Use DSC Resource to Configure PowerShell Execution Policy


Summary: Microsoft Scripting Guy, Ed Wilson, talks about using a DSC resource to configure the Windows PowerShell execution policy.

Microsoft Scripting Guy, Ed Wilson, is here. I am sipping a cup of mint tea and munching on a piece of fruitcake. I may be one of the few people in the world who actually likes fruitcake, and I am not afraid to admit it. I like fruitcake—especially if it is a good one, and not one of those Technicolor doorstops that seem to be regifted year after year after year, until eventually they look like some sort of bizarre biology experiment gone horribly wrong. The best fruitcake, of course, is probably one that you make yourself. But around here, there are some fine ones made with fresh organic ingredients by local bakeries. They are quite nice.

The xPowerShellExecutionPolicy DSC resource

One of the new resources from the DSC Resource Kit Wave 9 release is the xPowerShellExecutionPolicy resource. This permits me to configure the Windows PowerShell execution policy by using a DSC configuration.

Note  For more information, see PowerShell DSC Resource Kit Wave 9.

To use DSC to configure the Windows PowerShell execution policy, I first create a configuration script, and specify the target nodes. I then import the xPowerShellExecutionPolicy module. I have to explicitly import the module because the DSC Resource Kit providers are not standard DSC resources. It is a good idea to validate input, so I specify the permissible Windows PowerShell execution policies by using the [ValidateSet] tag. Here is this portion of my script:

Configuration SetPowerShellExecutionPolicy

{

    Param

    (

        #Target nodes to apply the configuration 

        [String[]]$NodeName = ((Get-ADComputer -Filter *).name),

       

        #Changes the user preference for the Windows PowerShell execution policy.

        [Parameter(Mandatory)]

        [ValidateSet("Bypass","Restricted","AllSigned","RemoteSigned","Unrestricted")]

        [String]$SetExecutionPolicy

    )

    Import-DSCResource -ModuleName xPowerShellExecutionPolicy

Now I specify the array of node names that I retrieved by using the Get-ADComputer cmdlet.

Note  The Get-ADComputer cmdlet comes from the Active Directory module, which is available via the Remote Server Administration Tools (RSAT).

It is pretty easy to set the execution policy. I simply call ExecutionPolicy from the xPowerShellExecutionPolicy resource, and I specify my desired Windows PowerShell execution policy. This is shown here:

Node $NodeName

    {

        xPowerShellExecutionPolicy ExecutionPolicy

        {

            ExecutionPolicy = $SetExecutionPolicy

        }

    }

}

Now I need to create the MOF files, so I call my configuration. As shown here, I also pass my desired policy setting as a parameter when calling the configuration:

SetPowerShellExecutionPolicy -output C:\serverConfig -SetExecutionPolicy "RemoteSigned"

The last thing I need to do is start the DSC configuration. To do this, I specify the path to my MOF files, and I call Start-DSCConfiguration:

Start-DscConfiguration -Path C:\serverConfig  -Wait -Force -Verbose

Here is what the script looks like while it is running:

Image of command output

After the configuration script runs, I like to quickly check to see if it worked properly. My previous Windows PowerShell execution policies were varied, but now they should all be set to RemoteSigned. I use the Invoke-Command cmdlet (ICM is an alias) to check. Here is the command and the results:

Image of command output

Yep, they are all set the same now. Here is the complete script:

#Requires -version 4.0

Configuration SetPowerShellExecutionPolicy

{

    Param

    (

        #Target nodes to apply the configuration 

        [String[]]$NodeName = ((Get-ADComputer -Filter *).name),

       

        #Changes the user preference for the Windows PowerShell execution policy.

        [Parameter(Mandatory)]

        [ValidateSet("Bypass","Restricted","AllSigned","RemoteSigned","Unrestricted")]

        [String]$SetExecutionPolicy

    )

    Import-DSCResource -ModuleName xPowerShellExecutionPolicy

 

    Node $NodeName

    {

        xPowerShellExecutionPolicy ExecutionPolicy

        {

            ExecutionPolicy = $SetExecutionPolicy

        }

    }

}

 

SetPowerShellExecutionPolicy -output C:\serverConfig -SetExecutionPolicy "RemoteSigned"

Start-DscConfiguration -Path C:\serverConfig  -Wait -Force –Verbose

That is all there is to using DSC to configure the Windows PowerShell execution policy. DSC Week will continue tomorrow when I will talk about more cool DSC stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (3)

  1. Kjetil says:

    I get an error when running the start-dscConfiguration saying;

    "Importing module xPowershellSetExecutionpolicy failed with error – (filepath to c:programfiles…etc) cannot be loaded because you opted not to run this software now."

    But if i move the modules to the "C:WindowsSystem32WindowsPowerShellv1.0Modules" it works.

    Why is this?

  2. Pavan Adepu says:

    +1

    Even I am facing the same issue? What is the cause of this?

  3. walt says:

    +1

    Me too!

Skip to main content