Powershell Scripts in the Windows 10 OS and script execution policy of "Allow only Signed scripts"

  • Question

  • We have the group policy "Turn on Script Execution" enabled and set to "Allow only Signed scripts".

    Will this affect the PowerShell scripts used in the Windows 10 operating system, or does Windows have something built in that overrides the settings we apply? I'm thinking that it would block even the W10 built-in scripts.

    An example of what I am talking about are the 246 .ps1 files in the various diagnostic directories in c:\windows\diagnostics\system\. Our diags never come back with issues, even when deliberately disabling components before running.

    Other areas where PowerShell scripts live that I have found with a quick search:

    C:\Windows\WinSxS\wow64_microsoft.powershell.odatautils_31bf3856ad364e35_10.0.17763.1_none_d60dcab1d9234fab

    C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive

    C:\Program Files\WindowsPowerShell\Modules (various folders in here)

    Do we need to sign all PowerShell scripts that come with the OS?

    Does Microsoft have a method of doing this?

    Is there a list of script files that come with the OS, so we don't just do a sign-all approach and then find we have signed malware files?

    We could probably configure something in the build task sequence to sign what is there initially. Is there any plan in place for Microsoft to start signing their scripts?

    Will this be an ongoing process as updates are applied and files replaced? Do we need to have a process in place to sign all PS1 files in the OS?


    MCSA, MCSE

    Monday, November 11, 2019 10:22 PM
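One way to answer the "do we need to sign all of them" question for a specific build is to inventory the signature status of the .ps1 files in those directories before the policy goes live. The following is an added example for this thread, not code from the original post or from Microsoft; it uses the paths named in the question and the standard `Get-AuthenticodeSignature` and `Get-ExecutionPolicy` cmdlets. Under "Allow only Signed scripts" (the `AllSigned` policy) a script runs without prompting only when its signature is valid and the signer is in the Trusted Publishers store, so the report groups files by status and by signer.

```powershell
# Added example (not from the original thread): report the Authenticode status of
# .ps1 files under the OS directories the question names, so an admin can see what
# an AllSigned policy would actually refuse to run. Adjust $roots as needed.
$roots = @(
    "$env:SystemRoot\diagnostics\system",
    "$env:ProgramFiles\WindowsPowerShell\Modules",
    "${env:ProgramFiles(x86)}\WindowsPowerShell\Modules"
)

function Get-ScriptSignatureReport {
    param([string[]]$Path)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter *.ps1 -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
    }
}

$report = Get-ScriptSignatureReport -Path $roots

# How many files fall into each signature status
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Files AllSigned will not run at all: anything whose status is not Valid.
# HashMismatch means the file was changed after signing and deserves a closer look.
$report | Where-Object Status -ne 'Valid' | Format-Table Path, Status -AutoSize

# Valid signatures grouped by signer: a publisher missing from Trusted Publishers
# still causes a prompt under AllSigned, so check these subjects against that store.
$report | Where-Object Status -eq 'Valid' | Group-Object Signer | Select-Object Name, Count

# Effective policy per scope; a GPO setting lands in the MachinePolicy scope and
# takes precedence over the others.
Get-ExecutionPolicy -List
```

Run this as an administrator on a reference image before enabling the policy; the "not Valid" list is exactly the set of shipped scripts that would need attention, and re-running it after cumulative updates shows whether replaced files changed status.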

All replies

  • GP almost always overrides. In this case it does absolutely but no amount of signing can prevent the use of "bypass".


    \_(ツ)_/

    Monday, November 11, 2019 10:30 PM
  • Is there a particular use case you are trying to address by requiring signing of all PowerShell scripts? As jrv said, you can use `powershell -ExecutionPolicy Bypass`. This way you can set the execution policy to restricted, then when you need to run a PowerShell script, you can use the bypass.

    You can even go the simplified way and make a powershell.exe shortcut with `-ExecutionPolicy Bypass <script>`. This way, if you run a particular script often, you do not have to go through many steps to run the script.

    Thursday, November 14, 2019 12:53 AM
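Since the replies point out that the execution policy is a safety net rather than a security boundary, and that any user can override it from the command line, the complementary control is visibility: knowing when the override is used. The following is an added example, not code from this thread, that flags process-creation records whose command line overrides the execution policy. It reads Security event 4688, which carries the command line only when the "Include command line in process creation events" audit policy is enabled; the field names come from the 4688 event schema, and the sample command lines are constructed for illustration.

```powershell
# Added example (not from the thread): detect PowerShell launches that override the
# configured execution policy, the "-ExecutionPolicy Bypass" case the replies mention.

function Test-ExecutionPolicyOverride {
    param([string]$CommandLine)
    # Heuristic: powershell.exe accepts unambiguous prefixes of -ExecutionPolicy
    # (-ep, -exec, ...), and both Bypass and Unrestricted defeat AllSigned.
    return [bool]($CommandLine -match '(?i)(^|\s)-(ep|ex\w*)\s+(bypass|unrestricted)\b')
}

# Constructed sample command lines (not real log data) to show what the check flags
$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\deploy.ps1',
    'powershell.exe -ep bypass -File C:\Scripts\cleanup.ps1',
    'powershell.exe -NoProfile -File C:\Scripts\maintenance.ps1',
    'powershell.exe -ExecutionPolicy AllSigned -File C:\Scripts\signed.ps1'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Override = (Test-ExecutionPolicyOverride $_); CommandLine = $_ }
} | Format-Table -AutoSize
# Expected: the first two lines are flagged, the last two are not.

# Pull matching entries from the live Security log (needs admin rights and the
# command-line auditing policy; otherwise CommandLine is empty and nothing matches).
function Get-ExecutionPolicyOverrideEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than relying
            # on positional Properties, which differ between OS versions.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and (Test-ExecutionPolicyOverride $cmd)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Process     = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                    CommandLine = $cmd
                }
            }
        }
}

Get-ExecutionPolicyOverrideEvents | Format-Table -AutoSize
```

The regex is deliberately loose about the parameter spelling because the console host accepts abbreviations; tune it against your own 4688 data, and pair it with PowerShell script block logging (event 4104) if you also want to see what the bypassed scripts actually did.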
  • The purpose of the execution policy is not to prevent the running of powershell scripts, but to prevent the unknowing running of powershell scripts, like from an email attachment.

    Thursday, November 14, 2019 4:47 AM