Remotely tweak PowerShell execution policies without PowerShell remoting.


Today I was trying to schedule a PowerShell command to run via a scheduled task on all my machines. I copied the PowerShell script to every machine and ran the following for loop to create the scheduled task on each of them.

for /f %i in (\\utilityserver\servers.txt) do schtasks /s %i /create /TN custom_task /TR "powershell -nologo -file c:\localbin\task.ps1" /ST 16:00 /SC MINUTE /MO 5 /RU <Domain\user> /RP "XXXXX"

The tasks were created fine on all the machines, but when I tried to run them, they failed. Running the PowerShell script locally on one server threw an error about the execution policy. Now I had to set the execution policy on around 100 servers which unfortunately did not have PowerShell remoting set up. When you set an execution policy in PowerShell it actually modifies the ExecutionPolicy registry value at the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (I found this by running procmon).

If you have an unrestricted policy your registry will read like this

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

    Path    REG_SZ    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ExecutionPolicy    REG_SZ    Unrestricted

Now to set this across 100 machines

for /f %i in (\\utilityserver\servers.txt) do reg add \\%i\HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /t REG_SZ /d Unrestricted /f

Replace the value with Unrestricted | RemoteSigned | AllSigned | Restricted | Bypass, whichever you want to set. This key sets the execution policy for all users on the machine (the LocalMachine scope). You can also use the Set-ExecutionPolicy cmdlet if you have PowerShell remoting set up.

This will save you a bunch of time, or better still, make it a part of your build process.
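The same change can be driven from PowerShell on the administrator's workstation through the Remote Registry API, which also makes it easy to audit the result. The script below is an added example, not code from the original post: it reads the server list the post uses (\\utilityserver\servers.txt, assumed to hold one hostname per line), and for each server reads the machine-wide ExecutionPolicy value from both the 64-bit host key and the 32-bit host key under Wow6432Node (the second path is the one a commenter below ran into), optionally writing a new value first. It assumes the Remote Registry service is running on the targets and that the caller is a local administrator there; the function and parameter names are my own.

```powershell
# Added example (not from the original post): audit, and optionally set, the machine-wide
# PowerShell ExecutionPolicy value over the Remote Registry service on a list of servers,
# covering both the 64-bit host key and the 32-bit (Wow6432Node) host key.
# Assumptions: servers.txt holds one hostname per line, the Remote Registry service is
# running on each target, and the caller has administrative rights on it.
param(
    [string]$ServerList = '\\utilityserver\servers.txt',
    # Leave empty to only audit; pass e.g. 'RemoteSigned' to write that value on every server.
    [string]$Policy = ''
)

$validPolicies = 'Restricted', 'AllSigned', 'RemoteSigned', 'Unrestricted', 'Bypass'
if ($Policy -and ($Policy -notin $validPolicies)) {
    throw "Policy must be empty or one of: $($validPolicies -join ', ')"
}

# Both keys that hold the LocalMachine-scope policy on 64-bit Windows.
$keyPaths = @{
    'x64' = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    'x86' = 'SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
}

function Get-OrSetRemotePolicy {
    # Returns the ExecutionPolicy string found under $SubKey on $Computer.
    # When $Policy is non-empty the value is written first, then read back.
    param([string]$Computer, [string]$SubKey, [string]$Policy)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $writable = [bool]$Policy
        $key = $base.OpenSubKey($SubKey, $writable)
        if (-not $key) { return '<key missing>' }   # e.g. no Wow6432Node on 32-bit Windows
        try {
            if ($writable) {
                $key.SetValue('ExecutionPolicy', $Policy,
                    [Microsoft.Win32.RegistryValueKind]::String)
            }
            $value = $key.GetValue('ExecutionPolicy')
            if ($null -eq $value) { return '<not set>' }
            return [string]$value
        } finally { $key.Close() }
    } finally { $base.Close() }
}

$results = foreach ($line in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    $server = $line.Trim()
    $row = [ordered]@{ Server = $server }
    foreach ($arch in 'x64', 'x86') {
        try {
            $row[$arch] = Get-OrSetRemotePolicy -Computer $server -SubKey $keyPaths[$arch] -Policy $Policy
        } catch {
            # Unreachable host, Remote Registry stopped, or access denied: record it and move on.
            $row[$arch] = "ERROR: $($_.Exception.Message)"
        }
    }
    # Flag servers where the 64-bit and 32-bit hosts would enforce different policies.
    $row['Consistent'] = ($row['x64'] -eq $row['x86'])
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Run it with no -Policy argument first to see what is currently in place, then with -Policy RemoteSigned (or whichever value you have settled on) to write it; a second audit run confirms every row reads the same value for both hosts. The Consistent column is the quick check for the mismatch the comments describe, where a 32-bit host keeps running under a different policy than the 64-bit one.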


Comments (2)

  1. Paul Gordon says:

    Another caveat…. on 64 bit machines, there are TWO Powershell hosts.. "Windows Powershell" and "Windows PowerShell (x86)"… all the discussions I've seen thus far regarding manipulating the policy by whatever means, have been effective ONLY for the 64-bit PowerShell host… the (x86) host execution policy remains unaffected… Who cares about the old x86 version anyway I hear you ask… well, I know of at least 1 very well known and oft-used migration tool (Quest Migration Manager for AD) that offers the option to remotely run scripts on computers as part of the migration process…. when this tool is directed to run a POSH script on a remote computer, it instantiates the old 32-bit shell… and obeys whatever execution policy is effective *there*…. this has just bitten me during a fairly large domain migration, so I'm now looking for a way to remotely affect the 32-bit shell policy across a large number of machines, and I may not be allowed to use group policy to do it…

  2. Paul Gordon says:

    Found it… different REG location:
    HKLM\software\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy

    🙂
