Set PowerShell Execution Policy using Intune and GPO

In this article, we’ll demonstrate how to set PowerShell execution policy using Intune and Group Policy. Execution policies determine the conditions under which PowerShell loads script files for execution.

On Windows devices, Microsoft configures PowerShell to run in its most secure mode by default, which is the Restricted execution policy. There are four policies: Restricted, AllSigned, RemoteSigned, and Unrestricted.

On a Windows computer, you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use Microsoft Intune or a group policy setting to set execution policies for computers and users.

In our previous tutorial, we explained how to upload and deploy PowerShell scripts using Intune. To effectively execute the PS scripts, the PowerShell execution policy must be configured. There is no execution policy requirement to retrieve Intune PowerShell scripts.

In enterprises, setting the PowerShell execution policy centrally for many Windows devices and users can be achieved with either a GPO or an Intune policy. You can use these methods to harden PowerShell security and to allow or restrict the running of scripts. This article discusses both methods.

What is the PowerShell Execution Policy?

The execution policies define the conditions under which PowerShell loads files for execution. According to Microsoft, PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

List of PowerShell execution policies

The table below lists all the execution policies and their descriptions. These execution policies are available on all Windows devices and are defined by Microsoft.

  • AllSigned: Requires that all scripts and configuration files, including those you write on the local computer, are signed by a trusted publisher. Prompts you before running scripts from publishers that have not yet been classified as trusted or untrusted.
  • Bypass: Nothing is blocked, and there are no warnings or prompts.
  • Default: Sets the default execution policy. On Windows clients the default is Restricted; on Windows servers it is RemoteSigned.
  • RemoteSigned: Requires a digital signature from a trusted publisher on scripts and configuration files downloaded from the internet, including those received through email and instant messaging applications.
  • Restricted: Permits individual commands but does not allow scripts to run.
  • Undefined: No execution policy is set in the current scope. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.
  • Unrestricted: The default execution policy for non-Windows computers, where it cannot be changed. Unsigned scripts can run, so there is a risk of running malicious scripts.

Script Execution policy scopes

You can set a script execution policy that is effective only in a particular scope. Following is the list of execution policy scopes available as per Microsoft:

  • MachinePolicy: Set by a group policy for all users of the computer.
  • UserPolicy: Set by a group policy for the current user of the computer.
  • Process: The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.
  • CurrentUser: The execution policy affects only the current user. It’s stored in the HKEY_CURRENT_USER registry subkey.
  • LocalMachine: The execution policy affects all users of the computer. It’s stored in the HKEY_LOCAL_MACHINE registry subkey and is the default scope when you set an execution policy.

How can I check the PowerShell execution policy?

To get the effective execution policy for the current PowerShell session, use the Get-ExecutionPolicy cmdlet. Run the following command in PowerShell to get the effective script execution policy:

Get-ExecutionPolicy

To get all the execution policies that affect the current session and display them in precedence order:

Get-ExecutionPolicy -List

The output of the above command is posted below.

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       Undefined

check the PowerShell execution policy

How to Change the PowerShell execution policy

When a user attempts to run a script, the following error may appear: “cannot be loaded because running scripts is disabled on this system.” If you’re getting this error, it’s because you need to change the execution policy and allow running the scripts.

You can manually change the PowerShell execution policy by running the below command.

Set-ExecutionPolicy -ExecutionPolicy <PolicyName>

Enter the command below to set the PowerShell execution policy to Bypass:

Set-ExecutionPolicy -ExecutionPolicy Bypass

Enter the command below to set the PowerShell execution policy to Unrestricted:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

The below PS command sets the execution policy to RemoteSigned.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Change the PowerShell execution policy
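As an added example (not from the original article), the following function wraps Set-ExecutionPolicy so that the scope is explicit and the override behaviour is visible: when a GPO or Intune policy already sets MachinePolicy or UserPolicy, the cmdlet writes the value but reports that a more specific scope overrides it. It assumes a Windows PowerShell 5.1 session and uses only the documented scope and policy names.

```powershell
# Added example, not the article's own code. Sets the execution policy for one
# scope and reports how the effective policy changed.
function Set-ScopedExecutionPolicy {
    param(
        [Parameter(Mandatory)]
        [Microsoft.PowerShell.ExecutionPolicy]$Policy,
        [Microsoft.PowerShell.ExecutionPolicyScope]$Scope = 'CurrentUser'
    )
    $before = Get-ExecutionPolicy
    try {
        # -Force suppresses the interactive confirmation prompt
        Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope $Scope -Force -ErrorAction Stop
    }
    catch {
        # A MachinePolicy or UserPolicy value (GPO/Intune) overrides the local scopes;
        # the cmdlet raises an error in that case, so surface it instead of hiding it.
        Write-Warning "Could not apply '$Policy' in scope '$Scope': $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Scope     = $Scope
        Requested = $Policy
        Before    = $before
        Effective = Get-ExecutionPolicy   # effective policy after the change
    }
}

# Process scope: stored in $env:PSExecutionPolicyPreference and discarded when the session ends
Set-ScopedExecutionPolicy -Policy RemoteSigned -Scope Process

# CurrentUser scope: persisted under HKEY_CURRENT_USER, no administrator rights required
Set-ScopedExecutionPolicy -Policy RemoteSigned -Scope CurrentUser

# Show every scope in precedence order so the source of the effective policy is visible
Get-ExecutionPolicy -List
```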

Configure PowerShell Execution policy with Intune

Perform the following steps to create an Intune policy to configure the PowerShell execution policy on Windows devices and users:

  • Sign in to the Microsoft Intune admin center.
  • Select Devices > Windows > Configuration Profiles.
  • Click on Create > New Policy to set up a new policy.

Make the following selections on the Create a Profile pane:

  • Platform: Windows 10 and later
  • Profile type: Settings Catalog

Select Create.

Create an Intune Policy to Configure PowerShell Execution Policy

In the Basics tab, enter the following properties:

  • Name: Enter a descriptive name for the profile, which you or other IT admins can easily identify later. For example, a good profile name is “Configure PowerShell Execution Policy.”
  • Description: Enter a brief description of the profile. This setting is optional but recommended. The following description is entered in the screenshot below: “Use Intune to configure the PowerShell execution policy.”

Click Next.

Create a Policy in Intune to Configure PowerShell Execution Policy

In the Configuration Settings section, under Settings Catalog, click Add Settings. In the Settings picker window, type “Execution Policy” in the search box and click Search.

In the search results, you’ll find two settings:

  1. Execution Policy (Device): Select the setting to configure the execution policy for Windows devices.
  2. Execution Policy (User): Select the setting to configure the execution policy for Windows users.

In the example below, we have selected the setting Execution Policy (Device), which lets you configure PowerShell script execution on Windows devices.

Close the Settings Picker window.

Configure PowerShell Execution policy with Intune

Turn on Script Execution (Device): This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the execution policy selected in the drop-down list determines which scripts are allowed to run.

First, enable Turn on Script Execution (Device). Click the drop-down next to Execution Policy (Device) and select Allow all scripts. This corresponds to the Unrestricted execution policy and allows every script to run on the device. Click Next.

Configure PowerShell Execution policy with Intune

On the Scope Tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.

In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.

Intune Policy Assignments

Finally, on the Review+Create tab, take a look at all the settings you’ve configured for the PowerShell script execution with Intune. Click Create.

After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.

Create Intune Policy for Scripts Execution

To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune and, most importantly, must be online. Devices synchronize with Intune at regular intervals to obtain the latest policies. To speed up policy assignment, you can force an Intune sync on your Windows computers using one of several methods so that they download the latest policies from Microsoft Intune.

Monitor Execution Policy in Intune

While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the PowerShell script execution policy settings in Intune.

In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you get to see the total number of devices and users who successfully received the policy settings.

To view the device names that have successfully received the policy settings, click on View Report.

In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.

Monitor PowerShell script execution policy in Intune

Intune: Verify Script Execution Policy

In this section, we will determine whether the execution policy has been applied as per the Intune policy to our target devices. Remember that the policy that we configured is set to run all the scripts on the devices. Let’s verify the same on the target devices.

Sign in to the Windows device that has successfully received the PowerShell script execution settings via Intune. Launch the PowerShell as an administrator and run the following commands:

First, run the below PS command to find the execution policy.

Get-ExecutionPolicy

In the output, we see the execution policy is configured as Unrestricted.

Next, run the below PS command to get a list of all the execution policies along with their scopes.

Get-ExecutionPolicy -List

Verify the Execution Policy on Windows Device

If you have set the script execution policy to Unrestricted (run all scripts) for Windows users in Intune, run the PS commands below to confirm that it has been applied successfully.

First, run the below PS command to find the execution policy. The execution policy is set to unrestricted.

Get-ExecutionPolicy

Next, run the below PS command to get a list of all the execution policies along with their scopes.

Get-ExecutionPolicy -List

Check the PS Execution Policy for Windows Users

Set PowerShell Execution Policy using GPO

Windows administrators can use Group Policy to manage execution policies on Active Directory domain-joined devices. You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your enterprise.

When you enable the Turn on Script Execution policy, you must select the execution policy. The table below lists all the options that are available when you configure the turn-on script execution policy via GPO.

  • Allow all scripts: Unrestricted
  • Allow local scripts and remote signed scripts: RemoteSigned
  • Allow only signed scripts: AllSigned

Note

If you disable Turn on Script Execution, scripts do not run. This is equivalent to the restricted execution policy. If you enable Turn on Script Execution, you can select an execution policy.

When you deploy a new group policy, you either do it at the domain level or at the organizational unit level. We suggest creating a new group policy object, linking it to a test OU that contains the pilot computers, and then deploying it to a larger group of computers.

To create a GPO, log in to a domain controller or to a member server with the Group Policy Management Console (GPMC) installed. You can also install the GPMC on Windows 11 and configure group policies from there.

So here is how you can set the PowerShell execution policy using GPO:

Step 1: Launch Server Manager from the Start menu and click Tools > Group Policy Management. In the Group Policy Management console, expand the domain, right-click Group Policy Objects, and select New.

Step 2: Enter the name for the new group policy. For example, you can specify the GPO name as “Set PowerShell Execution Policy” and click OK. The new GPO is created and is visible under the list of Group Policy Objects in the console.

Set PowerShell Execution Policy using GPO

Step 3: Right-click the GPO that you just created and select Edit. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. Here, look for the policy ‘Turn on Script Execution,’ right-click this policy, and select Edit.

Set PowerShell Execution Policy using GPO

Step 4: Enable the Turn on Script Execution policy and configure the execution policy based on the business requirement. For example, in the screenshot below, the GPO configures the script execution to “Allow all scripts.”

Click Apply and OK. Close the Group Policy Management Editor.

Set PowerShell Execution Policy using GPO

Step 5: After the above group policy object is configured, you need to link the GPO to an OU. You can also link it to the domain, but this is not recommended because the GPO will apply to all computers in the domain. So, the best way is to select a test OU, link your GPO, and test the policy settings.

Step 6: On the client computers, run the group policy update. You can use multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.

Step 7: Once the group policies are refreshed on the client computers, log in to one of the Windows computers. Launch the PowerShell and run the command Get-ExecutionPolicy.

In the screenshot below, we see that before applying the GPO, the script execution was set to restricted. After applying the PowerShell execution group policy, the script execution is set to unrestricted. This confirms that a GPO can be used to configure the script execution policy on Windows computers.
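Whether the policy arrived through Intune (the verification steps in the Intune section) or through the GPO in Step 7, the useful check on a client is that the effective policy is actually enforced from the MachinePolicy or UserPolicy scope rather than from a local setting that any user could change. The script below is an added example (not from the original article) that reads the registry values behind each scope and flags the Unrestricted and Bypass settings; it assumes Windows PowerShell 5.1 and that the Intune Settings Catalog setting and the GPO both write to the standard Windows PowerShell policy registry keys.

```powershell
# Added example, not the article's own code. Reports the effective execution
# policy together with the registry value behind each scope.
function Get-ExecutionPolicySource {
    # Standard Windows PowerShell registry locations for each scope
    $machinePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $userPolicyKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $localMachineKey  = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    $currentUserKey   = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

    function Read-PolicyValue([string]$Path) {
        # $null means the key or value is absent, i.e. the scope is Undefined
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        # "Turn on Script Execution" set to Disabled writes EnableScripts=0 (Restricted)
        if ($item.PSObject.Properties['EnableScripts'] -and $item.EnableScripts -eq 0) {
            return 'Restricted (EnableScripts=0)'
        }
        return $item.ExecutionPolicy
    }

    [pscustomobject]@{
        Effective     = (Get-ExecutionPolicy).ToString()
        MachinePolicy = Read-PolicyValue $machinePolicyKey  # GPO Computer Configuration / Intune Execution Policy (Device)
        UserPolicy    = Read-PolicyValue $userPolicyKey     # GPO User Configuration / Intune Execution Policy (User)
        LocalMachine  = Read-PolicyValue $localMachineKey   # Set-ExecutionPolicy (default scope)
        CurrentUser   = Read-PolicyValue $currentUserKey    # Set-ExecutionPolicy -Scope CurrentUser
        Process       = $env:PSExecutionPolicyPreference    # set only for the running session
    }
}

$source = Get-ExecutionPolicySource
$source | Format-List

# "Allow all scripts" (Unrestricted) and Bypass both let unsigned scripts from any
# source run; RemoteSigned is the usual hardened baseline, so flag the former two.
foreach ($scope in 'MachinePolicy', 'UserPolicy') {
    if ($source.$scope -in 'Unrestricted', 'Bypass') {
        Write-Warning "$scope enforces $($source.$scope): unsigned scripts from any source can run"
    }
}

# Cross-check against the cmdlet's own precedence-ordered view of the scopes
Get-ExecutionPolicy -List
```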

Set PowerShell Execution Policy using Group Policy