Windows 365: PowerShell execution policy change during Cloud PC provisioning

🚨 The Signal: Windows 365 will enforce a 'RemoteSigned' PowerShell execution policy on Cloud PCs during provisioning. This enhances security by blocking unsigned downloaded scripts, while allowing trusted local and provisioning scripts to run, reducing malware risk.

The Impact

Admins who run unsigned downloaded PowerShell scripts on Cloud PCs are affected and face a higher risk of script execution failures.

  • Cloud PC admins: Unsigned downloaded scripts will be blocked, potentially disrupting automation.
  • Security teams: Reduced risk from malicious unsigned scripts on Cloud PCs.
  • IT operations: Existing Intune/GP policies for PowerShell execution may conflict, causing provisioning failures.

The Action

  1. Review all PowerShell scripts downloaded and used on Cloud PCs for digital signatures.
  2. Digitally sign any unsigned downloaded PowerShell scripts intended for use on Cloud PCs.
  3. Verify Intune or Group Policy settings for PowerShell execution policy do not conflict with 'RemoteSigned' at LocalMachine scope.
  4. If Intune/GP sets 'AllSigned', ensure all provisioning and CSE scripts are signed to prevent failures.
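
One way to carry out the review in steps 1 to 4 on a Cloud PC, as an added example rather than Microsoft's own tooling: it lists the execution policy at each scope, flags Group Policy scopes that override LocalMachine, and reports which scripts each policy would block. The folder `C:\Scripts` is an assumed location, and the download check assumes NTFS, where the `Zone.Identifier` stream is stored.

```powershell
# Added example. $ScriptRoot is an assumed location; change it to your script folder.
param([string]$ScriptRoot = 'C:\Scripts')

# Policy at every scope. MachinePolicy/UserPolicy are set by Group Policy
# and take precedence over the LocalMachine scope.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table Scope, ExecutionPolicy -AutoSize | Out-Host

$override = $policies | Where-Object {
    "$($_.Scope)" -in 'MachinePolicy', 'UserPolicy' -and
    "$($_.ExecutionPolicy)" -ne 'Undefined'
}
foreach ($o in $override) {
    Write-Warning "$($o.Scope) sets $($o.ExecutionPolicy); it overrides LocalMachine."
}
$allSigned = [bool]($override | Where-Object { "$($_.ExecutionPolicy)" -eq 'AllSigned' })

# Classify each script: downloaded (mark of the web) and signature status.
$report = Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    # Zone.Identifier is the NTFS alternate data stream written on download;
    # ZoneId 3 (Internet) and 4 (Restricted sites) count as remote.
    $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $downloaded = [bool]($zone -match '^ZoneId=[34]\s*$')
    $valid      = $sig.Status -eq 'Valid'

    [pscustomobject]@{
        Script              = $_.FullName
        Downloaded          = $downloaded
        Signature           = $sig.Status
        Signer              = $sig.SignerCertificate.Subject
        BlockedRemoteSigned = $downloaded -and -not $valid
        BlockedAllSigned    = -not $valid
    }
}

$report | Sort-Object BlockedRemoteSigned -Descending | Format-Table -AutoSize | Out-Host

# Under AllSigned every script needs a valid signature, not only downloaded ones.
$needSigning = if ($allSigned) {
    $report | Where-Object BlockedAllSigned
} else {
    $report | Where-Object BlockedRemoteSigned
}
"{0} script(s) need a valid signature before use." -f @($needSigning).Count
```

Scripts the report flags can be signed with `Set-AuthenticodeSignature` using a code-signing certificate that the Cloud PCs trust.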

Domain: Intune · Impact: medium · Workload: Other · Essential Eight: Application Control · ISM: ISM-0843, ISM-1490, ISM-1544, ISM-1582, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1870, ISM-1871