Microsoft Tech Community
SOLVED

Restrict PowerShell on end user devices


Hello all

All devices are running the latest version of Windows 10. We have deployed Defender for Endpoint, Intune, and SCCM. Can Defender for Endpoint tell me what the current PowerShell execution policy is on every device? Can I also use it to set the execution policy en masse? I don't want to resort to GPO because many users work remotely because of COVID.

Thank you 

8 Replies
Why not run a script using Intune? You can target any script directly to devices.

https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
Does this require the PowerShell execution policy to be set to Bypass? I want to configure all devices for "RemoteSigned".
Scripts that you run using Intune are executed locally on each device. Unless you pull in other resources like scripts or execute another remote script from the one you assign to a device, you shouldn’t have the need to change anything.

Even if you do need to change the execution policy, you could do so from within the script that you assign to a device.
Understood. However, if we create a script that is not digitally signed and deploy it to devices using Intune, and the PowerShell execution policy on the device is set to RemoteSigned, then from my understanding the script will not run. Again, I'm trying to move away from "Bypass" as the execution policy.
Disregard my previous advice. The scripts I've been running up to now using this option, which are not very complex, simply work using the scripts option in Intune. If you need to change the execution policy it's a bit of a chicken-and-egg issue: you can't change the policy using a script that's blocked in order to unblock that script.

You could try to package the script as a Win32 app in Intune, and set the install command to run PowerShell, with something like "powershell.exe -ExecutionPolicy <SomePolicy> -File .\YourScript.ps1". This would run PowerShell with that specific execution policy for that session only, and not modify it globally for the whole system.
Right, and I'm sure the scripts you are running are not digitally signed. If PowerShell needs to be set to "Bypass" to allow Intune to run scripts, then to me this presents a security concern, because Bypass allows low-privilege users to run scripts that are not digitally signed.
best response confirmed by Skipster311-1 (Iron Contributor)
Solution
I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts run via the Intune scripts option are run via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There are a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.

You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
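As an added example (not from any participant in this thread), a reporting script of the kind that could be deployed through Intune to answer the original question, which execution policy each device currently has in each scope, and to check whether a given script is Authenticode-signed before a move to RemoteSigned. The script path is a hypothetical placeholder.

```powershell
# Added example: report the effective PowerShell execution policy per scope
# and verify a script's Authenticode signature. Written to run as an Intune
# detection script; the script path below is a hypothetical placeholder.
param(
    [string]$ScriptPath = 'C:\ProgramData\Contoso\Example.ps1'  # hypothetical
)

# Each scope can hold its own value; the effective policy is the first
# non-Undefined entry in precedence order (MachinePolicy first).
$policies  = Get-ExecutionPolicy -List
$effective = Get-ExecutionPolicy

function Get-ScopePolicy([string]$Scope) {
    [string]($policies | Where-Object Scope -eq $Scope).ExecutionPolicy
}

$report = [ordered]@{
    ComputerName     = $env:COMPUTERNAME
    EffectivePolicy  = [string]$effective
    MachinePolicyGPO = Get-ScopePolicy 'MachinePolicy'
    UserPolicyGPO    = Get-ScopePolicy 'UserPolicy'
    LocalMachine     = Get-ScopePolicy 'LocalMachine'
    CurrentUser      = Get-ScopePolicy 'CurrentUser'
}

# Under RemoteSigned a locally created script runs unsigned, but a file that
# carries a Zone.Identifier stream (downloaded from the internet) must be
# signed by a trusted publisher, so record both facts for the script.
if (Test-Path -LiteralPath $ScriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $report.ScriptSignature = [string]$sig.Status    # Valid, NotSigned, HashMismatch, ...
    $report.ScriptSigner    = $sig.SignerCertificate.Subject
    $report.FromInternet    = [bool](Get-Item -LiteralPath $ScriptPath `
        -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

# JSON output shows up cleanly in the Intune script results pane.
$report | ConvertTo-Json -Compress

# Exit 1 flags drift from the desired RemoteSigned policy so that an Intune
# remediation script can be triggered; exit 0 means compliant.
if ($effective -ne 'RemoteSigned') { exit 1 } else { exit 0 }
```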
You also helped me with my PowerShell scripts, I just now noticed that, lol. Well, thanks again for all your help.