Share via

Intune PowerShell - Enforce script signature check

EnterpriseArchitect 6,301 Reputation points
2023-11-29T01:41:23.4466667+00:00

Could someone explain the PowerShell script Enforce script signature check in the Intune Portal?

https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/powershell

User's image

There isn't any documentation or instructional piece available on the process or the signed script sample.

I would be very grateful for any assistance.

Thanks,

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Other
Microsoft Security | Microsoft Graph

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Crystal-MSFT 54,201 Reputation points Microsoft External Staff
    2023-11-29T02:38:39.75+00:00

    @EnterpriseArchitect, Thanks for posting in Q&A. The "Enforce script signature check" setting in the Intune Portal is used to determine whether a PowerShell script must be signed by a trusted publisher before it can be executed on a device. When the "Enforce script signature check" setting is enabled, scripts need to be signed, and the certificate is added to the Trusted Publishers certificate store of the device. If you are using third-party scripts that are signed, make sure the certificate is in the Trusted Publishers certificate store. As with any certificate, the certificate authority must be trusted by the device.

    Hope the above information can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments
  2. Rich Matheisen 48,026 Reputation points
    2023-11-29T02:28:25.7933333+00:00

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    • Enforce script signature check: Select Yes (default) if the script must be signed by a trusted publisher. Select No if there isn't a requirement for the script to be signed.

    Not knowing anything about Intune, I'd guess it's doing the same thing as setting the PowerShell execution policy to "AllSigned" but doing it in a way that works for devices other than Windows. In other words, it's only going to allow you to use signed scripts and doing the enforcement in Intune rather than on the device.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.3

    0 comments
  3. Jatin Makhija 1,181 Reputation points
    2023-11-29T16:37:13.7566667+00:00

    To enable this option and execute PowerShell scripts successfully, ensure the following:

    1. Use a Code Signing Certificate to Sign your PS Script.
    2. Ensure that the root of the Code Signing Certificate is Installed on the target Windows device in the Trusted Root Certificate Authorities store.

    Usually, when you utilize third-party CAs like Comodo or DigiCert to sign your PowerShell script, the root certificate is already present on your Windows device. In such cases, there's no need to deploy it, eliminating one additional step.

    Unless you have this setup in place, you can choose Enforce script signature check - No to make sure your custom scripts are deploying and executing successfully on the target devices via intune.

    To access the Trusted Root Certification Authorities folder in Windows, press Windows + R, type certlm.msc in the Run box, and press Enter.

    User's image

    ---If the response is helpful, please click "Accept Answer" and upvote it.---

  4. Andrew parle 0 Reputation points
    2024-04-30T16:42:38.88+00:00

    2x._{}.true

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.