Changing the PowerShell execution Policy before running a script.

    Question

  • I have been using the "powershell -executionpolicy bypass" option in task sequences, applications, and programs when I want to deploy an installer or make some changes via powershell.  Is this a security risk?  Do I need to do something like:

    $oldpolicy = get-executionpolicy

    set-executionpolicy $oldpolicy

    Or does changing the execution policy just change it for that instance?

    Tuesday, January 07, 2014 8:11 PM

Answers

  • If you call "powershell.exe -executionpolicy Bypass", then only this powershell process is running with this execution policy.

    You can set the execution policy on various scopes (Process, CurrentUser, LocalSystem, UserPolicy, MachinePolicy) with the Set-ExecutionPolicy command. It's persistent only if you set the execution level for a scope other than Process.

    Most of my customers use the method you already use, specifying the policy with the -ExecutionPolicy parameter. Some of them run a lot of scripts on test machines manually. There they set the execution policy with the following command:

    powershell.exe -command Set-ExecutionPolicy -ExecutionPolicy Bypass -Force -Scope LocalMachine



    Cheers,

    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 07, 2014 10:25 PM
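
A read-only check of the scoping behaviour described in the answer above, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later; the helper name `Get-PolicyTable` is hypothetical. It starts a child process with `-ExecutionPolicy Bypass`, confirms that no scope changed for the calling session, and flags persistent scopes that already allow unsigned scripts.

```powershell
# Added example, not from the thread. Changes no persistent setting.

function Get-PolicyTable {
    # Snapshot every scope as Scope -> ExecutionPolicy (hypothetical helper)
    $table = [ordered]@{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $table[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    $table
}

$before = Get-PolicyTable

# Child process started the same way as in the task sequence.
# It reports its own Process-scope policy and its effective policy.
# If MachinePolicy or UserPolicy is set by Group Policy, the effective
# value is the Group Policy one, because those scopes take precedence.
$cmd = "'{0}|{1}' -f (Get-ExecutionPolicy -Scope Process), (Get-ExecutionPolicy)"
$child = powershell.exe -NoProfile -ExecutionPolicy Bypass -Command $cmd
$childProcessScope, $childEffective = ([string]$child).Trim() -split '\|'

$after = Get-PolicyTable

# Scopes whose value differs for the calling session after the child exited
$changed = foreach ($scope in $before.Keys) {
    if ($before[$scope] -ne $after[$scope]) { $scope }
}

# Persistent, non-Group-Policy scopes that allow unsigned scripts
$weak = 'Bypass', 'Unrestricted'
$persistentWeak = foreach ($scope in 'CurrentUser', 'LocalMachine') {
    if ($weak -contains $after[$scope]) { "$scope=$($after[$scope])" }
}

[pscustomobject]@{
    ChildProcessScope   = $childProcessScope
    ChildEffective      = $childEffective
    ParentScopesChanged = if ($changed) { $changed -join ',' } else { 'none' }
    PersistentWeak      = if ($persistentWeak) { $persistentWeak -join ',' } else { 'none' }
}
```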

All replies

  • You can also control the execution policy using client settings within ConfigMgr or Group Policy, or better yet, sign your scripts.

    Jason | http://blog.configmgrftw.com

    Tuesday, January 07, 2014 11:51 PM
    Moderator
  • Thanks for clarifying, Thomas.  I just wanted to make sure I wasn't inadvertently opening up a security hole.
    Thursday, January 16, 2014 7:57 PM