PowerShell Execution Policy via Group Policy or Intune
Last updated: May 14, 2026
Recommended enterprise approach for allowing PowerShell scripts without lowering security more than needed
Summary: Yes, we can push PowerShell execution policy through either Group Policy or Intune. For most environments, I would not set everything to Bypass permanently. I would set the enterprise standard to RemoteSigned and only use Bypass at the process level when a specific deployment script needs it.
Recommended default: RemoteSigned
Temporary deployment override: Bypass using the Process scope only
Avoid: Unrestricted or Bypass as a permanent device-wide policy unless there is a very specific business reason
1. Best Policy Choice
Best practical setting: RemoteSigned
RemoteSigned allows locally created scripts to run, while requiring scripts downloaded from the internet to be signed by a trusted publisher. That gives us a good balance between operational flexibility and security control.
2. Push Through Group Policy
In Group Policy Management, configure the setting below:
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution
Set the policy to Enabled, then select "Allow local scripts and remote signed scripts". This maps to RemoteSigned.
The other available choices are useful to understand, but I would not use them as the default unless there is a strong reason:
| Group Policy option | PowerShell policy | Recommendation |
|---|---|---|
| Allow only signed scripts | AllSigned | Good for locked-down environments, but can create more operational overhead. |
| Allow local scripts and remote signed scripts | RemoteSigned | Best balanced enterprise option. |
| Allow all scripts | Unrestricted | Avoid as a permanent policy where possible. |
3. Push Through Intune
In Intune, use the Settings Catalog and configure the Windows PowerShell script execution policy:
Devices > Configuration > Create policy
Platform: Windows 10 and later
Profile type: Settings catalog
Search for "PowerShell" and use the setting Windows PowerShell > Turn on Script Execution. Configure it as follows:
Turn on Script Execution = Enabled
Execution Policy = Allow local scripts and remote signed scripts
That gives us the same practical result as setting the policy to RemoteSigned.
4. When to Use Bypass
Bypass should be used carefully. I would not set Bypass as the normal machine-wide policy. It is better used as a temporary process-level override for a specific deployment or remediation script.
For example, inside a one-time Intune script:
```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
```
Or when launching a script directly:
```powershell
powershell.exe -ExecutionPolicy Bypass -File .\script.ps1
```
This only affects the current PowerShell process and does not permanently lower the endpoint policy.
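The following is an added example, not part of the original guidance, that makes the scope behaviour above visible: it records the policy at every scope, applies a Process-scope Bypass, and shows that only the Process entry changed while LocalMachine is untouched. It also reports the caveat a practitioner will hit once the Group Policy or Intune setting from sections 2 and 3 is in force: MachinePolicy and UserPolicy take precedence over the Process scope, so the override is recorded but not effective on a managed device. The helper name Get-PolicyTable is an assumption of this example.

```powershell
# Added example (not the original guidance's code): show what a Process-scope
# Bypass does and does not change on the current machine.

function Get-PolicyTable {
    # Hypothetical helper: returns a hashtable of scope name -> policy string
    $table = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $table[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    return $table
}

$before = Get-PolicyTable

# MachinePolicy and UserPolicy (Group Policy / Intune) outrank the Process scope.
# If either is set, the Bypass below is stored for this session but overridden.
if ($before['MachinePolicy'] -ne 'Undefined' -or $before['UserPolicy'] -ne 'Undefined') {
    Write-Warning "A Group Policy / Intune execution policy is in force; a Process-scope Bypass will be overridden."
}

try {
    # Affects only this PowerShell process; nothing is written for LocalMachine.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Stop
}
catch {
    # Set-ExecutionPolicy reports an error when a higher-precedence policy overrides the change.
    Write-Warning "Process-scope Bypass was not applied as effective policy: $($_.Exception.Message)"
}

$after = Get-PolicyTable

# Side-by-side view: Process should change, LocalMachine should be identical.
[pscustomobject]@{
    ProcessBefore      = $before['Process']
    ProcessAfter       = $after['Process']
    LocalMachineBefore = $before['LocalMachine']
    LocalMachineAfter  = $after['LocalMachine']
    EffectivePolicy    = [string](Get-ExecutionPolicy)
} | Format-List
```

On an unmanaged test machine the output shows ProcessAfter = Bypass and LocalMachineAfter equal to LocalMachineBefore; on a device where section 2 or 3 has been applied, EffectivePolicy stays at RemoteSigned regardless of the Process entry, which is the enforcement behaviour we want.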
5. How to Verify the Effective Policy
On a machine, run:
Get-ExecutionPolicy -List
If the policy is being enforced correctly through Group Policy or Intune, you should see the setting applied at the MachinePolicy level, similar to this:
| Scope | ExecutionPolicy |
|---|---|
| MachinePolicy | RemoteSigned |
| UserPolicy | Undefined |
| Process | Undefined |
| CurrentUser | Undefined |
| LocalMachine | Undefined |
6. Recommended Cyrisma Standard
My recommended standard would be:
Default enterprise policy: RemoteSigned
Temporary deployment override: Bypass -Scope Process
Avoid as a permanent policy: Unrestricted or Bypass
This gives us the ability to run the scripts we need for endpoint management and automation, while still keeping reasonable controls in place for scripts that originate outside the machine.
7. Example Remediation Script
If we are not enforcing this through Settings Catalog or Group Policy, the following can be used as a simple remediation script:
```powershell
try {
    # Sets the local machine scope only; a Group Policy / Intune MachinePolicy value,
    # if present, still takes precedence over this setting.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force -ErrorAction Stop
    Write-Output "PowerShell execution policy set to RemoteSigned for LocalMachine."
}
catch {
    Write-Error "Failed to set execution policy: $($_.Exception.Message)"
    exit 1
}
```
However, if this is being enforced through Group Policy or Intune Settings Catalog, that is the better approach because it gives us consistent policy enforcement and easier auditability.
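As an added example that is not part of the original guidance, the script below is the detection half that pairs with the remediation script above and automates the verification described in section 5. Written in the shape Intune detection scripts expect, it exits 0 when the effective policy is RemoteSigned (or the stricter AllSigned) and 1 otherwise, so a non-compliant device triggers the remediation. It also reports whether enforcement is coming from the "Turn on Script Execution" policy (the EnableScripts and ExecutionPolicy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, which is where that ADMX setting is written) or only from the LocalMachine scope, which is the auditability point made above. The accepted-policy list is this example's assumption and should match the Cyrisma standard.

```powershell
# Added example (not the original guidance's code): Intune-style detection script.
# Exit 0 = compliant, exit 1 = non-compliant (remediation should run).

# Assumed acceptable values for our standard; AllSigned is stricter than RemoteSigned.
$acceptable = @('RemoteSigned', 'AllSigned')

# Registry location populated by the "Turn on Script Execution" Group Policy / Intune setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Collect the per-scope view (same data as Get-ExecutionPolicy -List in section 5).
$policies = @{}
foreach ($entry in Get-ExecutionPolicy -List) {
    $policies[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
}
$effective = [string](Get-ExecutionPolicy)

# Determine whether a managed policy (MachinePolicy) is the source of enforcement.
$enforcedByPolicy = $false
if (Test-Path -Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    if ($props.EnableScripts -eq 1 -and $props.ExecutionPolicy) {
        $enforcedByPolicy = $true
        Write-Output "Managed policy found: EnableScripts=1, ExecutionPolicy=$($props.ExecutionPolicy)"
    }
}

Write-Output ("Effective policy: {0} (MachinePolicy={1}, LocalMachine={2})" -f
    $effective, $policies['MachinePolicy'], $policies['LocalMachine'])

if ($acceptable -contains $effective) {
    if (-not $enforcedByPolicy) {
        # Compliant today, but only by a local setting that any admin can change.
        Write-Output "Compliant, but enforced locally only; prefer Group Policy or Intune Settings Catalog for auditability."
    }
    exit 0
}

Write-Output "Non-compliant: effective policy is $effective; remediation required."
exit 1
```

When the MachinePolicy value is present the remediation script will not be able to change the effective policy, and the detection output makes that explicit, so the device shows as compliant through the managed setting rather than through a local change.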
References
Microsoft, about_Execution_Policies: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies
Microsoft, Get-ExecutionPolicy: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-executionpolicy
Microsoft, Policy CSP ADMX PowerShell Execution Policy: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy
Confidence level: High