Restrict Unsigned PowerShell scripts

Sukesh Chandran 21 Reputation points
2021-02-03T14:32:52.15+00:00

How to restrict users and admins from running unsigned PowerShell scripts? CSP/ADMX?
Devices are AAD joined and being enrolled with Autopilot. Someone please advise on the better options.


Accepted answer
  1. Jason Sandys 31,176 Reputation points Microsoft Employee
    2021-02-03T16:03:12.643+00:00

    You cannot directly enforce the PowerShell execution policy today using a CSP, and the ADMX for this is currently blocked for use via an MDM.

    The block is being removed and the ADMX will be surfaced in Intune soon though. Both of these should be available by summer for all supported versions of Windows (although that's not a guaranteed timeline or commitment).

    For now, the best you can do is set the appropriate registry value, I believe, although I haven't actually tried this (or if I have, I don't remember).


1 additional answer

  1. Crystal-MSFT 44,151 Reputation points Microsoft Vendor
    2021-02-04T01:25:21.327+00:00

    @Sukesh Chandran, Agree with Jason. Based on my research, the execution policies can only allow the script signed by a trusted publisher to be run. We can change the execution policy for the LocalMachine scope by setting the string value ExecutionPolicy as AllSigned under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell. We can see more details in the following link:
    https://winaero.com/change-powershell-execution-policy-windows-10/
    Note: Non-Microsoft link, just for reference.


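The registry approach from the answers above, as an added example that is not part of the original thread: it writes the `ExecutionPolicy` string value named in the answer, then checks whether a higher-precedence scope leaves a different policy in effect. It assumes an elevated Windows PowerShell session; writing the 32-bit registry view as well goes beyond what the answers describe and is included because 32-bit PowerShell hosts read their own copy of the key.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Key path and value are the ones quoted in the answer.
$SubKey   = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$Expected = 'AllSigned'

function Set-ExecutionPolicyValue {
    param([Microsoft.Win32.RegistryView]$View)
    # Open HKLM in an explicit view so the write is not redirected by the host's bitness.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.CreateSubKey($SubKey)   # opens the key writable, creating it if absent
        try {
            $before = $key.GetValue('ExecutionPolicy')
            if ($before -ne $Expected) {
                $key.SetValue('ExecutionPolicy', $Expected,
                    [Microsoft.Win32.RegistryValueKind]::String)
            }
            [pscustomobject]@{
                View   = $View
                Before = $before
                After  = $key.GetValue('ExecutionPolicy')
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# Assumption: both views are set so 64-bit and 32-bit PowerShell hosts agree.
$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$views | ForEach-Object { Set-ExecutionPolicyValue -View $_ } | Format-Table -AutoSize

# LocalMachine is the lowest-precedence scope: MachinePolicy, UserPolicy, Process and
# CurrentUser all win over it, so report any of those that are defined.
$byScope   = Get-ExecutionPolicy -List
$overrides = $byScope | Where-Object {
    $_.Scope -ne 'LocalMachine' -and $_.ExecutionPolicy -ne 'Undefined'
}
$byScope | Format-Table -AutoSize

$effective = Get-ExecutionPolicy
if ($effective -ne $Expected) {
    Write-Warning "Effective policy is $effective, not $Expected."
    $overrides | ForEach-Object { Write-Warning "Overridden by scope $($_.Scope): $($_.ExecutionPolicy)" }
    exit 1   # non-zero exit so a management tool can flag the device
}
Write-Output "Effective policy for this session: $effective"
```

Once `AllSigned` is in effect, this script itself must be signed by a trusted publisher to run again on the device.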