Override Execution Policy Set via GPO

  • Question

  • I completely understand why this wouldn't be possible, but I want to explore my options.

    I have, for a test group of computers, created a GPO that sets the PowerShell execution policy to All Signed. I have a certificate, and I'm able to sign scripts, and it all works great.

    ...until I'm writing/debugging a new script.  I sign it, run it, and get an error.  I do what I think I need to do to resolve the issue, but now I have to save/close the script, sign it again, re-open and run it. Now I realize I'm missing a comma, or misspelled a variable name, and I have to go through that entire process again.

    Is the only way to make my computer 'special' to move it to another OU and apply a GPO that is not so restrictive?

    Tuesday, July 18, 2017 7:38 PM

All replies

  • Self-signed certs are only good for the account that created them.  Any change to a script requires re-signing the script.  It is recommended that you do your debugging under an account set to "RemoteSigned".


    \_(ツ)_/

    Tuesday, July 18, 2017 7:44 PM
  • Do I need to isolate my computer in AD so I can set my account to RemoteSigned, since my GPO dictates AllSigned?
    Tuesday, July 18, 2017 8:53 PM
  • Depends on the current policy settings.  If you are an admin you should be able to override this by setting "Bypass" or "RemoteSigned" in your session.


    \_(ツ)_/

    Tuesday, July 18, 2017 8:55 PM
  • That's not working so well for me.  My MachinePolicy and UserPolicy scopes are set via GPO. I've set Process, CurrentUser, and LocalMachine to RemoteSigned, but I cannot run a modified, local script without re-signing it.
    Tuesday, July 18, 2017 9:05 PM
  • Then you need to exempt the machine from the policy.


    \_(ツ)_/

    Tuesday, July 18, 2017 9:21 PM
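
Added example, not part of any post in this thread: the exchange above comes down to execution policy scope precedence, where the Group Policy scopes (MachinePolicy, UserPolicy) are evaluated before Process, CurrentUser and LocalMachine. The function name `Get-EffectiveExecutionPolicySource` and the sample data are constructed for illustration; `Get-ExecutionPolicy -List` is the built-in cmdlet.

```powershell
# Report which scope decides the effective execution policy.
# Precedence, highest first: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
function Get-EffectiveExecutionPolicySource {
    [CmdletBinding()]
    param(
        # Objects with Scope and ExecutionPolicy properties.
        # Defaults to the live list from the current session.
        [object[]]$PolicyList = (Get-ExecutionPolicy -List)
    )

    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    foreach ($scope in $precedence) {
        $entry = $PolicyList |
            Where-Object { "$($_.Scope)" -eq $scope } |
            Select-Object -First 1

        # The first scope that is not Undefined wins; lower scopes are ignored.
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            return [pscustomobject]@{
                Scope            = $scope
                ExecutionPolicy  = "$($entry.ExecutionPolicy)"
                SetByGroupPolicy = $scope -in 'MachinePolicy', 'UserPolicy'
            }
        }
    }

    # Every scope is Undefined: the platform default applies.
    [pscustomobject]@{
        Scope            = 'None'
        ExecutionPolicy  = 'Undefined'
        SetByGroupPolicy = $false
    }
}

# Constructed sample mirroring the situation described in the thread:
# GPO sets AllSigned, the lower scopes were set to RemoteSigned by hand.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'RemoteSigned' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'RemoteSigned' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)

Get-EffectiveExecutionPolicySource -PolicyList $sample   # constructed input
Get-EffectiveExecutionPolicySource                       # this machine, this session
```

When `SetByGroupPolicy` is true, changing the Process, CurrentUser or LocalMachine scope has no effect on the result; the change has to happen in which GPO applies to the machine or user.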
  • Hi JT65

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 21, 2017 8:50 AM
  • I created two GPOs, one that sets the execution policy to Remote Signed and one to allow all scripts.  I created an AD group for each.  I've restricted each of these GPOs to apply to the corresponding AD group and linked the GPO to the relevant Computers containers. Now with the Default Domain Policy set to All Signed, I can tailor the execution policy as needed.

    Thank you for your help.

    Monday, August 21, 2017 11:25 AM