Summary: Guest bloggers Judith Herman and June Blender discuss how to run Windows PowerShell scripts from a shared directory.
Microsoft Scripting Guy, Ed Wilson, is here. Today, we have a guest blog with two writers Judith Herman and June Blender. June has been a guest blogger before (see more here), but this is the first time for Judith. Judith has this to say about herself: I work in Windows Server as a Senior Technical Writer. I have been involved with testing and documenting Group Policy since Windows 2000. Before coming to work at Microsoft, I worked on movies, rockets, and computer networks. Here is a photo of Judith.
Ed suggested we write about new Windows PowerShell 3.0 features, but we hit a gotcha that seems even more urgent.
The hard-working elves in our Updatable Help office at the North Pole were trying to run the scripts that assemble the Updatable Help files for Windows Server modules. The scripts are stored in a shared file system directory.
But, instead of a clean run, they got an error. Here’s what happened.
PS C:\> \\Server01\Share\Scripts\Get-HelpFilesForCoolModules.ps1
File cannot be loaded. The file \\Server01\Share\Scripts\Get-HelpFilesForCoolModules.ps1 is not digitally signed. The script will not execute on the system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ CategoryInfo : SecurityError: (:) , PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
This error occurs when you try to run a script that was downloaded from the Internet and does not have a digital signature. But the scripts on the file share weren’t downloaded from the Internet! We wrote them and put them right there on the share on our favorite file server.
Lee Holmes (author of Windows PowerShell Cookbook, 3rd Edition) solved the mystery for us. Lee often solves mysteries, which is why we call him “Holmes.”
By default, computers running Windows Server include UNC paths in the Internet security zone. Windows PowerShell is actually responding to the security zone when it throws the error for the UNC paths. Windows does the same thing.
You might think that changing the execution policy to Unrestricted fixes this. But it doesn’t. We tried. There are, however, several ways to run scripts with UNC paths. They all incur some security risk, so please consider the consequences carefully before implementing any fix.
The best fix is to add the UNC server—in our case, Server01—to the Local intranet security zone, either manually or by using the Intranet Sites: Include all network paths (UNCs) Group Policy setting. This takes a few minutes, but it is the right way to do it.
In Group Policy Management Editor, you’ll find this policy setting under both the Computer Configuration and the User Configuration sections in the following path:
\Windows Components\Internet Explorer\Internet Control Panel\Security Page\ Intranet Sites: Include all network paths (UNCs)
The elves wanted to know which magic hat we used to find this GP setting. We just used the latest Group Policy Settings Reference Spreadsheet. Click the Administrative Template tab on the spreadsheet, and then search for UNCAsIntranet.
The easy, but more risky, method is to turn off Internet Explorer Enhanced Security Configuration. Think carefully before you try this one. Many data centers prohibit this action.
Also, in the “don’t try this in a production environment” category is editing the registry. You can set the UNCAsIntranet registry setting that adds UNC paths to the Local security zone. It’s in HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UncAsIntranet, and you can read about it here. I’m pretty risk-averse at work (ye of little faith and much experience), but this might appeal to you.
In the end, we solved our problems and our elves got back to work running scripts from the UNC directory. And happy elves mean more Updatable Help.
Thank you, Judith and June. This is indeed a timely and helpful article.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy