Set PowerShell Execution Policy using Intune and GPO
In this article, we’ll demonstrate how to set PowerShell execution policy using Intune and Group Policy. Execution policies determine the conditions under which PowerShell loads script files for execution.
On Windows client devices, PowerShell ships with the Restricted execution policy, which runs no script files at all; Windows Server defaults to RemoteSigned. The policies you will set in practice are Restricted, AllSigned, RemoteSigned, and Unrestricted, but there are more than four: the full list, including Bypass, Default, and Undefined, is in the table below.
On a Windows computer, you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use Microsoft Intune or a group policy setting to set execution policies for computers and users.
In our previous tutorial, we explained how to upload and deploy PowerShell scripts using Intune. Scripts delivered that way are run by the Intune management extension and have no execution policy requirement; the execution policy governs scripts that users and administrators run themselves on the device, and that is what must be configured for those to work.
In enterprises, the execution policy for many Windows devices and users is set centrally through a GPO or an Intune policy. This gives you a consistent baseline and lets you allow or restrict running scripts, with the caveat (explained in the next section) that the execution policy is a guard against accidental execution, not a security boundary. This article covers both methods.
What is the PowerShell Execution Policy?
The execution policies define the conditions under which PowerShell loads files for execution. According to Microsoft, PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. It helps prevent the unintentional execution of untrusted scripts. It is not a security boundary, however: Microsoft’s own documentation states that the execution policy is not a security system that restricts user actions. A user can paste a script’s contents at the prompt, pipe them into powershell.exe, or (unless a MachinePolicy or UserPolicy is set) start powershell.exe -ExecutionPolicy Bypass. Treat it as a safety rail rather than a control; enforcement and visibility come from application control and PowerShell logging.
List of PowerShell execution policies
The table below lists all the execution policies and their descriptions. These execution policies are available on all Windows devices and are defined by Microsoft.
PowerShell Execution Policy | Description |
---|---|
AllSigned | Requires that all scripts and configuration files, including those written on the local computer, be signed by a trusted publisher. Prompts before running scripts from publishers you have not yet classified as trusted or untrusted; unsigned scripts do not run at all. |
Bypass | Nothing is blocked and there are no warnings or prompts. Intended for cases where a script is embedded in a larger application or runs under its own security model. |
Default | Sets the default execution policy: Restricted on Windows clients and RemoteSigned on Windows Server. |
RemoteSigned | Scripts and configuration files downloaded from the internet (including via email and instant-messaging clients) must be signed by a trusted publisher. Scripts written on the local computer do not need a signature. Whether a file counts as “downloaded” is decided by its Mark of the Web (the Zone.Identifier alternate data stream), which Unblock-File removes. |
Restricted | Runs individual commands but no scripts. The default on Windows clients. |
Undefined | No execution policy is set in the current scope. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server. |
Unrestricted | The default on non-Windows computers, where it cannot be changed. Unsigned scripts run; PowerShell warns before running unsigned scripts downloaded from the internet. Leaves the user exposed to running malicious scripts. |
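The table says RemoteSigned applies to scripts “downloaded from the internet”, but the thing PowerShell actually checks is the file’s Zone.Identifier stream. The following added example (not code from the original article) makes that visible: it creates an unsigned script, makes a copy marked as coming from the Internet zone, and runs both under each policy. Every run happens in a child powershell.exe with a per-process -ExecutionPolicy, so nothing persistent on the machine is changed. It assumes Windows PowerShell 5.1 on Windows; the directory and script names are placeholders. If a Group Policy or Intune MachinePolicy is in effect on the test machine, that policy overrides the command-line switch and every row will reflect it instead.

```powershell
# Added example (not from the original article): show what RemoteSigned actually keys on.
# Assumes Windows PowerShell 5.1 on Windows; the working directory and script names are
# placeholders. Each test runs in a child powershell.exe with a per-process -ExecutionPolicy,
# so the persisted LocalMachine/CurrentUser policy on this machine is never touched.

$work = Join-Path $env:TEMP 'execpolicy-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A trivial unsigned script; it prints a marker so we can tell whether it ran.
$local  = Join-Path $work 'local.ps1'
$remote = Join-Path $work 'remote.ps1'
Set-Content -Path $local -Value 'Write-Output "RAN: $PSCommandPath"'
Copy-Item -Path $local -Destination $remote

# Simulate a download. "Downloaded from the internet" means the file carries a
# Zone.Identifier alternate data stream (Mark of the Web); ZoneId=3 is the Internet zone.
Set-Content -Path $remote -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Test-ScriptRuns {
    param([string]$Policy, [string]$Path)
    # Per-invocation policy: affects only this child process, nothing is written to the registry.
    $out = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy $Policy -File $Path 2>&1 | Out-String
    [pscustomobject]@{
        Policy = $Policy
        Script = Split-Path -Path $Path -Leaf
        Ran    = ($out -match 'RAN:')
    }
}

# Unrestricted is left out of the loop on purpose: for a marked file it asks an interactive
# "Run once?" question, which a -NonInteractive child process cannot answer.
foreach ($p in 'Restricted', 'AllSigned', 'RemoteSigned', 'Bypass') {
    Test-ScriptRuns -Policy $p -Path $local
    Test-ScriptRuns -Policy $p -Path $remote
}

# Removing the stream ("unblocking") turns the copy back into a local script.
Unblock-File -Path $remote
Test-ScriptRuns -Policy RemoteSigned -Path $remote
```

The point to take from the output is that RemoteSigned blocks only the copy carrying the Zone.Identifier stream, and stops blocking it as soon as Unblock-File strips that stream; AllSigned and Restricted refuse both unsigned files, Bypass runs both. Any tool that writes a file without the stream (a script typed in by hand, a file extracted by an archiver that does not propagate the mark) produces a “local” script as far as the policy is concerned.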
Script Execution policy scopes
You can set a script execution policy that is effective only in a particular scope. The scopes, as defined by Microsoft, are listed below in precedence order: the first scope that is not Undefined decides the effective policy, so a MachinePolicy or UserPolicy value overrides anything set locally.
- MachinePolicy: Set by Group Policy (or an ADMX-backed Intune setting) for all users of the computer. Highest precedence.
- UserPolicy: Set by Group Policy (or Intune) for the current user of the computer.
- Process: Affects only the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference rather than the registry, and the variable and its value are discarded when the session is closed.
- CurrentUser: Affects only the current user. It is stored in the HKEY_CURRENT_USER registry subkey, so no elevation is needed to change it.
- LocalMachine: Affects all users of the computer. It is stored in the HKEY_LOCAL_MACHINE registry subkey and is the default scope when Set-ExecutionPolicy is run without -Scope, which is why that command needs an elevated session.
How can I check the PowerShell execution policy?
To get the effective execution policy for the current PowerShell session, use the Get-ExecutionPolicy cmdlet. Run the following command in PowerShell to get the effective script execution policy:
Get-ExecutionPolicy
To get all the execution policies that affect the current session and display them in precedence order:
Get-ExecutionPolicy -List
The output of the above command is posted below.
Scope          ExecutionPolicy
-----          ---------------
MachinePolicy  Undefined
UserPolicy     Undefined
Process        Undefined
CurrentUser    Undefined
LocalMachine   Undefined
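Get-ExecutionPolicy -List shows every scope but leaves you to work out which one is winning. The following added example (not code from the original article) performs that resolution the way PowerShell does, reports the scope that decides the effective policy, and flags the case that matters most for a managed fleet: a MachinePolicy or UserPolicy value that silently shadows whatever was set with Set-ExecutionPolicy. It assumes Windows PowerShell 5.1 on Windows; the function name is this example’s own.

```powershell
# Added example (not from the original article): resolve which scope actually decides the
# effective execution policy, and whether a GPO/Intune policy scope is overriding local
# settings. Assumes Windows PowerShell 5.1 on Windows. Function name is illustrative.

function Resolve-ExecutionPolicyScope {
    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy > UserPolicy > Process > CurrentUser > LocalMachine.
    $scopes = Get-ExecutionPolicy -List
    $winner = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1

    if ($null -eq $winner) {
        # Every scope is Undefined, so the built-in default applies. Win32_OperatingSystem
        # ProductType is 1 for workstations, 2 for domain controllers, 3 for other servers.
        $isClient = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1
        $policy   = if ($isClient) { 'Restricted' } else { 'RemoteSigned' }
        $source   = 'Default'
    } else {
        $policy = "$($winner.ExecutionPolicy)"
        $source = "$($winner.Scope)"
    }

    # Any populated scope below the winner is shadowed: Set-ExecutionPolicy will still
    # write it, but it has no effect while the higher scope is set.
    $managed  = $source -in @('MachinePolicy', 'UserPolicy')
    $shadowed = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' -and "$($_.Scope)" -ne $source } |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    [pscustomobject]@{
        EffectivePolicy  = $policy
        DecidedByScope   = $source
        ManagedByPolicy  = $managed                      # True when GPO/Intune is enforcing it
        ShadowedSettings = ($shadowed -join ', ')
        MatchesCmdlet    = ($policy -eq (Get-ExecutionPolicy).ToString())
    }
}

Resolve-ExecutionPolicyScope | Format-List
```

MatchesCmdlet is a self-check: it should always be True, because the function reproduces the precedence rule that Get-ExecutionPolicy applies internally. ManagedByPolicy is the field to look at when a user reports that “Set-ExecutionPolicy doesn’t work”: if it is True, the device is under a GPO or Intune policy and the local change is being overridden.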
How to Change the PowerShell execution policy
When a user attempts to run a script, the following error may appear: “cannot be loaded because running scripts is disabled on this system.” It means the effective execution policy (on a client, usually the default Restricted) does not allow script files to run; to fix it, change the execution policy in an appropriate scope, or run that one script with a per-session policy as shown below.
You can change the execution policy manually with Set-ExecutionPolicy. Without -Scope, the command writes the LocalMachine scope, which affects every user on the computer and requires an elevated PowerShell session; add -Scope CurrentUser to change only your own setting, or -Scope Process to change the current session only.
Set-ExecutionPolicy -ExecutionPolicy <PolicyName>
To set the execution policy to Bypass (no checks, no warnings, no prompts):
Set-ExecutionPolicy -ExecutionPolicy Bypass
To set the execution policy to Unrestricted:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
To set the execution policy to RemoteSigned, the usual choice for managed enterprise devices because locally authored scripts run while downloaded scripts must be signed:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Bypass and Unrestricted as persistent machine-wide settings remove the accidental-execution guard for everyone on the device. If a single script needs them, prefer the per-invocation form, for example powershell.exe -ExecutionPolicy Bypass -File .\script.ps1, which affects only that process. If a Group Policy or Intune setting is in effect, Set-ExecutionPolicy writes the value but reports that it is overridden by a policy defined at a more specific scope, and the effective policy does not change.
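The commands above write the LocalMachine scope implicitly. The following added example (not code from the original article) wraps Set-ExecutionPolicy so that the scope is always explicit, and handles the two failures practitioners hit most often: running the LocalMachine change without elevation, and making a change that a Group Policy or Intune setting then overrides. It assumes Windows PowerShell 5.1 on Windows; the function name is this example’s own, and running it changes the calling user’s CurrentUser policy, which is the point of the demonstration.

```powershell
# Added example (not from the original article): change the policy for an explicit scope
# and report whether the change actually took effect. Assumes Windows PowerShell 5.1 on
# Windows. Function name is illustrative. Running this sets the current user's policy.

function Set-ScopedExecutionPolicy {
    param(
        [Parameter(Mandatory)][string]$Policy,                                           # e.g. RemoteSigned
        [ValidateSet('Process', 'CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )

    # LocalMachine lives under HKLM, so it needs an elevated session; fail early and clearly.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($Scope -eq 'LocalMachine' -and -not $isAdmin) {
        throw 'Setting the LocalMachine scope requires an elevated PowerShell session.'
    }

    try {
        Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope $Scope -Force -ErrorAction Stop
    } catch {
        # PowerShell still writes the value, but reports when a MachinePolicy/UserPolicy wins.
        Write-Warning "Set-ExecutionPolicy reported: $($_.Exception.Message)"
    }

    $stored    = (Get-ExecutionPolicy -Scope $Scope).ToString()
    $effective = (Get-ExecutionPolicy).ToString()
    [pscustomobject]@{
        Scope     = $Scope
        Requested = $Policy
        Stored    = $stored                    # what landed in this scope
        Effective = $effective                 # what a script run right now would get
        Enforced  = ($effective -eq $Policy)   # False when a higher scope overrides it
    }
}

# Persisted for this user only; no elevation needed.
Set-ScopedExecutionPolicy -Policy RemoteSigned -Scope CurrentUser

# Session-only change: stored in $env:PSExecutionPolicyPreference, nothing hits the registry.
Set-ScopedExecutionPolicy -Policy Bypass -Scope Process
"Process scope variable: $env:PSExecutionPolicyPreference"

# Prove the Process change did not leak: a fresh process reports the persisted policy again.
& powershell.exe -NoProfile -Command 'Get-ExecutionPolicy'
```

Enforced is the field that distinguishes “the command succeeded” from “the change is in effect”. On an unmanaged workstation both calls report Enforced = True and the final child process prints RemoteSigned. On a device with a Group Policy or Intune MachinePolicy, the warning fires, Stored still shows the requested value, and Enforced is False; that is the expected behaviour and the reason the rest of this article manages the policy centrally rather than per device.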
Configure PowerShell Execution policy with Intune
Perform the following steps to create an Intune policy to configure the PowerShell execution policy on Windows devices and users:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Configuration Profiles.
- Click on Create > New Policy to set up a new policy.
Make the following selections on the Create a Profile pane:
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Select Create.
In the Basics tab, enter the following properties:
- Name: Enter a descriptive name for the profile, which you or other IT admins can easily identify later. For example, a good profile name is “Configure PowerShell Execution Policy.”
- Description: Enter a brief description of the profile. This setting is optional but recommended. For example: “Use Intune to configure the PowerShell execution policy.”
Click Next.
In the Configuration Settings section, under Settings Catalog, click Add Settings. In the Settings picker window, type “Execution Policy” in the search box and click Search.
In the search results, you’ll find two settings:
- Execution Policy (Device): Select the setting to configure the execution policy for Windows devices.
- Execution Policy (User): Select the setting to configure the execution policy for Windows users.
In the below example, we have selected the setting, Execution Policy (Device), that will allow you to configure the PS script executions on Windows devices.
Close the Settings Picker window.
Selecting Execution Policy (Device) also pulls in its parent setting, Turn on Script Execution (Device). This is the same policy as the Group Policy setting of that name: when enabled, the scripts selected in the Execution Policy drop-down are allowed to run; when disabled, no scripts run (Restricted).
Set Turn on Script Execution (Device) to Enabled, then open the Execution Policy (Device) drop-down and choose an option. In this example we select Allow all scripts, which maps to the Unrestricted execution policy and allows every script to run on the device. For production devices, Allow local scripts and remote signed scripts (RemoteSigned) is the usual choice, because it lets locally authored scripts run while requiring a trusted signature on downloaded ones. The Execution Policy (User) setting works the same way and lands in the UserPolicy scope instead of MachinePolicy. Click Next.
On the Scope Tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
Finally, on the Review+Create tab, take a look at all the settings you’ve configured for the PowerShell script execution with Intune. Click Create.
After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and will be applied to the assigned groups at their next check-in. The newly created configuration profile appears in Intune’s list of configuration profiles.
To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune, and most importantly, they must be online. Regularly, the devices will synchronize with Intune to obtain the most recent policies. To speed up the policy assignments, you can force sync Intune policies using different methods on your Windows computers to download the latest policies from Microsoft Intune.
Monitor Execution Policy in Intune
While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the PowerShell script execution policy settings in Intune.
In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you get to see the total number of devices and users who successfully received the policy settings.
To view the device names that have successfully received the policy settings, click on View Report.
In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
Intune: Verify Script Execution Policy
In this section, we verify that the execution policy on the target devices matches the Intune policy. Remember that the policy we configured allows all scripts on the device, which corresponds to the Unrestricted execution policy.
Sign in to a Windows device that has successfully received the settings via Intune, launch PowerShell, and run the following commands.
First, get the effective execution policy:
Get-ExecutionPolicy
In the output, the execution policy is reported as Unrestricted.
Next, list the execution policy for every scope:
Get-ExecutionPolicy -List
Because the Intune setting is an ADMX-backed policy, it appears in the MachinePolicy row (for Execution Policy (Device)) or the UserPolicy row (for Execution Policy (User)), not in LocalMachine or CurrentUser. Those two rows are also what tells you the setting is enforced: they take precedence over anything set locally with Set-ExecutionPolicy.
If you deployed Execution Policy (User) set to Allow all scripts instead, the same two commands confirm it: Get-ExecutionPolicy reports Unrestricted for the signed-in user, and Get-ExecutionPolicy -List shows the value in the UserPolicy row.
Set PowerShell Execution Policy using GPO
Windows administrators can use Group Policy to manage execution policies on Active Directory domain-joined devices. You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your enterprise.
When you enable the Turn on Script Execution policy, you must select an execution policy. The table below maps each option offered by the GPO to the execution policy it sets.
Group Policy | Execution Policy |
---|---|
Allow all scripts | Unrestricted |
Allow local scripts and remote signed scripts | RemoteSigned |
Allow only signed scripts | AllSigned |
Note
If you disable Turn on Script Execution, scripts do not run; this is equivalent to the Restricted execution policy. If you enable it, you select one of the three execution policies in the table above. If it is Not Configured, the MachinePolicy scope stays Undefined and the locally configured policy applies.
When you deploy a new group policy, you either do it at the domain level or at the organizational unit level. We suggest creating a new group policy object, linking it to a test OU that contains the pilot computers, and then deploying it to a larger group of computers.
To create a GPO, log in to a domain controller or to a member server with the Group Policy Management Console (GPMC) installed. You can also install the GPMC on Windows 11 through RSAT and configure group policies from there.
So here is how you can set the PowerShell execution policy using GPO:
Step 1: Launch Server Manager from the Start menu and click Tools > Group Policy Management. In the Group Policy Management console, expand the domain, right-click Group Policy Objects, and select New.
Step 2: Enter the name for the new group policy. For example, you can specify the GPO name as “Set PowerShell Execution Policy” and click OK. The new GPO is created and is visible under the list of Group Policy Objects in the console.
Step 3: Right-click the GPO that you just created and select Edit. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. Here, look for the policy ‘Turn on Script Execution,’ right-click this policy, and select Edit.
Step 4: Enable the Turn on Script Execution policy and configure the execution policy based on the business requirement. For example, in the screenshot below, the GPO configures the script execution to “Allow all scripts.”
Click Apply and OK. Close the Group Policy Management Editor.
Step 5: After the above group policy object is configured, you need to link the GPO to an OU. You can also link it to the domain, but this is not recommended because the GPO will apply to all computers in the domain. So, the best way is to select a test OU, link your GPO, and test the policy settings.
Step 6: On the client computers, run the group policy update. You can use multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.
Step 7: Once the group policies are refreshed on the client computers, log in to one of the Windows computers. Launch the PowerShell and run the command Get-ExecutionPolicy.
In the screenshot below, we see that before applying the GPO, the script execution was set to restricted. After applying the PowerShell execution group policy, the script execution is set to unrestricted. This confirms that a GPO can be used to configure the script execution policy on Windows computers.
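The GUI steps above have a scripted equivalent, and the verification in Step 7 is the same check needed for the Intune-managed devices in the earlier section. The following added example (not code from the original article) builds and links the GPO with the GroupPolicy module, then verifies enforcement on a pilot computer by comparing the registry values the policy writes with what Get-ExecutionPolicy reports for the MachinePolicy and UserPolicy scopes. The verification is a script block so it can be run unchanged on an Intune-managed device (locally, with & $verify) or on a GPO-managed computer (remotely, through Invoke-Command). It assumes the RSAT GroupPolicy module on the management host, Windows PowerShell 5.1 on the targets with WinRM enabled, and treats the GPO name, OU distinguished name and computer name as placeholders.

```powershell
# Added example (not from the original article): build the "Turn on Script Execution" GPO
# with the GroupPolicy module and verify it (or the equivalent Intune setting) on a device.
# Assumes RSAT GroupPolicy module, Windows PowerShell 5.1 on targets, WinRM enabled.
# The GPO name, OU path and computer name below are placeholders.

Import-Module GroupPolicy

$gpoName = 'Set PowerShell Execution Policy'
$testOu  = 'OU=Pilot Workstations,DC=corp,DC=example'   # placeholder pilot OU
$policy  = 'RemoteSigned'   # GPO option "Allow local scripts and remote signed scripts"

# Turn on Script Execution is ADMX-backed: it writes these two values under the Policies
# hive, and that key is what PowerShell reads as the MachinePolicy scope.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Managed PowerShell execution policy' }
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'EnableScripts'   -Type DWord  -Value 1       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ExecutionPolicy' -Type String -Value $policy | Out-Null

# Link to the pilot OU only; widen to more OUs after the pilot succeeds.
$linked = (Get-GPInheritance -Target $testOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $testOu | Out-Null }

# Verification: compare what the policy wrote to the registry with what PowerShell reports.
# Runs locally on an Intune device (& $verify) or remotely on a GPO pilot (Invoke-Command).
$verify = {
    $policyKeys = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }
    $labels = @{
        Unrestricted = 'Allow all scripts'
        RemoteSigned = 'Allow local scripts and remote signed scripts'
        AllSigned    = 'Allow only signed scripts'
    }
    foreach ($scope in 'MachinePolicy', 'UserPolicy') {
        $reg = Get-ItemProperty -Path $policyKeys[$scope] -ErrorAction SilentlyContinue
        $fromRegistry = if ($null -eq $reg -or $null -eq $reg.EnableScripts) { 'Undefined' }  # Not Configured
                        elseif ($reg.EnableScripts -eq 0) { 'Restricted' }                    # policy Disabled
                        else { $reg.ExecutionPolicy }                                          # policy Enabled
        $reported = (Get-ExecutionPolicy -Scope $scope).ToString()
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Scope      = $scope
            Registry   = $fromRegistry
            GpoLabel   = if ($labels[$fromRegistry]) { $labels[$fromRegistry] } else { '-' }
            Reported   = $reported
            Consistent = ($fromRegistry -eq $reported)
            Effective  = (Get-ExecutionPolicy).ToString()
        }
    }
}

# Refresh Group Policy on the pilot computer and run the check there.
$pilot = 'PILOT-PC01'   # placeholder
Invoke-GPUpdate -Computer $pilot -Force -RandomDelayInMinutes 0
Invoke-Command -ComputerName $pilot -ScriptBlock $verify | Format-Table -AutoSize
```

A healthy pilot shows Registry = RemoteSigned, Reported = RemoteSigned and Consistent = True in the MachinePolicy row, with Effective also RemoteSigned regardless of what LocalMachine or CurrentUser contain. Consistent = False in either row means the policy key has been written but PowerShell is reading something else, which is worth investigating before the GPO is linked more widely. On an Intune-managed device the same output is expected, with the Execution Policy (Device) setting populating the MachinePolicy row and Execution Policy (User) the UserPolicy row.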