block unsigned scripts when using powershell -nop

A GPO was implemented to block execution of unsigned scripts but it looks like using powershell -noprofile bypasses this GPO. Anyone having suggestions/solutions/workarounds for this?



The -noprofile doesn’t do that; -ExecutionPolicy Bypass does.

This is how it is designed and cannot be blocked.

[pre]powershell.exe -ExecutionPolicy Bypass[/pre]

For more details visit Microsoft Docs

If there is a GPO set, then there is a reason behind it. I suggest you get it signed.

I think Bart's referring to Microsoft's security model when it comes to PowerShell.
Kiran’s Doc goes through set-executionpolicy to give some options.

The concern is anyone can bypass the GPO setting to lock down the shell.

There is realistically no work-around from the shell or GPOs for this.

There are only a couple of options available if you truly need to prevent code from being executed in the shell:
white-listing and black-listing of applications. Both approaches can result in rather large overhead to manage.

My approach to this has been to fully enable logging in our environment on any machine that supports it.
At least then we have detective controls, and a preserved history of all actions taken.

Here is a really good read about security in PowerShell for enterprise customers.

ExecutionPolicy does not stop anyone from running PS code.

15 Ways to Bypass the PowerShell Execution Policy

Its design is to prevent the normal or even user from hurting themselves accidentally. It is not, nor has it ever been, positioned as a security boundary.

If you are looking at securing your PS use cases, then think, code-signing, App restriction policies, constrained endpoints, Just Enough Admin, auditing and monitoring.
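The "fully enable logging" approach from the earlier reply, and the "auditing and monitoring" item above, as an added example that is not from any poster in this thread. It writes the same registry values the PowerShell logging GPO settings set (so a domain GPO will still win), must run elevated, and the transcript directory is an assumed value.

```powershell
# Added example: turn on PowerShell's own logging as a detective control,
# because the execution policy is not a security boundary. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: the de-obfuscated content of every script block
#    is written as Event ID 4104, whatever -ExecutionPolicy was used.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Module logging for all modules: pipeline execution details as Event ID 4103.
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
New-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Transcription: a text record of each session. The directory is an
#    assumed value; in production point it at a share users cannot modify.
$tr = Join-Path $base 'Transcription'
New-Item -Path $tr -Force | Out-Null
New-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $tr -Name OutputDirectory -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# Verify: run a harmless command in a fresh process with the policy bypassed,
# then show that its script block still landed in the Operational log.
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Write-Output 'logging-check'"
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 5 |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlock'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

Forward the Microsoft-Windows-PowerShell/Operational log (4103/4104) to your SIEM; the log is local and an administrator on the box can clear it.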