Set the PowerShell Execution Policy using an Intune Configuration Profile
Updated: Feb 2
SUMMARY:
Using Intune, you can set the PowerShell execution policy on your enrolled Windows devices. Having this ability is crucial not only for security purposes but also in enabling you to deploy PowerShell scripts via Intune. Remember, the default policy on Windows client devices is Restricted, meaning no scripts can be executed.
Using the steps below, you can set the PowerShell execution policy to one of the following options:
Allow only signed scripts (AllSigned)
Allow local and remote signed scripts (RemoteSigned)
Allow all scripts (Unrestricted)
Click here to learn more about PowerShell's execution policies.
Steps to Create the Configuration Profile
[Image: Creating a configuration profile and selecting from the Settings Catalog using Intune.]
Launch the Intune portal.
Select Devices in the left-hand menu blade.
Select Windows > Configuration Profiles.
Select + Create > + New Policy.
Platform: Windows 10 and later
Profile type: Settings Catalog
Select Create.
[Image: Using an Intune configuration profile to turn on script execution.]
Select +Add settings.
Click into the search bar, type script execution, and hit enter.
Select Administrative Templates\Windows Components\Windows PowerShell.
In the results section, select Turn on Script Execution.
Close the Settings picker by clicking the X in the top right corner.
[Image: Configuring the script execution policy configuration profile in Intune.]
Select the toggle next to Turn on Script Execution to enable it.
Select the drop-down arrow next to Execution Policy (Device) to select the desired policy.
Select Next and finalize the deployment.
TIP:
I recommend selecting Allow only signed scripts, which is equivalent to the AllSigned PowerShell execution policy. This policy will protect devices from untrusted script publishers while enabling you to deploy your signed, trusted scripts. Please review the articles linked below to learn how to sign your PowerShell scripts and how to use Intune to deploy your public certificate to devices' Trusted Publisher certificate store:
- How to sign a PowerShell Script
- How to Add a Certificate to the Trusted Publisher Store Using Intune
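To confirm on an enrolled device that the profile from the steps above has applied, and that the scripts you plan to deploy will pass under AllSigned, you can run a check like the following. This is an added example, not part of the original article; the `$Expected` default and the `C:\Scripts` folder are hypothetical, and it assumes the device-scoped setting surfaces at the `MachinePolicy` scope.

```powershell
# Added example: verify the Intune-delivered execution policy on a device.
# $Expected and $ScriptPath are assumptions; adjust them to your deployment.
param(
    [ValidateSet('AllSigned', 'RemoteSigned', 'Unrestricted')]
    [string]$Expected = 'AllSigned',
    [string]$ScriptPath = 'C:\Scripts'   # hypothetical folder of scripts to deploy
)

# One entry per scope, highest precedence first (MachinePolicy wins over all others).
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table Scope, ExecutionPolicy -AutoSize

# Assumption: the "Execution Policy (Device)" setting appears at MachinePolicy scope.
$machinePolicy = ($scopes | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
$effective     = Get-ExecutionPolicy

if ($machinePolicy -eq 'Undefined') {
    Write-Warning "Nothing set at MachinePolicy scope (effective policy: $effective). Sync the device and re-check."
}
elseif ($machinePolicy -ne $Expected) {
    Write-Warning "MachinePolicy is $machinePolicy, expected $Expected."
}
else {
    Write-Output "MachinePolicy is $machinePolicy, as expected."
}

# Under AllSigned every script needs a signature. 'Valid' means the signature
# verifies; the signing certificate must still be in the Trusted Publisher store
# for the script to run without a prompt.
if ($Expected -eq 'AllSigned' -and (Test-Path -Path $ScriptPath)) {
    Get-ChildItem -Path $ScriptPath -Filter *.ps1 -Recurse |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Select-Object @{ Name = 'Script'; Expression = { $_.Path } },
                      Status,
                      @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } } |
        Format-Table -AutoSize
}
```

Any script reported as `NotSigned` or `HashMismatch` will be blocked once AllSigned is enforced, so resolve those before assigning the profile broadly.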
Cover Picture provided by Storyset.