Forum Discussion
Solved
Restrict PowerShell on end user devices
Hello all All devices are running the latest version on Windows 10. We have deployed defender for endpoint, Intune, and sccm. Can defender for endpoint tell me what the current powershell execution ...
- I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts ran via the Intune scripts option will be ran via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There's a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.
You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
Understood, however if we create a script that is not digitally signed and we deploy the script to devices using intune, if the powershell execution policy on the device is set for RemoteSigned, then from my understanding the script will not run. Again im trying to move away from "bypass" as the execution policy
Disregard my previous advice. For the scripts I've been running up to now using this option, which are not very complex, they simply work using the scripts option in Intune. If you need to change the execution policy it's a bit of a chicken-egg issue, you can't change the policy using a script thats blocked to unblock that script.
You could try to package the script as a Win32 app in Intune, and set the install command to run PowerShell, with something like "powershell.exe -ExecutionPolicy <SomePolicy> -File .\YourScript.ps1". This would run PowerShell with that specific execution policy for that session only, and not modify it globally for the whole system.
You could try to package the script as a Win32 app in Intune, and set the install command to run PowerShell, with something like "powershell.exe -ExecutionPolicy <SomePolicy> -File .\YourScript.ps1". This would run PowerShell with that specific execution policy for that session only, and not modify it globally for the whole system.
- Right, and im sure the scripts you are running are not digitally signed. If powershell needs to be setup for "bypass" to allow Intune to run scripts, then to me this presents a security concern, because bypass allows low priv users to run scripts that are not digitally signed
- I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts ran via the Intune scripts option will be ran via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There's a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.
You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".- You also helped me with my powershell scripts, i just now noticed that, lol. Well thanks again for all your help