How to Run an Unsigned PowerShell Script at Startup with Group Policy

In a company, when administering a large number of machines, it quickly becomes essential to be able to run PowerShell scripts on users' computers.

Here, I'll show you how to run an unsigned PowerShell script on the computers of domain users in order to remove built-in applications.

Create a .bat file

Create a remove_appx.bat file and put it in the netlogon share folder.

Screenshot of the NETLOGON scripts folder showing a batch file named remove_appx.bat.

    @echo off
    REM Delete the PowerShell script
    del c:\windows\temp\remove_appx.ps1
    REM Copy the PowerShell script to the Temp folder
    copy \\shebangthedolphins.net\netlogon\SCRIPTS\remove_appx.ps1 c:\windows\temp\ /Z /Y
    REM Run the PowerShell script
    %windir%\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File c:\windows\temp\remove_appx.ps1
    REM Delete the PowerShell script
    del c:\windows\temp\remove_appx.ps1

  • What will this .bat file do?
    • Copy the PowerShell script to the Temp folder
    • Run the PowerShell script
    • Delete the PowerShell script

Create PowerShell script file

Next, we need to create our remove_appx.ps1 file in the netlogon share folder.

Screenshot of the NETLOGON scripts folder showing both remove_appx.bat and remove_appx.ps1 files.

    Set-Content -Path 'C:\std_rocks.txt' -Value 'OK' #check if the script has been executed
    Get-AppxPackage -AllUsers | ? { $_.Name -match "3dbuilder" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsalarms" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "windowscommunicationsapps" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "windowscamera" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "officehub" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "skypeapp" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "getstarted" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "zunemusic" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsmaps" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "solitairecollection" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "bingfinance" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "zunevideo" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "bingnews" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "people" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.People" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsphone" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "bingsports" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "soundrecorder" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "bingweather" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "xboxapp" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "MixedReality" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "hub" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "YourPhone" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.OneConnect" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxGamingOverlay" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "twitter" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "candycrush" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "gethelp" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "messaging" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "3Dviewer" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "LinkedInforWindows" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.RemoteDesktop" } | Remove-AppxPackage -AllUsers
    #XBOX
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.Xbox.TCUI" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxGameOverlay" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxIdentityProvider" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxSpeechToTextOverlay" } | Remove-AppxPackage -AllUsers
    Get-AppxPackage -AllUsers | ? { $_.Name -match "xbox" } | Remove-AppxPackage -AllUsers
    foreach ($app in $(Get-AppxPackage -AllUsers | ? { $_.Name -match "xbox" })) { $app | Remove-AppxPackage -AllUsers }
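
Startup scripts run under the Local System account, and this one is unsigned and launched with -ExecutionPolicy Bypass, so the permissions on the files in NETLOGON are the only control over what gets executed. The audit below is an added example, not part of the original article; the set of principals expected to hold write access (SYSTEM, Administrators, Domain Admins, Enterprise Admins) is an assumption to adjust for your domain.

```powershell
# Added example, not from the original article: report principals other than
# the expected administrators that can modify the startup scripts.
$ScriptDir = '\\shebangthedolphins.net\netlogon\SCRIPTS'   # share path used in the article
$Targets   = $ScriptDir, "$ScriptDir\remove_appx.bat", "$ScriptDir\remove_appx.ps1"

# Rights that allow changing content, replacing or deleting files, or editing the ACL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-ExpectedWriter {
    param([string]$Sid)
    # Assumption: SYSTEM, BUILTIN\Administrators, Domain Admins (-512), Enterprise Admins (-519).
    ($Sid -in 'S-1-5-18', 'S-1-5-32-544') -or ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(512|519)$')
}

function Get-UnexpectedWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the ACL, so check it as well.
    $owner = $acl.GetOwner($sidType).Value
    if (-not (Test-ExpectedWriter $owner)) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Rights = 'Owner' }
    }

    # Request SIDs so renamed or unresolvable accounts still compare correctly.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags -match 'InheritOnly') { continue }   # ACE does not apply to this object
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if (Test-ExpectedWriter $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{ Path = $Path; Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
    }
}

$findings = @($Targets | ForEach-Object { Get-UnexpectedWriter -Path $_ })
if ($findings.Count) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'Only the expected principals can modify the startup scripts.'
}
```

This reads NTFS permissions only; share-level permissions on NETLOGON are not covered.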

Create a Group Policy Object

  • Open the Active Directory Users and Computers console:
Screenshot of the Windows Run dialog box with dsa.msc command entered, showing administrative privileges.
  • Move the computers to an OU (Organizational Unit):
Screenshot of Active Directory Users and Computers with the Workstations folder selected, showing a computer named PC01.
  • Open the Group Policy Manager:
Screenshot of the Windows Run dialog box with gpmc.msc command entered, ready to open Group Policy Management Console.
  • Create a GPO:
Screenshot of Group Policy Management showing the option to create and link a new GPO in the domain.
  • Give the new GPO a name:
Screenshot of the New GPO dialog box with 'Run - PowerShell Script' as the name and no Source Starter GPO selected.
  • Edit the GPO:
Screenshot of the context menu in Group Policy Management with the 'Edit' option highlighted for the 'Run - PowerShell Script' GPO.
  • Go to Computer Configuration > Policies > Windows Settings > Scripts > Startup > Right click > Properties:
Screenshot of the Group Policy Management Editor showing the 'Startup' script with the 'Properties' option highlighted.
  • Stay on the Scripts tab, and click on the Add... button:
Screenshot of the Startup Properties dialog box with an arrow pointing to the 'Add' button for adding a new script.
  • Click on the Browse… button:
Screenshot of the Add a Script dialog box with an arrow pointing to the 'Browse' button for selecting a script.
  • Navigate to the NETLOGON share and select the .bat script:
Screenshot of the file browser dialog showing the NETLOGON scripts folder with remove_appx.bat selected and the Open button highlighted.
  • Click on OK:
Screenshot of the Add a Script dialog box with an arrow pointing to the 'OK' button to confirm the script path.

From the user computer

Let's check that the policy has been applied.

  • First restart the computer, then open an administrator command prompt and run this command:
C:\WINDOWS\system32>gpresult /z /scope computer
  • In the Startup Scripts section, check that the GPO name is visible:
Screenshot of the Resultant Set of Policies for Computer showing details of the executed startup script remove_appx.bat.
  • You can also check that the file c:\std_rocks.txt has been created (it is written by the first line of the PowerShell script: Set-Content -Path 'C:\std_rocks.txt' -Value 'OK'):
Screenshot of the Local Disk (C:) directory showing a text document named std_rocks.txt highlighted.
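
The marker file only shows that the script ran at some point. The following check is an added example, not part of the original article: it confirms the marker was written since the last boot and lists packages that still match the script's patterns. It assumes an elevated PowerShell session on the client and read access to the script in NETLOGON.

```powershell
# Added example, not from the original article. Run elevated on the client after the restart.
$ScriptOnShare = '\\shebangthedolphins.net\netlogon\SCRIPTS\remove_appx.ps1'  # path used in the article
$Marker        = 'C:\std_rocks.txt'                                            # written by the script's first line

function Get-TargetPattern {
    param([string]$Path)
    # Collect every pattern the script uses in the form: $_.Name -match "pattern"
    Select-String -LiteralPath $Path -Pattern '-match\s+"([^"]+)"' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique
}

function Test-RanThisBoot {
    param([string]$MarkerPath)
    if (-not (Test-Path -LiteralPath $MarkerPath)) { return $false }
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    # Set-Content rewrites the marker on every run, so its timestamp tracks the latest run.
    (Get-Item -LiteralPath $MarkerPath).LastWriteTime -ge $boot
}

function Get-RemainingPackage {
    param([string[]]$Pattern)
    $installed = Get-AppxPackage -AllUsers
    foreach ($p in $Pattern) {
        $installed | Where-Object { $_.Name -match $p } |
            Select-Object @{ n = 'Pattern'; e = { $p } }, Name, PackageFullName
    }
}

$patterns  = @(Get-TargetPattern -Path $ScriptOnShare)
$remaining = @(Get-RemainingPackage -Pattern $patterns | Sort-Object PackageFullName -Unique)

"Marker written since last boot: $(Test-RanThisBoot -MarkerPath $Marker)"
"Patterns found in script:       $($patterns.Count)"
"Packages still matching:        $($remaining.Count)"
$remaining | Format-Table -AutoSize
```

The Pattern column shows one expression that matched each remaining package, which makes it easy to see what short patterns such as "hub" or "people" actually select.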
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.