user is stored in the registry. For a specific session of PowerShell, it is stored in memory and is lost when the PowerShell session is closed.

The default execution policy for Windows client computers is set to Restricted, which is the most secure setting. In this mode, a user can run individual commands but cannot execute any PowerShell scripts (.ps1, .psm1, .ps1xml files). On non-windows computers, the PowerShell execution policy cannot be changed, and it’s set to Unrestricted.

You can easily configure the PowerShell execution policy on your local computer manually by using the Set-ExecutionPolicy cmdlet and setting it to a value that allows the execution of scripts. There are different modes it can be set to, as follows:

  • AllSigned
  • Bypass
  • Default
  • RemoteSigned
  • Restricted
  • Undefined
  • Unrestricted

To know more about each mode Execution policy, please refer to the Microsoft documentation: PowerShell execution policies.

Please note that not all modes of execution policy are available to be configured via Intune. When you use Intune to configure Powershell execution policy, you can set it to any of the below modes:

  • Allow only signed scripts:
    • This is equivalent to the AllSigned mode, in which only scripts signed by a trusted publisher are permitted to run.
  • Allow local scripts and remote-signed scripts:
    • This setting allows any locally created script to be run. However, scripts originating from the internet must be signed by a trusted publisher to run. This configuration is equivalent to the RemoteSigned mode.
  • Allow all scripts:
    • This setting will allow all scripts to be run. This is equivalent to Unrestricted mode.

In recent blog posts, we discussed “How to deploy a Powershell script using Intune” and “Retrieve Powershell scripts deployed via Intune.” This blog post will demonstrate setting PowerShell execution policy via Intune and Group Policies. Let’s explore further.

Steps to Configure Powershell Execution Policy using Intune

Using the following steps, you can configure the PowerShell Execution policy on all Intune-managed Windows 10 and Windows 11 devices. For demonstration purposes, we will set the Execution Policy mode to “Allow all scripts,” which is equivalent to the “Unrestricted” mode.

Please note that the “Unrestricted” mode of the execution policy is not recommended, as it allows the execution of any PowerShell script, whether it’s signed by a trusted publisher or not. The best and most secure option is to set it to “Allow only signed scripts” (AllSigned mode).

Steps to Configure Powershell Execution Policy using Intune
Steps to Configure Powershell Execution Policy using Intune
  • Select Platform as Windows 10 and later
  • Profile type as Settings Catalog
  • Click on the Create button.
Steps to Configure Powershell Execution Policy using Intune
Steps to Configure Powershell Execution Policy using Intune

Basics Tab

Enter the Name and Description of the profile. For Example:

  • Name: Enter the name of the policy to Identify it on the Intune admin center. For Example: Set Powershell Execution Policy.
  • Description: Describe the policy. For Example, This policy will set an “Unrestricted” execution policy on all target Windows devices.

Click on Next to proceed.

Configuration Settings

  • Click on “+ Add settings.”
  • In the Settings picker, search for “execution policy“.
  • Click on Administrative Templates\Windows Components\Windows Powershell category.
  • Check the box for “Execution Policy (Device)” and exit the settings picker.

This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The “Allow only signed scripts” policy setting allows scripts to execute only if they are signed by a trusted publisher.

The “Allow local scripts and remote signed scripts” policy setting allows any local scrips to run; scripts that originate from the Internet must be signed by a trusted publisher. The “Allow all scripts” policy setting allows all scripts to run.

If you disable this policy setting, no scripts are allowed to run. Note: This policy setting exists under both “Computer Configuration” and “User Configuration” in the Local Group Policy Editor. The “Computer Configuration” has precedence over “User Configuration.” If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is “No scripts allowed.”

About the “Turn on Script Execution” policy setting.
Steps to Configure Powershell Execution Policy using Intune: Configuration settings tab
Steps to Configure Powershell Execution Policy using Intune: Configuration settings tab
Steps to Configure Powershell Execution Policy using Intune: Configuration settings tab
Steps to Configure Powershell Execution Policy using Intune: Configuration settings tab

Scope tags

Click on Next.

Assignments tab

Click Add groups and select an Entra security group containing Windows devices.

Steps to Configure Powershell Execution Policy using Intune: Assignments tab
Steps to Configure Powershell Execution Policy using Intune: Assignments tab

Review + create

Review the policy summary on the Review + Create tab and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

Monitoring Powershell Execution Policy Configuration Change via Intune

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Microsoft Intune admin center.
  • Click on “Devices” and then click on “Configuration“.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information.

End-user Experience

After the target Windows devices have synchronized the Powershell Execution policy setting via Intune. You can check and confirm the PowerShell execution policy using the below steps:

  • Login on one of the target Windows 10/11 devices.
  • Click on Start, search for Powershell, and launch the Powershell console.
  • Type the command: Get-executionpolicy Press Enter. It will show as Unrestricted as we have configured it to “Allow all Scripts” via the device configuration profile.

Powershell Execution Policy Registry Location

The PowerShell execution policy configuration mode is stored in the Windows registry. To check and confirm it, follow the steps below:

  • Press the Windows + R key to open the Run dialog box.
  • Type regedit and press Enter to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell and check the Execution policy entry on the right-hand side. It will confirm the PowerShell execution policy configured on your device.
Powershell Execution Policy Registry Location

Set Powershell Execution Policy using Group Policy (GPO)

On Active Directory joined devices, you can configure the PowerShell Execution policy by creating a Group Policy Object from a domain controller. You can log in to a domain controller, another member server, or a client PC where you have installed the Group Policy Management Console and follow the steps below:

  • Press the Windows key + R to open the Run dialog box.
  • Type gpmc.msc to open the Group policy management console.
  • Navigate to the Group Policy Objects, right-click on it, and select New.
  • Provide a Name of the GPO, For example: “Set Powershell Execution Policy“.
Set Powershell Execution Policy using Group Policy (GPO)
  • Right-click on the newly created Group policy and select Edit.
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and on the right-hand side, locate the policy “Turn on Script Execution“.
  • Double-click on it and Enable this policy. Select the Execution Policy using the drop-down as per your requirement. For Example, If you go with Allow all scripts, it will set the PowerShell execution policy mode to Unrestricted. Click on OK to save the changes.
Set Powershell Execution Policy using Group Policy (GPO)
  • After creating the GPO, don’t forget to link it to an Organizational Unit (OU) containing Active Directory joined computers. This ensures that the Group Policy Object is applied to the intended computers.

Update Group Policies on Windows Computers

The default Group Policy background refresh interval for Windows client computers, such as those running Windows 10/11, is set to 90 minutes, with a randomized offset time of up to 30 minutes.

To expedite the update process manually on a device, or remotely if necessary, you can force a Group Policy update. Alternatively, to apply the Group Policy on all target devices earlier without manual intervention, you can modify the default refresh interval for all computers using a group policy setting called Set Group Policy refresh interval for computers.

Leave a Comment