PowerShell Execution Policy

You have just found the perfect script online to take care of that weird, overly complex thing your boss asked you to do.  You have combed through the code to make sure nothing dodgy is hidden in there and modified it to fit your environment.  You launch the PowerShell command shell and run the script only to be greeted with some lovely red lettering informing you that your script is not digitally signed.

This is the PowerShell execution policy at work.  From a security stand point its fantastic.  It prevents people from running malicious scripts they find on the internet.  A security measure sorely lacking with VBScripts and batch files.

From an IT admins standpoint it's a pain in the ass because it's standing between you and the completion of an annoying task that needs to go away so you can move onto the next project\fire\lunch.

For those of you in a rush here is the quick and dirty way around this.

  1. Open PowerShell as an administrator (The old right click and run as administrator).
  2. Enter "Set-ExecutionPolicy Unrestricted."
  3. Say "Yes" when asked if your sure.
  4. Now you can run your script all day long.

To check the settings took, perform the following.
  1. Launch the PowerShell console.
  2. Enter "Get-ExecutionPolicy -list."

This is most definitely a work-around and not something that should be considered the best way to solve this issue.

Now for those with a little more time on their hands, let's look at a nice way of taming this feisty little restriction.

PowerShell will let you choose between 6 different execution modes.
  • Restricted - This lets you run nothing.
  • AllSigned - If its been signed with a certificate it will run.  Anything not signed will not run
  • RemoteSigned - If it's from the internet it must be signed, otherwise it won't run.  If you write it in your editor of choice and save it, then it will run.
  • Unrestricted - Runs everything but will ask for confirmation if the script was downloaded from the internet.
  • Bypass - No restrictions or warnings.  Like the Vegas of PowerShell restrictions.  Anything goes.
  • Undefined - This just puts the execution policy into a limbo state.
I personally like remote signed option.  It gives the freedom of being able to write and run your own stuff with the protection of not allowing random people to download a script called "RunMeAndBeRich.ps1" from the internet and screw up your day.

But how do I configure my hundreds of machines I hear you ask.  Well, for that, we turn to our old friend group policy.  Using a GPO, we can configure the execution policy on a mass scale.

You will want to modify what ever policy controls all your workstations and the policy that controls all your servers....assuming you want this rolled out on a large scale of course.  

  1. Right click on your policy and click Edit.
  2. Expand Computer Configuration\Administrative Templates\Windows Components.
  3. Select the Windows PowerShell folder.
  4. In the right pane Double Click "Turn on Script Execution."
  5. Select Enable.
  6. Select one of the options from the Execution Policy drop down list.  See table below of explanation of the options.
  7. Click on and close the Group Policy Management Editor

GPO Drop Down Execution Policy
Allow only signed scripts AllSigned
Allow local scripts and remote signed scripts RemoteSigned
Allow all scripts Unrestricted


Job done.  All your machines are now protected from PowerShell internet nasties while still allowing you to take care of business with your masterfully written scripts.

Taking all of the above into account, I would still recommend signed scripts with a code signing certificate.  But that's for another day.

Comments

Post a Comment

Popular posts from this blog

Local Administrator Password Solution(LAPS)

Image
We have all come across it.  It's a problem as old as the computer itself.  Ever since those first few engineers sat around the PC and said, "Hey Frank, I can'y log in.  What's the password?"  I am of course talking about local admin passwords.  For what ever reason your local admin password will eventually leak out and when it does, it spreads quicker than rumors of free donuts in the break room. You may have combated this with a script that you run once a year that changes the local admin password.  The problem with this solution is that if a machine is turned off or remote then it won't get the script run against it.  You could put the script into a logon script but then your sticking a clear text version of the script onto your network somewhere. "Well, I just use GPO to deploy my passwords using Group Policy Preferences." I hear you say.  This I will agree was an excellent solution until https://technet.microsoft.com/en-us/library/se...
Read more

Error Connecting to Hyper-V Host

Image
Got yourself a Hyper-V host on a nice HP server and can't connect to it remotely from the Hyper-V manager?  You are not alone.  Assuming your error is something like the error below then I may be able to help. The WS-Management service cannot process the request.  The class Msvm_RegisteredProfile does not exist in the root/interop namespace. This has something to do with the HP tools messing with the registration of the MOF's.  All we need to do to fix it is register the MOF files.  To do this, open an administrative command prompt on the server and run the following command. MOFCOMP %SYSTEMROOT%\System32\WindowsVirtualization.V2.mof That will parse through the MOF file and register it on the system leaving you with the nice screenshot below. You should now be able to use your local Hyper-V console to connect to the server and manage away. As with anything you find on the Internet use this at your own risk.  Just because it...
Read more

MBAM Not BitLocking

Image
MBAM is installed,  group policies are set.  You install the MBAM client and nothing happens. First place to start is the Eventlog.  Open eventvwr.msc and browse through to ' Applications and Services Logs\Microsoft\Windows\MBAM' .  In my case I had 'TPM hardware is missing error' This was an easy one to sort out.  Just reboot, enter the BIOS and enable the TPM module.  Some manufacturers do offer tools to do this remotely so might be worth checking with your vendors on this one if you have a bunch of machines to do. Once the machine came back up it still wasn't encrypting the disk so back to the eventlog we go. This time I was presented with 'Unable to connect to the MBAM Recovery and Hardware service.  Access was denied by the remote endpoint.' For this one I started with checking access to the endpoint.  To do this open up regedit and browse to 'HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement' .  Copy...
Read more