But I ran Set-Executionpolicy unrestricted, what is going on?


Hello All,

So first let's be clear, if you can run with a properly set execution policy using only signed scripts then I will recommend that you keep that way.  If you want to learn how to sign your scripts here is a great blog that should get you started http://www.hanselman.com/blog/SigningPowerShellScripts.aspx.  But if you are like all my customers and I'm assuming 99% of the world then you don't have the time to get all your scripts that will run against Production signed before you need to run them.\

And with my customer that is exactly the case, we needed to run several of my install scripts which are not signed (I have one central script that uses Start-Process to start other scripts), and he trusts me so he was comfortable running the following command.

 

Set-ExecutionPolicy unrestricted 

 

Then when he went to run the script he was getting this prompt several times 

Security Warning

Run only scripts that you trust. While scripts from the
Internet can be useful, this script can potentially harm your computer. Do you want to run

E:\InstallFiles\install Scripts\SharePointServers.ps1?

[D] Do not run  [R] Run once  [S] Suspend [?] Help (default is "D"):

 

WHAT?  But I set the execution policy to unrestricted...ran the following command just to check

Get-ExecutionPolicy
 

Yup, it was set just I had expected.  So started to dig and try to figure what is going on and discovered in fact by design PowerShell will by design prompt you when you run a script using an execution policy of unrestricted (http://technet.microsoft.com/en-us/library/dd347641) and what you have to do is run the command

Set-ExecutionPolicy Bypass

What this command does is set the following in the security of PowerShell for the local server

- Nothing is blocked and there are no warnings or prompts.

- This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.

So lesson learned unrestricted is not enough if you plan to run more complex scripts that open other PowerShell shells.

To learn more about setting execution policies start reading here http://www.techrepublic.com/blog/datacenter/set-the-powershell-execution-policy-via-group-policy/3305

 

 


Comments (6)

  1. If we are programming for other clients should we set the scope to "Process" so that running MyApp.exe with an internal powershell engine does not affect their native security policy ?  Does this over-ride their current settings allowing them to keep secure but still run MyApp.exe ?

           – Process

                The execution policy affects only the current session

                (the current Windows PowerShell process).

    1. Nightkiller says:

      From https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_execution_policies

      SET A DIFFERENT EXECUTION POLICY FOR ONE SESSION

      You can use the ExecutionPolicy parameter of PowerShell.exe to set an execution policy for a new Windows PowerShell session. The policy affects only the current session and child sessions.
      To set the execution policy for a new session, start Windows PowerShell at the command line (such as Cmd.exe or Windows PowerShell), and then use the ExecutionPolicy parameter of PowerShell.exe to set the execution policy.
      For example:
      PowerShell.exe -ExecutionPolicy AllSigned
      The execution policy that you set is not stored in the registry. Instead, it is stored in the $env:PSExecutionPolicyPreference environment variable. The variable is deleted when you close the session in which the policy is set. You cannot change the policy by editing the variable value.
      During the session, the execution policy that is set for the session takes precedence over an execution policy that is set in the registry for the local computer or current user. However, it does not take precedence over the execution policy set by using a Group Policy setting (discussed below).

  2. Yet another stupid pointless poorly documented part of powershell. Nothing makes any logical sense. Unrestricted means exactly what it says.

  3. CC says:

    Yeah, cause lets make everything harder than it needs to be without actually making it more secure.

    Well done.

  4. JM says:

    There appears to be a bug in powershell where when setting unrestricted does not truly set it properly. If you set to Bypass and then back to Unrestricted it should work just fine.

  5. MV says:

    I am running powershell.exe -ExecutionPolicy ByPass -file “.\filename.ps1” and I still get the warning. What gives?

Skip to main content