Forum Discussion

Skipster311-1's avatar
Skipster311-1
Iron Contributor
Aug 19, 2021

Restrict PowerShell on end user devices

Hello all

All devices are running the latest version on Windows 10. We have deployed defender for endpoint, Intune, and sccm. Can defender for endpoint tell me what the current powershell execution policy is on every device ? can i also use it to set the execution policy in mass? I dont want to resort to GPO because many users work remotely because of covid.

Thank you 

  • pvanberlo's avatar
    pvanberlo
    Aug 19, 2021
    I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts ran via the Intune scripts option will be ran via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There's a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.

    You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
    • Skipster311-1's avatar
      Skipster311-1
      Iron Contributor
      does this require the powershell execution policy to be set to bypass? I want to configure all devices for "remote signed"
      • pvanberlo's avatar
        pvanberlo
        Steel Contributor
        Scripts that you run using Intune are executed locally on each device. Unless you pull in other resources like scripts or execute another remote script from the one you assign to a device, you shouldn’t have the need to change anything.

        Even if you do need to change the execution policy, you could do so from within the script that you assign to a device.

Resources