Execution policy

  • Question

  • Hello, 

    I have Win 2012 R2, execution policy is set to RemoteSigned. However, when I right-click a script and select Run with PowerShell, it asks for an execution policy change. The script is not downloaded from the internet, and inside there is nothing about an execution policy update.

    Anyway, if I press No or Yes, the script executes.

    What might this be?

    thx


    --------------------- Leos

    Tuesday, October 31, 2017 3:16 PM

Answers

  • Hello Albert,

    Well, the solution is to update the registry key

    HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"

    Either change AllSigned to RemoteSigned or remove this "Command" completely. Honestly, I don't know why the default setting is to try to bypass the system execution policy when right-clicking a script.

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ; & '%1'"

    This also works fine and it respects the system Execution policy.

    Leos


    --------------------- Leos

    • Marked as answer by Leoš Marek Tuesday, November 7, 2017 3:05 PM
    Monday, November 6, 2017 8:36 AM

All replies

  • You will have to do more troubleshooting to find the cause.  It sounds like your system has some issues.


    \_(ツ)_/

    Tuesday, October 31, 2017 3:31 PM
  • What kind of troubleshooting are we talking about? What would be the reason for a script trying to change the execution policy if there is nothing related to that inside the code?

    --------------------- Leos

    Tuesday, October 31, 2017 7:20 PM
  • Any Windows utility command that requires elevation will automatically ask for elevation.  If the PowerShell executable has been tagged in the shell as auto-elevate it will ask.  If there is malware that has hooked parts of the system it can force elevation.  There are likely many other hacks and breakages that can cause this.  You have to do basic troubleshooting to track it down.


    \_(ツ)_/

    Tuesday, October 31, 2017 8:33 PM
  • Hi Leos,

    I agree with jrv.

    Based on your situation, you may refer to the following steps to troubleshoot this issue:
    1. Is your server in the domain? If yes, please run gpresult /h result.html to see if there are any policies that configure the execution policy. If no, please run gpedit.msc and expand User Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution to check.
    2. Also, when opening PowerShell in different ways (for example, x86 and x64), the execution policies can differ; please run Get-ExecutionPolicy to confirm the current execution policy.
    3. In addition, please try running Set-ExecutionPolicy -ExecutionPolicy Unrestricted to see if the script runs properly.

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 1, 2017 2:08 AM
  • Unfortunately execution policy has nothing to do with elevation.  Elevation is a windows method that applies to executable files and has nothing to do with scripts.  Execution policy is not an issue here as the script runs after dismissing the challenge.  The script is not being blocked.

    My recommendations above are the only issues that need to be checked.


    \_(ツ)_/

    Wednesday, November 1, 2017 2:12 AM
  • Following our discussion - how does elevation go in line with the script asking for an execution policy change?

    Below are screens from today. You can see on the top that it's elevated.

    So the script is asking for an ExPol change (which is RemoteSigned by GPO). If I press No, the script continues.

    If the script is executed from an open PowerShell window, no message, just execution.

    Last screen with error, but the script is still running!

    I have observed that this behavior only happens when I right-click a script and select Run with PowerShell. If I open PowerShell separately and call the script there, no message/error at all.

    thx


    --------------------- Leos

    Thursday, November 2, 2017 7:51 PM
  • Why are you trying to change the execution policy in your script?  This is not how it is done.

    Please carefully read the error fully.  It tells you exactly why you are getting the error.  You cannot overcome this issue.  If Group Policy is setting a lower level you cannot override it.  We don't reset the policy in a script. It is set once per system and per user.  Once set it doesn't get set again.  Locally you cannot override higher level policies.


    \_(ツ)_/

    Thursday, November 2, 2017 8:17 PM
  • jrv, do you think I'm really that stupid? Why would I open such a thread on this forum if I had a code block in my script to change the execution policy?!

    It was myself who set RemoteSigned via GPO!

    Below is a code example of the failing script

    $ErrorActionPreference = "Stop"

    Write-Host "Configuring...." -ForegroundColor Cyan
    # Test for the variable before calling a method on it: with ErrorActionPreference = Stop,
    # ($env:sid).ToUpper() on a missing variable throws and the check below is never reached.
    $sid = if ($env:sid) { ($env:sid).ToUpper() }
    if ($sid) { Write-Host "SID==> $sid" -ForegroundColor Green }
    else { Write-Host "SID not identified, check SID variable which should already exist!!"; exit 1 }
    $VMname = ($env:COMPUTERNAME).ToLower()

    $XMLsource = Get-Content -Path "H:\FAURECIA_MII_INSTALLATION\30_SAP_NW-MII\NW75_SP05_Upgrade-V20generated\stackV20generated_AM2renamed.xml"

    try {
        # Replace the template host name and system ID in every line of the stack file
        $XMLsource = ($XMLsource).replace('eudrpmii0029', $VMname)
        $XMLsource = ($XMLsource).replace('AM2', $sid)
        $XMLsource | Set-Content -Path "H:\FAURECIA_MII_INSTALLATION\30_SAP_NW-MII\NW75_SP05_Upgrade-V20generated\stack.xml"
        Write-Host "stack.xml update done" -ForegroundColor Green
    }
    catch { Write-Host $($_.Exception.Message) }

    Write-Host "Press CTRL+C to END the script or press ENTER to open stack.xml in Notepad"
    pause

    notepad "H:\FAURECIA_MII_INSTALLATION\30_SAP_NW-MII\NW75_SP05_Upgrade-V20generated\stack.xml"

    Where do I do anything about the execution policy?

    As I already said, it only happens upon right-click/Run with PowerShell, not via an open PowerShell window and calling the script.


    --------------------- Leos


    • Edited by Leoš Marek Friday, November 3, 2017 4:50 AM
    Friday, November 3, 2017 4:50 AM
  • You need to post the complete error message as text and not a picture of a bunch of screens that seem to have nothing to do with each other.

    In order for anyone to understand what you are asking about you need to give clear and accurate information.  A group of screens with almost no code on them is not helpful.


    \_(ツ)_/

    Friday, November 3, 2017 5:08 AM
  • OK - now you have the code. Enlighten me: where am I trying to change the execution policy?

    Besides, if I did so, the behavior would be the same for right-clicking the script or calling it from a PowerShell window, which it is not.


    --------------------- Leos

    Friday, November 3, 2017 5:33 AM
  • Please post the exact error message you are seeing.

    \_(ツ)_/

    Friday, November 3, 2017 5:34 AM
  • When you right-click, it doesn't automatically Run as Administrator.

    Just right-click PowerShell and open it; you will see it will not show Administrator on top.


    Thanks & Regards Ramandeep Singh

    Friday, November 3, 2017 5:44 AM
  • Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
    a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective
    execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
    information please see "Get-Help Set-ExecutionPolicy".
    At line:1 char:46
    + ...  -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'H ...
    +                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
        + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
    Is this enough?

    --------------------- Leos

    Friday, November 3, 2017 7:10 AM
  • OK here is the thing.

    Even under my Domain account (administrator on the server) I get this:

    PS C:\Users\0marekleo> get-executionpolicy -list

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy    RemoteSigned
       UserPolicy    RemoteSigned
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

    CurrentUser Undefined.

    My GPO says to define RemoteSigned on the Machine level. Should the same be defined under the User Configuration part?


    --------------------- Leos

    Friday, November 3, 2017 7:22 AM
  • And one question still remains. Why does it only happen upon right-click and not when I open a PowerShell window manually and call the script? :/

    --------------------- Leos

    Friday, November 3, 2017 7:24 AM
  • If you would read carefully you would see I have UAC off and all of the screens show Administrator on top.

    --------------------- Leos

    Friday, November 3, 2017 7:31 AM
  • Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
    a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective
    execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
    information please see "Get-Help Set-ExecutionPolicy".
    At line:1 char:46
    + ...  -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'H ...
    +                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
        + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
    Is this enough?

    --------------------- Leos

    The error message clearly states that you cannot override the current policy.  Again - why are you executing this set of the policy?

    You are executing this command:

    Set-ExecutionPolicy -Scope Process Bypass

    You cannot override the "RemoteSigned" policy with a looser policy and "Bypass" is less restrictive than RemoteSigned.  Why would you want "Bypass" when you already have "RemoteSigned"?  That doesn't make any sense.  Setting bypass inside a script cannot cause a bypass.  YOU would need to be an administrator running elevated and set the policy when starting PowerShell

    powershell -ExecutionPolicy Bypass ...

    Do you see how that works?

    "Bypass" is most often misused assuming it will override the current policy but it can only be used by an elevated administrator and on the commandline.


    \_(ツ)_/

    Friday, November 3, 2017 7:44 AM
  • If you would read carefully you would see I have UAC off and all of the screens show Administrator on top.

    --------------------- Leos

    You still cannot set the process policy lower than the system setting.  You can on a command line but not from within the script.


    \_(ツ)_/

    Friday, November 3, 2017 7:45 AM
  • Please show me a line in the script block I posted you where it says 

    Set-ExecutionPolicy -Scope Process Bypass

    !!!!

    This has to be done by the system itself upon the action of right-clicking the script and selecting Run with Powershell.


    --------------------- Leos

    Friday, November 3, 2017 7:50 AM
  • OK here is the thing.

    Even under my Domain account (administrator on the server) I get this:

    PS C:\Users\0marekleo> get-executionpolicy -list

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy    RemoteSigned
       UserPolicy    RemoteSigned
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

    CurrentUser Undefined.

    My GPO says to define RemoteSigned on Machine level. Should the same be defined under User Configuration part?


    --------------------- Leos

    Another thing that is clear.  The "MachinePolicy" can only be set via Group Policy.  It cannot be overridden by a local admin even if the admin is elevated.

    Sorry I missed that earlier.


    \_(ツ)_/

    Friday, November 3, 2017 7:50 AM
  • Please show me a line in the script block I posted you where it says 

    Set-ExecutionPolicy -Scope Process Bypass

    !!!!

    This has to be done by the system itself upon the action of right-clicking the script and selecting Run with Powershell.


    --------------------- Leos


    Apparently you are not executing the script you think you are executing.  Perhaps it is in one of the profiles.

    \_(ツ)_/

    Friday, November 3, 2017 7:52 AM
  • Notice also that your error says "At line:1 char:46"


    \_(ツ)_/

    Friday, November 3, 2017 7:54 AM
  • Sorry, your way of talking to people like they are totally retarded and don't know what they do is totally nonconstructive.

    Doing this

    leads to this:

    Please bring something useful instead of telling me how I cant control my actions.


    --------------------- Leos

    Friday, November 3, 2017 7:58 AM
  • The same thing appears when my script is one line with the word "pause"

    At line:1 char:46


    --------------------- Leos

    Friday, November 3, 2017 8:01 AM
  • The point is that I cannot help you.  You have a line in a script or profile, or your context menu item has been altered to run a different script before it executes your script.  You have to do some work and track that down. Complaining about it and me will not help you to find the answer.

    Start by tracking down the context menu definition and verify that it is correct and look in ALL profiles to see if it is in a profile.

    The rest is up to you.


    \_(ツ)_/

    Friday, November 3, 2017 8:04 AM
  • Look here: HKEY_CLASSES_ROOT\Directory\shell\Powershell\command

    It should only have:

    default = powershell.exe -noexit -command Set-Location '%V'


    \_(ツ)_/

    Friday, November 3, 2017 8:10 AM
  • I don't have such a key. The key I have is

    HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"

    2 VMs with different behavior (key is the same on both):

    First VM (Policy not defined by GPO - default settings)

    PS C:\Users\Administrator> get-executionpolicy -list

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

    NO ISSUE!

    Second VM (defined by GPO):

    PS C:\Users\Administrator> get-executionpolicy -list

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy    RemoteSigned
       UserPolicy    RemoteSigned
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

    ISSUE HERE!

    Doesn't make sense. Even in the first VM I don't have AllSigned (like the cmd says) but no error shows.


    --------------------- Leos


    • Edited by Leoš Marek Friday, November 3, 2017 8:23 AM
    Friday, November 3, 2017 8:22 AM
  • BTW - it seems like the default setting for Windows 2012 R2. I just deployed a new VM from a clean ISO and the key says the same.

    --------------------- Leos

    Friday, November 3, 2017 8:24 AM
  • Something has altered your systems.  You need to find out why the shell menu has been changed.

    The menu item is trying to force a bypass if the policy is not AllSigned.  It looks very suspicious unless you have installed some software that thinks it needs this.

    You will have to troubleshoot this. 


    \_(ツ)_/

    Friday, November 3, 2017 8:29 AM
  • What you say is not true.

    New VM en_windows_server_2012_r2_x64_dvd_2707946.iso 

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"

    BTW the command you posted -

    default = powershell.exe -noexit -command Set-Location '%V'

    Ends up with Set-Location : Cannot find path 'C:\test.ps1' because it doesnt exist.

    When I right-click test.ps1 in C:\


    --------------------- Leos

    Friday, November 3, 2017 8:32 AM
  • Works fine on my systems and it is the default shell command for PowerShell.

    \_(ツ)_/

    Friday, November 3, 2017 8:35 AM
  • OK, and we are back where we were. You say it works for you and it's the default. You don't read what I type. I have 2008 R2, 2012 R2, they all say

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "%1" "-Command" "if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }"

    after clean installation.

    I'm just downloading the latest ISO from MSDN and will check the key when it's deployed.


    --------------------- Leos


    • Edited by Leoš Marek Friday, November 3, 2017 8:39 AM
    Friday, November 3, 2017 8:39 AM
  • Ok.  I checked on 2012 and the newer launch method is the same as yours but all of my VMs that I have checked have no issues launching a script.  You will have to look elsewhere for the cause.


    \_(ツ)_/

    Friday, November 3, 2017 8:43 AM
  • Sorry, it's a picture; I don't have copy/paste enabled in vSphere for this VM.


    --------------------- Leos

    Friday, November 3, 2017 8:43 AM
  • Yes, I will continue to look around.

    Finally we got some agreement. Thanks for the hint with the regkey.


    --------------------- Leos

    Friday, November 3, 2017 8:44 AM
  • Did you check all 4 profiles?


    \_(ツ)_/

    Friday, November 3, 2017 8:46 AM
  • I have no PowerShell profiles at all on the server. The issue I have happens under the Administrator account, a new local account or a domain account.

    I'll do more tests and add my brand new VM to the domain and apply the GPO there to see if this is causing it.

    later... :)


    --------------------- Leos

    Friday, November 3, 2017 8:53 AM
  • OK, so here is the thing:

    - the default for 2012 R2 is RemoteSigned.

    - the registry key says to bypass the defined policy, unless it's set to AllSigned

    - since I have used the GPO to force RemoteSigned and the policy precedence is

    • Group Policy: Computer Configuration
    • Group Policy: User Configuration
    • Execution Policy: Process (or powershell.exe -ExecutionPolicy)
    • Execution Policy: CurrentUser
    • Execution Policy: LocalMachine

    - Group Policy over Process - the command fails to update it.

    I'm surprised this is not well documented anywhere.

    So to solve my issue I will update my template and replace AllSigned with RemoteSigned :)


    --------------------- Leos

    Friday, November 3, 2017 9:11 AM
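    As an added example (not part of the thread, and not Microsoft's code), here is a read-only Windows PowerShell 5.1 diagnostic that ties the two findings above together: it reads the "Run with PowerShell" verb from the HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command key found in this thread and the scopes from Get-ExecutionPolicy -List, then reports whether the verb's Set-ExecutionPolicy -Scope Process Bypass call will be overridden by a Group Policy scope, which is exactly when the ExecutionPolicyOverride warning appears. The function names are my own; nothing is written to the registry or the policy.

```powershell
# Added diagnostic, not from the thread. Read-only: it changes neither the registry nor the policy.
# Targets Windows PowerShell 5.1, where the "Run with PowerShell" verb lives under the key below
# (the key identified in the thread).

$VerbKeyPath = 'Registry::HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command'

function Get-RunWithPowerShellCommand {
    # Returns the verb's default value, or $null when the key is missing.
    $item = Get-Item -Path $VerbKeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.GetValue('')
}

function Get-PolicyByScope {
    # Builds a Scope -> ExecutionPolicy table. -List returns the scopes in precedence order:
    # MachinePolicy and UserPolicy (Group Policy) first, then Process, CurrentUser, LocalMachine.
    $table = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $table[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    return $table
}

function Test-RunWithPowerShellVerb {
    $command = Get-RunWithPowerShellCommand
    $scopes  = Get-PolicyByScope
    $report  = [ordered]@{
        VerbCommand      = $command
        VerbTriesBypass  = [bool]($command -match 'Set-ExecutionPolicy\s+-Scope\s+Process\s+Bypass')
        GroupPolicyScope = 'none'
        EffectivePolicy  = [string](Get-ExecutionPolicy)
        WillWarnOnRun    = $false
    }
    # A defined Group Policy scope wins over Process, so Set-ExecutionPolicy -Scope Process
    # "succeeds" but is overridden, and PowerShell emits the ExecutionPolicyOverride error.
    foreach ($gp in 'MachinePolicy', 'UserPolicy') {
        if ($scopes[$gp] -and $scopes[$gp] -ne 'Undefined') {
            $report.GroupPolicyScope = "$gp=$($scopes[$gp])"
            break
        }
    }
    # The verb only calls Set-ExecutionPolicy when the effective policy is not AllSigned,
    # which is why the GPO-managed VM warned and the unmanaged one did not.
    if ($report.VerbTriesBypass -and $report.GroupPolicyScope -ne 'none' -and
        $report.EffectivePolicy -ne 'AllSigned') {
        $report.WillWarnOnRun = $true
    }
    return [pscustomobject]$report
}

$result = Test-RunWithPowerShellVerb
$result | Format-List
if ($result.WillWarnOnRun) {
    Write-Host 'Right-click "Run with PowerShell" will show the ExecutionPolicyOverride warning.'
    Write-Host 'Fix from the thread: change AllSigned to RemoteSigned in the verb, or drop its Set-ExecutionPolicy clause.'
}
```

    Run it on both of the VMs compared above: the one without Group Policy reports GroupPolicyScope none and WillWarnOnRun False, the GPO-managed one reports MachinePolicy=RemoteSigned and WillWarnOnRun True.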
  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Albert Ling


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, November 6, 2017 8:30 AM
  • Hi Leos,

    Thank you for your solution. We've learned a lot from it. Also, please "mark it as answer" to help other community members find the helpful reply quickly.

    Thanks again for your understanding and cooperation.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, November 7, 2017 9:44 AM