How Can I Restrict Unsigned PowerShell Scripts for Non-Admin Users Using Intune?

If you want thorough control, consider setting your scripts to AllSigned via GPO or Configuration Policy. With AllSigned, every script needs to be signed by a trusted certificate before it can run, whether written locally or downloaded. Also, thinking about an AppLocker policy can handle multiple security needs simultaneously. Just remember, if you have a hybrid setup, GPO management might be far easier than relying on Intune.

Execution policies in PowerShell aren't really a big wall for security; they're more like a safety net. Any user can easily change their execution policy, so it's not foolproof. Instead, you should look into using AppLocker or Windows Defender Application Control (WDAC) to enforce that only signed PowerShell scripts can run. This way, you can set up a more secure environment with stricter controls.

For broader deployment, check out group policy options in Intune. Setting the execution policy to RemoteSigned provides a good level of security for everyone. But honestly, managing Intune by yourself can be really overwhelming. Make sure you have multiple admins to help manage it effectively.

Honestly, trying to enforce these policies can feel like a pointless task. Certain commands can't be blocked, and people can still execute entire scripts through methods like invoke-expression. Just keep in mind, signature checks don't cover everything.

Just a heads up, if you copy and paste code into a new window and run it, you might bypass the script restrictions because they typically apply to saved ps1 files instead of direct commands. That's the key difference with RemoteSigned policies.