Forum Discussion
Skipster311-1
Aug 19, 2021 - Iron Contributor
Restrict PowerShell on end user devices
Hello all. All devices are running the latest version of Windows 10. We have deployed Defender for Endpoint, Intune, and SCCM. Can Defender for Endpoint tell me what the current PowerShell execution ...
Skipster311-1
Aug 19, 2021 - Iron Contributor
Right, and I'm sure the scripts you are running are not digitally signed. If PowerShell needs to be set up for "bypass" to allow Intune to run scripts, then to me this presents a security concern, because bypass allows low-priv users to run scripts that are not digitally signed.
pvanberlo
Aug 19, 2021 - MCT
I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts run via the Intune scripts option will be run via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There are a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.
You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
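The following is an added example, not code from the thread or from Microsoft; it audits the two things discussed above on a single device: the effective execution policy per scope (including the MachinePolicy/UserPolicy scopes that the "Turn on Script Execution" setting populates through the registry policy keys), and whether a given script carries a valid Authenticode signature. The script path, the temporary unsigned sample file and the `Get-ExecutionPolicyReport` function name are assumptions for the demonstration.

```powershell
# Added example: report the effective PowerShell execution policy, whether it is
# enforced by policy (Intune Settings catalog / GPO "Turn on Script Execution"),
# and the signature status of a script. Windows PowerShell 5.1 or PowerShell 7.

function Get-ExecutionPolicyReport {
    [CmdletBinding()]
    param(
        # Assumed parameter: path of a script whose Authenticode signature is checked
        [string]$ScriptPath
    )

    # All scopes, most specific first; the effective policy is the first non-Undefined one
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    # Registry values written by the "Turn on Script Execution" administrative template:
    # EnableScripts = 1 and ExecutionPolicy = AllSigned | RemoteSigned | Unrestricted
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',   # MachinePolicy scope
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'    # UserPolicy scope
    )

    $policyValues = foreach ($key in $policyKeys) {
        if (Test-Path -Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Key             = $key
                EnableScripts   = $p.EnableScripts
                ExecutionPolicy = $p.ExecutionPolicy
            }
        }
    }

    $report = [ordered]@{
        EffectivePolicy  = $effective
        Scopes           = $scopes
        # True only when an administrative policy key is present and enabled
        EnforcedByPolicy = [bool]($policyValues | Where-Object { $_.EnableScripts -eq 1 })
        PolicyValues     = $policyValues
        # Anything weaker than AllSigned lets unsigned local scripts run
        AllowsUnsigned   = ("$effective" -in @('Bypass', 'Unrestricted', 'RemoteSigned', 'Undefined'))
    }

    if ($ScriptPath) {
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        $report.ScriptSignatureStatus = $sig.Status
        $report.ScriptSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }

    [pscustomobject]$report
}

# Constructed sample: an unsigned script, so ScriptSignatureStatus should read NotSigned
$sample = Join-Path -Path $env:TEMP -ChildPath 'unsigned-sample.ps1'
Set-Content -Path $sample -Value 'Write-Output "hello"'

Get-ExecutionPolicyReport -ScriptPath $sample | Format-List
```

When the Settings catalog profile from the reply above has applied, `Scopes` shows the chosen value under `MachinePolicy` and `EnforcedByPolicy` is `True`; a policy-scope value also overrides any `Set-ExecutionPolicy` a user or script issues at the LocalMachine or CurrentUser scope, which is what makes it preferable to setting the policy locally. Keep in mind that the execution policy is a safety feature rather than a security boundary (a user can still run code by other means), so the signed-scripts requirement discussed in this thread is the control that actually stops unsigned code from being trusted.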
Skipster311-1
Aug 19, 2021 - Iron Contributor
You also helped me with my PowerShell scripts, I just now noticed that, lol. Well thanks again for all your help.