This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 26%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hi
In Endpoint security we have an attack surface reduction policy setup.
We noticed that this policy was preventing our PowerShell scripts from running from SCCM.
We made an exclusion here:
This allowed SCCM to execute scripts one the exception was made.
The issue however is, this will allow the end user to execute PowerShell scripts as well since their is an exclusion.
Is there anyway to let SCCM be excluded but still prevent users from running PowerShell scripts?
Thanks
What setting exactly in your ASR policy do you have configured that you believe is blocking PowerShell script execution (as there are no built-in rules that do this)?
Ihere is a screenshot of the configuration
I am not sure which one would block SCCM scripts. However when I exclude the powershell path, the SCCM script works fine.
II have tried to exclude the exact path to the script with no luck.
Ultimately, ASR rules cannot be filtered by user. My guess here is that the obfuscation rule is blocking their execution though. Can you test flipping that?
You are correct the obfuscation rule is the one blocking SCCM Scripts.
With that confirmation, can we exempt SCCM but have other scripts blocked?
Yes, more or less. You can exclude %windir%\CCM\ScriptStore from the policy. Users don't have permissions to this folder so I wouldn't consider this a tangible risk.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
@berketjune2012 Thanks for posting in our Q&A.
we can use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. On the Scope Groups page, select the groups containing the users that you want to prevent running PowerShell scripts.
Please refer to: https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I have a group to which this policy is assigned to. It works fine and blocks powershell.
The issue is, because its blocked, SCCM can not exectur powershell scripts when we need to push something out to the endpoints.
How can we create an exception for SCCM but still have it blocked for the end user?
Can we exclude the service account SCCM uses?
@berketjune2012 I think we can try your proposal, exclude the service account SCCM uses, and see if it works.
ConfigMgr doesn't have or use any service accounts and that's not how policies work in Intune.