How to Set PowerShell Execution Policy Using Intune and Group Policy

First, install the Group Policy Management Console (GPMC) on your administrative workstation. This tool is essential for creating and managing Group Policy Objects.

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

Alternatively, you can install RSAT tools through Settings:

1. Open Settings > Apps > Optional features
2. Click "Add an optional feature"
3. Search for "RSAT: Group Policy Management Tools"
4. Install the feature

Launch the Group Policy Management Console and create a new GPO specifically for PowerShell execution policy management.

gpmc.msc

Follow these steps in the GPMC:

1. Expand your domain in the left panel
2. Right-click on "Group Policy Objects"
3. Select "New" and name it "Set PowerShell Execution Policy"
4. Right-click the new GPO and select "Edit"

Navigate to the PowerShell policy settings:

1. Computer Configuration > Policies > Administrative Templates
2. Windows Components > Windows PowerShell
3. Double-click "Turn on Script Execution"

Configure the execution policy settings based on your organization's security requirements. The policy offers several options that map to PowerShell execution policy levels.

In the "Turn on Script Execution" dialog:

1. Select "Enabled"
2. Choose your execution policy from the dropdown:

For most enterprise environments, select "Allow local scripts and remote signed scripts" for balanced security.

# This is what the policy will effectively set
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

Click "Apply" then "OK" to save the configuration.

Link your GPO to the appropriate Organizational Unit (OU) to deploy the PowerShell execution policy to target computers.

Start with a test OU for validation:

1. In GPMC, right-click your test OU (e.g., "Test Computers")
2. Select "Link an Existing GPO"
3. Choose "Set PowerShell Execution Policy"
4. Click "OK"

Force policy application on test machines:

# Run on target computers
gpupdate /force

# Check policy application
gpresult /r | findstr "PowerShell"

Verify the execution policy is applied:

# Check current execution policy
Get-ExecutionPolicy

# Check all scopes to see policy hierarchy
Get-ExecutionPolicy -List

Expected output:

Scope          ExecutionPolicy
-----          ---------------
MachinePolicy  RemoteSigned
UserPolicy     Undefined
Process        Undefined
CurrentUser    Undefined
LocalMachine   Undefined

Access the Microsoft Endpoint Manager admin center to create an Intune configuration profile for PowerShell execution policy.

Navigate to https://endpoint.microsoft.com and sign in with your admin credentials.

1. Go to Devices > Configuration profiles
2. Click "Create profile"
3. Select Platform: "Windows 10 and later"
4. Profile type: "Templates" > "Administrative templates"
5. Name: "PowerShell Execution Policy - Intune"

Configure the policy settings:

1. Click "Configuration settings"
2. Search for "Turn on Script Execution"
3. Navigate to Computer Configuration > Windows Components > Windows PowerShell
4. Enable "Turn on Script Execution"
5. Select your desired execution policy (same options as GPO)

Assign your PowerShell execution policy configuration to specific device groups in your organization.

In the profile creation wizard:

1. Click "Assignments"
2. Under "Included groups", click "Add groups"
3. Select your target device groups (start with a pilot group)
4. Configure any exclusions if needed
5. Click "Next" to proceed

Create a test device group if you don't have one:

1. Go to Groups > All groups > New group
2. Group type: "Security"
3. Group name: "PowerShell-Policy-Pilot"
4. Membership type: "Assigned"
5. Add test devices as members

Complete the profile deployment:

1. Review your settings
2. Click "Create" to deploy the profile

As an alternative to configuration profiles, you can deploy PowerShell scripts directly through Intune to set execution policies.

Navigate to Devices > Scripts and remediations > Platform scripts:

1. Click "Add" > "Windows 10 and later"
2. Name: "Set PowerShell Execution Policy Script"
3. Description: "Sets RemoteSigned execution policy via script"

Create the PowerShell script:

# PowerShell script content
try {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    Write-Output "Execution policy set to RemoteSigned successfully"
    exit 0
} catch {
    Write-Error "Failed to set execution policy: $($_.Exception.Message)"
    exit 1
}

Configure script settings:

• Run this script using the logged on credentials: No
• Enforce script signature check: No
• Run script in 64-bit PowerShell: Yes

Assign to the same device groups as your configuration profile for testing.

Verify that your PowerShell execution policy is correctly applied across your test devices using both Group Policy and Intune methods.

On test devices, check policy application:

# Force Intune sync
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Check execution policy
Get-ExecutionPolicy -List

# Test script execution with a simple script
$testScript = @'
Write-Host "PowerShell execution policy test successful"
Get-Date
'@

$testScript | Out-File -FilePath "C:\temp\test.ps1" -Encoding UTF8
PowerShell.exe -File "C:\temp\test.ps1"

Verify policy precedence and conflicts:

# Check which policy source is active
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Check Group Policy application
gpresult /h C:\temp\gpresult.html

# Check Intune policy application
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" | Where-Object {$_.Message -like "*PowerShell*"}

Expected behavior: Group Policy (MachinePolicy scope) takes precedence over Intune policies when both are applied to the same device.

Implement monitoring and troubleshooting procedures to ensure your PowerShell execution policies are working correctly across your environment.

Monitor Group Policy application:

# Check GPO application on client
gpresult /r /scope:computer

# Generate detailed HTML report
gpresult /h C:\temp\gpo-report.html /scope:computer

# Check for Group Policy errors
Get-WinEvent -LogName "System" | Where-Object {$_.ProviderName -eq "Microsoft-Windows-GroupPolicy"}

Monitor Intune policy deployment:

1. In Endpoint Manager, go to Devices > Configuration profiles
2. Click your PowerShell policy profile
3. Review "Device status" and "User status" tabs
4. Check for any "Error" or "Conflict" statuses

Common troubleshooting commands:

# Force Group Policy refresh
gpupdate /force

# Restart Group Policy service
Restart-Service gpsvc

# Force Intune policy sync
Invoke-WmiMethod -Namespace root\cimv2\mdm\dmmap -Class MDM_EnterpriseModernAppManagement_AppManagement01 -MethodName UpdateScanMethod

# Check PowerShell event logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"}

After successful testing, deploy your PowerShell execution policy configuration to your production environment using a phased approach.

For Group Policy deployment:

1. Unlink the GPO from test OUs
2. Link to production OUs in phases (start with less critical systems)
3. Monitor for 24-48 hours between phases
4. Document any issues and rollback procedures

For Intune deployment:

1. Remove pilot device groups from assignments
2. Add production device groups gradually
3. Monitor deployment status in Endpoint Manager
4. Set up automated reporting for policy compliance

Create a rollback plan:

# Emergency rollback script for local execution
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force

# Verify rollback
Get-ExecutionPolicy -List

Set up ongoing monitoring:

# PowerShell script to check execution policy across multiple computers
$computers = Get-ADComputer -Filter * -SearchBase "OU=Production,DC=company,DC=com"

foreach ($computer in $computers) {
    try {
        $policy = Invoke-Command -ComputerName $computer.Name -ScriptBlock {Get-ExecutionPolicy} -ErrorAction Stop
        Write-Output "$($computer.Name): $policy"
    } catch {
        Write-Warning "Failed to check $($computer.Name): $($_.Exception.Message)"
    }
}