Forum Discussion
Skipster311-1
Aug 19, 2021Iron Contributor
Restrict PowerShell on end user devices
Hello all
All devices are running the latest version on Windows 10. We have deployed defender for endpoint, Intune, and sccm. Can defender for endpoint tell me what the current powershell execution policy is on every device ? can i also use it to set the execution policy in mass? I dont want to resort to GPO because many users work remotely because of covid.
Thank you
- I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts ran via the Intune scripts option will be ran via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There's a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.
You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
- pvanberloSteel ContributorWhy not run a script using Intune? You can target any script directly to devices.
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension- Skipster311-1Iron Contributordoes this require the powershell execution policy to be set to bypass? I want to configure all devices for "remote signed"
- pvanberloSteel ContributorScripts that you run using Intune are executed locally on each device. Unless you pull in other resources like scripts or execute another remote script from the one you assign to a device, you shouldn’t have the need to change anything.
Even if you do need to change the execution policy, you could do so from within the script that you assign to a device.