Intune PowerShell - Enforce script signature check

EnterpriseArchitect 4,866 Reputation points
2023-11-29T01:41:23.4466667+00:00

Could someone explain the PowerShell script setting "Enforce script signature check" in the Intune Portal?

https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/powershell


There isn't any documentation or instructional piece available on the process or the signed script sample.

I would be very grateful for any assistance.

Thanks,

Tags: Microsoft Graph, Windows Server PowerShell, Microsoft Intune Configuration, Microsoft Intune, PowerShell

4 answers

  1. Rich Matheisen 45,111 Reputation points
    2023-11-29T02:28:25.7933333+00:00

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    • Enforce script signature check: Select Yes (default) if the script must be signed by a trusted publisher. Select No if there isn't a requirement for the script to be signed.

    Not knowing anything about Intune, I'd guess it's doing the same thing as setting the PowerShell execution policy to "AllSigned" but doing it in a way that works for devices other than Windows. In other words, it's only going to allow you to use signed scripts and doing the enforcement in Intune rather than on the device.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.3


  2. Crystal-MSFT 43,996 Reputation points Microsoft Vendor
    2023-11-29T02:38:39.75+00:00

    @EnterpriseArchitect, Thanks for posting in Q&A. The "Enforce script signature check" setting in the Intune Portal is used to determine whether a PowerShell script must be signed by a trusted publisher before it can be executed on a device. When the "Enforce script signature check" setting is enabled, scripts need to be signed, and the certificate is added to the Trusted Publishers certificate store of the device. If you are using third-party scripts that are signed, make sure the certificate is in the Trusted Publishers certificate store. As with any certificate, the certificate authority must be trusted by the device.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. JatinMakhija 961 Reputation points
    2023-11-29T16:37:13.7566667+00:00

    To enable this option and execute PowerShell scripts successfully, ensure the following:

    1. Use a Code Signing Certificate to Sign your PS Script.
    2. Ensure that the root of the Code Signing Certificate is Installed on the target Windows device in the Trusted Root Certificate Authorities store.

    Usually, when you utilize third-party CAs like Comodo or DigiCert to sign your PowerShell script, the root certificate is already present on your Windows device. In such cases, there's no need to deploy it, eliminating one additional step.

    Unless you have this setup in place, you can choose Enforce script signature check - No to make sure your custom scripts are deploying and executing successfully on the target devices via Intune.

    To access the Trusted Root Certification Authorities folder in Windows, press Windows + R, type certlm.msc in the Run box, and press Enter.


    ---If the response is helpful, please click "Accept Answer" and upvote it.---
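The three answers above describe one procedure: sign the script with a code-signing certificate, make the signer's chain trusted on the device (Trusted Root for the CA, Trusted Publishers for the signer), and then let the device verify the signature the way an AllSigned execution policy would. The following walk-through is an added example, not code from the thread or from Microsoft. It assumes an elevated Windows PowerShell 5.1 session on a Windows device; the script path, export path, certificate subject and timestamp URL are illustrative choices. It uses a self-signed certificate purely so the whole chain is visible on one machine; in production the signer comes from your enterprise PKI or a public CA, and the public certificate would be pushed to devices with an Intune trusted-certificate profile rather than imported by hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Lab walk-through of what a device
# needs for "Enforce script signature check = Yes" to pass.
# Paths, the certificate subject and the timestamp URL are illustrative.

$ScriptPath = 'C:\IntuneScripts\Set-Baseline.ps1'        # assumed path
$ExportPath = 'C:\IntuneScripts\IntuneCodeSigning.cer'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null

# 1. A constructed sample script to sign.
@'
# Sample Intune script (constructed for this example)
Write-Output "Baseline applied on $env:COMPUTERNAME"
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

# 2. Lab only: self-signed code-signing certificate. In production use a
#    certificate from your enterprise PKI or a public CA such as DigiCert,
#    whose root is already present in the Windows Trusted Root store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Intune Script Signing (Lab)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# 3. Export the public certificate (no private key) and install it where a
#    target device needs it: Trusted Root (this cert is its own root) and
#    Trusted Publishers (what an AllSigned policy consults for the signer).
#    On managed devices this .cer would be deployed with an Intune
#    trusted-certificate profile instead of being imported by hand.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $ExportPath `
        -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 4. Sign the script. The timestamp keeps the signature valid after the
#    certificate expires; drop -TimestampServer if the machine is offline.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 5. Verify the way a device would: the chain must validate and the signer
#    must be present in the machine-wide trust stores.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
$thumb = $check.SignerCertificate.Thumbprint
$report = [pscustomobject]@{
    Status             = $check.Status
    Signer             = $check.SignerCertificate.Subject
    Thumbprint         = $thumb
    InTrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$thumb"
    InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
}
$report | Format-List
if ($report.Status -ne 'Valid' -or -not ($report.InTrustedRoot -and $report.InTrustedPublisher)) {
    throw 'A device enforcing the signature check would reject this script.'
}

# 6. Local stand-in for the enforcement Rich describes: run the script in a
#    child process whose execution policy is AllSigned. With the signer in
#    Trusted Publishers this runs without a prompt; an unsigned copy is
#    refused as "not digitally signed".
powershell.exe -NoProfile -ExecutionPolicy AllSigned -File $ScriptPath

# 7. Tamper case: changing the body leaves the signature block in place but
#    the embedded hash no longer matches, so the signature must not verify.
$tampered = "$ScriptPath.tampered.ps1"
(Get-Content $ScriptPath -Raw) -replace 'Baseline', 'Tampered' |
    Set-Content -Path $tampered -Encoding UTF8
if ((Get-AuthenticodeSignature -FilePath $tampered).Status -eq 'Valid') {
    throw 'Tampered copy should not verify'
}
```

Two practical notes. First, step 3 is the part that is easy to forget when the signer is a private or self-signed certificate: Set-AuthenticodeSignature and Get-AuthenticodeSignature will report a non-Valid status until the root of the chain is trusted on the machine doing the check, which is why the import happens before signing here. Second, the thumbprint lookups in step 5 are a quick way to confirm on a target device that the certificate profile actually landed in the expected stores before flipping the Intune setting to Yes.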


  4. Andrew parle 0 Reputation points
    2024-04-30T16:42:38.88+00:00
