Summary
Table of Contents
- Windows 365 will change the default PowerShell execution policy applied to Cloud PCs during provisioning to RemoteSigned at the LocalMachine scope.
- This affects organizations that run unsigned downloaded PowerShell scripts on Cloud PCs or that enforce a stricter MachinePolicy (for example AllSigned) via Intune or Group Policy, which can cause provisioning/resize/restore failures.
- Admins should inventory any automation that downloads/runs scripts post-provisioning, sign remotely sourced scripts, and audit execution policy settings deployed by Intune/GPO (MachinePolicy scope).
- Test changes in a pilot tenant/Cloud PC pool, verify CSE scripts and provisioning complete successfully, and confirm ANC/health checks after applying policy changes.
- No direct end user experience changes are expected if admins act; unsigned downloaded scripts may fail otherwise.
Primary Service: Windows 365
Admin Impact: High
User Impact: Low
Release Start: 01 Jul 2026
Release End: 01 Jul 2026
Services: Intune, PowerShell, Windows, Windows 365
Category: Plan for change
Tags: Admin Action, User Adoption
History
6/5/2026 Item Added to Message Center
Microsoft Message
What and Why
Starting in early July 2026, Windows 365 will update the default PowerShell execution policy applied to Cloud PCs during provisioning to RemoteSigned at the LocalMachine scope.
This improves security by requiring downloaded scripts to be digitally signed, while allowing locally created scripts and Windows 365 provisioning scripts to run as expected.
This is a change to default OS configuration, should not impact end users, and only affects which PowerShell scripts can be run on Cloud PCs.
Rollout Schedule
Rollout will begin in early July 2026.
Impact on Your Organization
Who is affected
- This affects your organization only if you run unsigned downloaded PowerShell scripts on Cloud PCs after provisioning.
What will happen
Admin impact:
- Windows 365 will set the PowerShell execution policy to RemoteSigned at the LocalMachine scope during provisioning. This allows locally created and Custom Script Extension (CSE) scripts to run, while requiring downloaded scripts to be signed.
- Unsigned downloaded scripts will be blocked when run outside the provisioning process.
- CSE scripts during and after provisioning continue to run under the RemoteSigned policy.
- If admins have set the execution policy on Cloud PCs to AllSigned through Intune or Group Policy (MachinePolicy), it can override this default and cause provisioning, resize, or restore operations to fail.
User impact: No direct user impact is expected.
Action Required/Recommendations
To prepare for the execution policy change:
- Inventory downloaded scripts — Identify any automation that downloads and runs PowerShell scripts post Cloud PC provisioning.
- Sign remote scripts — Ensure all remotely sourced scripts are signed with a trusted certificate.
- Review Group Policy/Intune — Audit execution policy at MachinePolicy scope. If set to AllSigned, consider changing to RemoteSigned to avoid provisioning failures.
- Confirm ANC health checks — Verify health checks pass after applying the change.
If no action is taken:
- If your organization relies on unsigned downloaded scripts after provisioning, they may fail to run under the updated policy.
- If a stricter execution policy such as AllSigned is enforced through Intune or Group Policy, provisioning and related operations may fail.
Learn more: Automated provisioning steps | Windows 365 Enterprise | Windows 365 | Microsoft Learn
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.