1 of 1 people found this helpful
Have you changed the powershell execution policy on the machine? I ran into this issue and you need to do the following to allow scriplets to run
Changing the Windows PowerShell Script Execution Policy
The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:
- Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
- AllSigned - Only scripts signed by a trusted publisher can be run.
- RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
- Unrestricted - No restrictions; all Windows PowerShell scripts can be run.
To assign a particular policy simply call Set-ExecutionPolicy followed by the appropriate policy name. For example, this command sets the execution policy to RemoteSigned:
I knew about this as we use powershell for other thiings however i "assumed" as we ran powershell scripts on the machines that this was unrestricted from the other powershell scripts.
I was wrong just checked the machine and it was set to unrestricted so the other scripts set this at the start and it reverts to unrestricted..
so as soon as chanegd this it worked : )
next question is when i add
set-executionpolicy unrestricted -Force
at start of the script it wont work.
how do you send the set-executionpolicy unrestricted -Force inside the ps1 file?
our other ps1 files are fired off with batch scripts which contain
powershell -command Set-ExecutionPolicy Unrestricted -Force
Its a catch 22... you want to execute the ps1 file but need to change the execution level first but you cant use a ps1 to do it!
do you just open this up across your machines as default?
You are having the same issue/dilemma i was having. I don't like setting this as default due to security vulnerabilities. I have resorted to using batch, msi, exe to deploy my software. Maybe someone else on here can provide further insight on this.
This may be something that also can be controlled via GPO if you are in a Active Directory environment.
can act on this policy using a GPO ( http://www.techrepublic.com/blog/datacenter/set-the-powershell-execution-policy-via-group-policy/3305 )
Or you can decide to sign the scripts that in my opinion is the most secure way to handle the situation: doing so you will be sure that only signed scripts are going to be executed.
It may require a bit of preparation job but at the end pays out in terms of security.
To know more about how to sign a powershell script you can have a look to this article: http://community.landesk.com/support/docs/DOC-25237
Well thought i would mention that we are going to create a custom MSI with powershell execution level being turned off, then running the code, then turning it on again.
The LANDesk way works great if you have the execution level set to unrestricted first but we cant do that.
your it is an interesting approach but in my opinion the best and safer approach is to sign the scripts. It seems a bit ''messy'' all the procedure around the signing but at the end it is quite straightforward.
If you sign the scripts you do not need any MSI or ''trick'' to change the execution policy.
Apologies StockTrader I overlooked your response by accident. You are indeed right. We are using powershell inside MSI's anyway but for the simple tasks that would be a great touch... will set up and test now.
happy testing then
If you have problem signing the scripts please do not hesitate to contact me. I was fighting with the procedure a while before to be able to write my article.
In the beginning seems a bit complex but then, once the mechanism is in place, is easy.