How to run unsigned PowerShell scripts on start up with Group Policy

It can be useful to be able to run unsigned PowerShell script through Group Policy.

Here we will see how to run PowerShell script on domain members machine in order to remove Built-In Applications. It works even with Standard Users, (Users which don't have Admin Rights).

Create .bat file

Create remove_appx.bat file inside netlogon share folder

remove_appx.bat script
del c:\windows\temp\remove_appx.ps1
copy \\shebangthedolphins.net\netlogon\SCRIPTS\remove_appx.ps1 c:\windows\temp\ /Z /Y
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File c:\windows\temp\remove_appx.ps1
del c:\windows\temp\remove_appx.ps1

This .bat will copy the PowerShell script to the Temp folder and Execute it. At the end, the ps1 file will be removed.

Create the PowerShell script file

Create remove_appx.ps1 file inside netlogon share folder

remove_appx.bat script
Set-Content -Path 'C:\remove_app.txt' -Value 'OK'	#check if the script has been executed
Get-AppxPackage -AllUsers | ? { $_.Name -match "3dbuilder" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsalarms" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "windowscommunicationsapps" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "windowscamera" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "officehub" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "skypeapp" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "getstarted" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "zunemusic" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsmaps" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "solitairecollection" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "bingfinance" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "zunevideo" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "bingnews" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "people" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.People" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "windowsphone" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "bingsports" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "soundrecorder" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "bingweather" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "xboxapp" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "MixedReality" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "hub" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "YourPhone" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.OneConnect" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxGamingOverlay" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "twitter" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "candycrush" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "gethelp" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "messaging" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "3Dviewer" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "LinkedInforWindows" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.RemoteDesktop" } | Remove-AppxPackage -AllUsers
#XBOX
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.Xbox.TCUI" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxGameOverlay" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxIdentityProvider" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "Microsoft.XboxSpeechToTextOverlay" } | Remove-AppxPackage -AllUsers
Get-AppxPackage -AllUsers | ? { $_.Name -match "xbox" } | Remove-AppxPackage -AllUsers
foreach ($app in $(Get-AppxPackage -AllUsers | ? { $_.Name -match "xbox" })) { $app | Remove-AppxPackage -AllUsers }

Create Group Policy Object

  • Open Active Directory Users and Computers :
Run Active Directory Users and Computers
  • Move Computers to OU (Organizational Unit) :
Run Active Directory Users and Computers
  • Open Group Policy Manager :
Run Group Policy Management Console
  • Create GPO :
Create a GPO
  • Give a name to the new GPO :
Give name to a GPO
  • Edit the GPO :
Edit a GPO
  • Go to Computer Configuration > Policies > Windows Settings > Scripts > Startup > Right click > Properties
Scripts Startup Properties GPO
  • Stay on Scripts tab, and click on Add... button :
Script Startup Properties
  • Click on Browse... button :
Add a script
  • Navigate to the NETLOGON share and select the .bat script :
Add a script
  • Click on OK
Add a script

From the computer

  • First restart the computer
  • Open an administrator command prompt and run this command :
C:\WINDOWS\system32>gpresult /z /scope computer
  • Check in Startup Scripts part that the script has been taken into account
Restart Windows 10 Computer
  • You can also check that the c:\toto.txt file has been created. (It's the first line of the PowerShell script)
Restart Windows 10 Computer
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :