Client Setting: PowerShell Execution Policy - Bypass

  • Question

  • I am trying to set up an application that will install RDC and BITS using PowerShell and the ServerManager module. I have set the PowerShell execution policy to Bypass. From the deployment I am running powershell.exe -file .\script.ps1. This does not seem to work. If I change the command to powershell.exe -ExecutionPolicy ByPass -file .\script.ps1 then that seems to work. Can someone explain how this client setting referenced below is supposed to work? I assumed that setting this to "Bypass" would allow the PowerShell script to run without having to customize the command line. Also, what about the PowerShell scripts that can be used to determine if an application is already installed?

    PowerShell execution policy

    When you select Bypass, the Configuration Manager client bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run. When you select Restricted, the Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run.

    This option requires at least Windows PowerShell version 2.0 and the default is Restricted.

    http://technet.microsoft.com/en-us/library/gg682067.aspx


    -Jason Dye Consultant - Systems Management


    Tuesday, September 4, 2012 7:02 PM

Answers

  • If you are referring to the execution policy in the client settings, that does not affect PowerShell scripts in your packages and programs. It only affects PowerShell scripts when deployed from a task sequence 'Run PowerShell script' step and I believe compliance scripts as well.

    For packages and programs you either need to control your execution policy via GPO or some other method, or just specify the -executionpolicy bypass switch on your command lines.


    Daniel Ratliff | http://www.PotentEngineer.com | @PotentEngineer

    Thursday, March 19, 2015 7:21 PM

All replies

  • Did you ever find an answer for this? I have set mine to Bypass also and all my clients still show Restricted when I run get-executionpolicy on the client machine. I've also verified that the machines have PowerShell version 2.0 on them.
    Thursday, February 6, 2014 4:04 PM
  • I'm experiencing this same behavior. I even upgraded my Windows 7 clients to PowerShell 4 to see if it makes any difference and it didn't. I assumed the above posters were deploying "Applications" so I tried it in a "Package" format (with a "program") - same results.
    Thursday, March 19, 2015 5:01 PM
  • I read somewhere that this only affects the Configuration Manager client and doesn't affect the execution policy on the device. I wonder if it makes any difference if you point your program straight to the ps1 file. Will have a play around with it at the weekend.
    Thursday, March 19, 2015 6:48 PM
  • To my knowledge, confirming what Daniel said above, this simply causes PowerShell scripts directly invoked by ConfigMgr (like in compliance settings and the Run PowerShell task like Daniel mentioned as well as global settings) to be run using the -ExecutionPolicy Bypass switch. It does not change the actual system policy and thus PowerShell scripts invoked in other methods.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Richard.Knight Thursday, March 19, 2015 7:28 PM
    Thursday, March 19, 2015 7:25 PM
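
To see on a client what the answers above describe, the following added example (not from any poster in this thread; the `$report` variable name is illustrative) lists every execution policy scope in the current session and in a child powershell.exe started with -ExecutionPolicy Bypass, and reports which scope decides the effective policy. It assumes Windows PowerShell 2.0 or later and is run from a PowerShell prompt.

```powershell
# Added example, not code from the thread. $report is an illustrative name.
# The script block reports the effective execution policy and the scope that
# decides it. Get-ExecutionPolicy -List returns scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$report = {
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined wins.
    $winner = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    $setBy = 'none (built-in default applies)'
    if ($winner) { $setBy = $winner.Scope.ToString() }

    $all = ($scopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    New-Object PSObject -Property @{
        Effective = (Get-ExecutionPolicy).ToString()
        SetBy     = $setBy
        Scopes    = $all
    } | Select-Object Effective, SetBy, Scopes
}

# 1. The session you are typing in: this is what Get-ExecutionPolicy shows
#    when you log on to a client and check by hand.
'Current session:'
& $report | Format-List

# 2. A child process started the way the thread says ConfigMgr starts the
#    scripts it invokes directly. The switch sets the Process scope of that
#    one process only; nothing is written to CurrentUser or LocalMachine.
'Child started with -ExecutionPolicy Bypass:'
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command $report | Format-List
```

In the child, only the Process scope changes and LocalMachine is left as it was, which is why an interactive Get-ExecutionPolicy on the client still reports Restricted. If MachinePolicy or UserPolicy is set through Group Policy, that scope takes precedence over the command-line switch and shows up in SetBy.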
  • nice :)
    Thursday, March 19, 2015 7:28 PM
  • Does this mean that all application detection scripts need to be signed in order to use them?

    The reason I ask is that even if I sign a detection script and import it, the number of characters changes and the PC doesn't think that the script is signed.

    How does one handle detection checks?

    Tuesday, June 9, 2015 9:11 PM
  • Looks like there are some specific tasks that have to be done. 

    http://blogs.msdn.com/b/ameltzer/archive/2014/09/24/using-signed-powershell-scripts-with-configuration-items-and-applications.aspx


    Daniel Ratliff | http://www.PotentEngineer.com | @PotentEngineer

    Sunday, June 14, 2015 7:47 PM