Home
%3CLINGO-SUB%20id%3D%22lingo-sub-571499%22%20slang%3D%22en-US%22%3EBut%20I%20ran%20Set-Executionpolicy%20unrestricted%2C%20what%20is%20going%20on%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-571499%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Sep%2020%2C%202012%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3ESo%20first%20let's%20be%20clear%2C%20if%20you%20can%20run%20with%20a%20properly%20set%20execution%20policy%20using%20only%20signed%20scripts%20then%20I%20will%20recommend%20that%20you%20keep%20that%20way.%26nbsp%3B%20If%20you%20want%20to%20learn%20how%20to%20sign%20your%20scripts%20here%20is%20a%20great%20blog%20that%20should%20get%20you%20started%20%3CA%20href%3D%22http%3A%2F%2Fwww.hanselman.com%2Fblog%2FSigningPowerShellScripts.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Fwww.hanselman.com%2Fblog%2FSigningPowerShellScripts.aspx.%20%3C%2FA%3E%20But%20if%20you%20are%20like%20all%20my%20customers%20and%20I'm%20assuming%2099%25%20of%20the%20world%20then%20you%20don't%20have%20the%20time%20to%20get%20all%20your%20scripts%20that%20will%20run%20against%20Production%20signed%20before%20you%20need%20to%20run%20them.%5C%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EAnd%20with%20my%20customer%20that%20is%20exactly%20the%20case%2C%20we%20needed%20to%20run%20several%20of%20my%20install%20scripts%20which%20are%20not%20signed%20(I%20have%20one%20central%20script%20that%20uses%20Start-Process%20to%20start%20other%20scripts)%2C%26nbsp%3Band%20he%20trusts%20me%20so%20he%20was%20comfortable%20running%20the%20following%20command.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CCODE%3E%0A%20%20%20Set-ExecutionPolicy%20unrestricted%0A%20%20%3C%2FCODE%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Then%20when%20he%20went%20to%20run%20the%20script%20he%20was%20getting%20this%20prompt%20several%20times%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Security%20Warning%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Run%20only%20scripts%20that%20you%20trust.%20While%20scripts%20from%20the%0A%20%20%20%3CBR%20%2F%3E%0A%20%20%20Internet%20can%20be%20useful%2C%20this%20script%20can%20potentially%20harm%20your%20computer.%20Do%20you%20want%20to%20run%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20E%3A%5CInstallFiles%5Cinstall%20Scripts%5CSharePointServers.ps1%3F%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20%5BD%5D%20Do%20not%20run%26nbsp%3B%20%5BR%5D%20Run%20once%26nbsp%3B%20%5BS%5D%20Suspend%26nbsp%3B%5B%3F%5D%20Help%20(default%20is%20%22D%22)%3A%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20%3CEM%3E%0A%20%20%20%3C%2FEM%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20WHAT%3F%26nbsp%3B%20But%20I%20set%20the%20execution%20policy%20to%20unrestricted...ran%20the%20following%26nbsp%3Bcommand%20just%20to%20check%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CCODE%3E%0A%20%20%20Get-ExecutionPolicy%0A%20%20%3C%2FCODE%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CCODE%3E%0A%20%20%3C%2FCODE%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Yup%2C%20it%20was%20set%20just%20I%20had%20expected.%26nbsp%3B%20So%20started%20to%20dig%20and%20try%20to%20figure%20what%20is%20going%20on%20and%20discovered%20in%20fact%20by%20design%20PowerShell%20will%20by%20design%20prompt%20you%20when%20you%20run%20a%20script%20using%20an%20execution%20policy%20of%20unrestricted%20(%0A%20%20%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd347641%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%0A%20%20%20%20http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd347641)%0A%20%20%20%3C%2FA%3E%0A%20%20%20and%20what%20you%20have%20to%20do%20is%20run%20the%20command%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CCODE%3E%0A%20%20%20Set-ExecutionPolicy%20Bypass%0A%20%20%3C%2FCODE%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20What%20this%20command%20does%20is%20set%20the%20following%20in%20the%20security%20of%20PowerShell%26nbsp%3Bfor%20the%20local%20server%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20-%20Nothing%20is%20blocked%20and%20there%20are%20no%20warnings%20or%20prompts.%0A%20%20%20%3CBR%20%2F%3E%0A%20%20%20%3CBR%20%2F%3E%0A%20%20%20-%20This%20execution%20policy%20is%20designed%20for%20configurations%20in%20which%20a%20Windows%20PowerShell%20script%20is%20built%20in%20to%20a%20larger%20application%20or%20for%20configurations%20in%20which%20Windows%20PowerShell%20is%20the%20foundation%20for%20a%20program%20that%20has%20its%20own%20security%20model.%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20So%20lesson%20learned%20unrestricted%20is%20not%20enough%20if%20you%20plan%20to%20run%20more%20complex%20scripts%20that%20open%20other%20PowerShell%20shells.%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20To%20learn%20more%20about%20setting%20execution%20policies%20start%20reading%20here%0A%20%20%20%3CA%20href%3D%22http%3A%2F%2Fwww.techrepublic.com%2Fblog%2Fdatacenter%2Fset-the-powershell-execution-policy-via-group-policy%2F3305%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%0A%20%20%20%20http%3A%2F%2Fwww.techrepublic.com%2Fblog%2Fdatacenter%2Fset-the-powershell-execution-policy-via-group-policy%2F3305%0A%20%20%20%3C%2FA%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20%3CBR%20%2F%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-571499%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Sep%2020%2C%202012%20Hello%20All%2CSo%20first%20let's%20be%20clear%2C%20if%20you%20can%20run%20with%20a%20properly%20set%20execution%20policy%20using%20only%20signed%20scripts%20then%20I%20will%20recommend%20that%20you%20keep%20that%20way.%3C%2FLINGO-TEASER%3E
First published on TECHNET on Sep 20, 2012

Hello All,



So first let's be clear, if you can run with a properly set execution policy using only signed scripts then I will recommend that you keep that way.  If you want to learn how to sign your scripts here is a great blog that should get you started http://www.hanselman.com/blog/SigningPowerShellScripts.aspx. But if you are like all my customers and I'm assuming 99% of the world then you don't have the time to get all your scripts that will run against Production signed before you need to run them.\


And with my customer that is exactly the case, we needed to run several of my install scripts which are not signed (I have one central script that uses Start-Process to start other scripts), and he trusts me so he was comfortable running the following command.



Set-ExecutionPolicy unrestricted


Then when he went to run the script he was getting this prompt several times


Security Warning


Run only scripts that you trust. While scripts from the
Internet can be useful, this script can potentially harm your computer. Do you want to run


E:\InstallFiles\install Scripts\SharePointServers.ps1?


[D] Do not run  [R] Run once  [S] Suspend [?] Help (default is "D"):



WHAT?  But I set the execution policy to unrestricted...ran the following command just to check


Get-ExecutionPolicy

Yup, it was set just I had expected.  So started to dig and try to figure what is going on and discovered in fact by design PowerShell will by design prompt you when you run a script using an execution policy of unrestricted ( http://technet.microsoft.com/en-us/library/dd347641) and what you have to do is run the command


Set-ExecutionPolicy Bypass

What this command does is set the following in the security of PowerShell for the local server


- Nothing is blocked and there are no warnings or prompts.

- This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.


So lesson learned unrestricted is not enough if you plan to run more complex scripts that open other PowerShell shells.


To learn more about setting execution policies start reading here http://www.techrepublic.com/blog/datacenter/set-the-powershell-execution-policy-via-group-polic...