MC1381113: Windows 365: PowerShell execution policy change during Cloud PC provisioning
Starting July 2026, Windows 365 will set the PowerShell execution policy to RemoteSigned on Cloud PCs during provisioning, enhancing security by requiring downloaded scripts to be signed. Unsigned downloaded scripts may be blocked, and stricter policies like AllSigned can cause provisioning failu...
[What and Why]
Starting in early July 2026, Windows 365 will update the default PowerShell execution policy applied to Cloud PCs during provisioning to RemoteSigned at the LocalMachine scope.
This improves security by requiring downloaded scripts to be digitally signed, while allowing locally created scripts and Windows 365 provisioning scripts to run as expected.
This is a change to default OS configuration, should not impact end users, and only affects which PowerShell scripts can be run on Cloud PCs.
[Rollout Schedule]
- Rollout will begin in early July 2026.
[Impact on Your Organization]
Who is affected
This affects your organization only if you run unsigned downloaded PowerShell scripts on Cloud PCs after provisioning.
What will happen
Admin impact:
- Windows 365 will set the PowerShell execution policy to RemoteSigned at the LocalMachine scope during provisioning. This allows locally created and Custom Script Extension (CSE) scripts to run, while requiring downloaded scripts to be signed.
- Unsigned downloaded scripts will be blocked when run outside the provisioning process.
- CSE scripts during and after provisioning continue to run under the RemoteSigned policy.
- If admins have set the execution policy on Cloud PCs to AllSigned through Intune or Group Policy (MachinePolicy), it can override this default and cause provisioning, resize, or restore operations to fail.
- User impact: No direct user impact is expected.
[Action Required/Recommendations]
To prepare for the execution policy change:
- Inventory downloaded scripts — Identify any automation that downloads and runs PowerShell scripts post Cloud PC provisioning.
- Sign remote scripts — Ensure all remotely sourced scripts are signed with a trusted certificate.
- Review Group Policy/Intune — Audit execution policy at MachinePolicy scope. If set to AllSigned, consider changing to RemoteSigned to avoid provisioning failures.
- Confirm ANC health checks — Verify health checks pass after applying the change.
If no action is taken:
- If your organization relies on unsigned downloaded scripts after provisioning, they may fail to run under the updated policy.
- If a stricter execution policy such as AllSigned is enforced through Intune or Group Policy, provisioning and related operations may fail.
Learn more: Automated provisioning steps | Windows 365 Enterprise | Windows 365 | Microsoft Learn
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.