Friday, September 24, 2010 Issues With Configuring Powershell ExecutionPolicy via Group Policy

When you publish an ExecutionPolicy for Powershell via Group Policy, several issues will crop up. The first I came across is that it breaks several of the Best Practices Analyzers. The second is that it breaks some of the Exchange 2010 installers.

You can reproduce this error on 2008 R2 with IIS or the File Services role installed:

  1. Make sure your ExecutionPolicy is only defined locally:

    PS> Set-ExecutionPolicy RemoteSigned -Force
    PS> Get-ExecutionPolicy -List

    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned
  2. Run the IIS or File Services BPA, this should be successful
  3. Set the ExecutionPolicy in your Local Computer Policy:

    Open Local Policy Editor, browse to Local Computer Policy> Computer Configuration> Administrative Templates> Windows Components> Windows Powershell. Enable “Turn on Script Execution” and set the policy to “Allow local scripts and remote signed scripts”.

  4. Verify that your ExecutionPolicy is now defined as a Group/Local Policy:

    PS> Get-ExecutionPolicy -List

    MachinePolicy = RemoteSigned
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned
  5. Run IIS or File Services BPA, this fails with:

    There has been a Best Practice Analyzer engine error for Model ID:'Microsoft/Windows/FileServices' during execution of the Model. (Inner Exception: One or more model documents are invalid: {0} Discovery exception occurred proccessing file '{0}'. Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due ot the override, your shell will retain its current effective execution policy of "RemoteSigned".

Rather than constantly have to move our Exchange servers in and out of the GPO, I decided to fix our issue by switching over to a Group Policy Preference that sets the same registry key as if you had typed Set-ExecutionPolicy RemoteSigned at the command prompt.

  1. Open Group Policy Management Editor
  2. Browse to Computer Configuration> Preferences>Windows Settings> Registry
  3. Right click and create a new registry item:

    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SOFTWARE\Microsoft\PowersShell\1\ShellIds\Microsoft.PowerShell
    • Value name: ExecutionPolicy
    • Value type: REG_SZ
    • Value data: RemoteSigned
  4. Now create a second registry item that will cover 32-bit Powershell on 64-bit machines:

    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
    • Value name: ExecutionPolicy
    • Value type: REG_SZ
    • Value data: RemoteSigned
    • On the “Common” tab… <ol>
    • Check Item-level targeting
    • Press the "Targeting" button
    • Create a new "Environment Variable" item
    • Name: PROCESSOR_ARCHITECTURE
    • Value: AMD64

    </ol></span>

  5. Verify that only the local settings are being applied and that the preference will reset the value if a user changes it:

    PS> Set-ExecutionPolicy Undefined -Force
    PS> Get-ExecutionPolicy -List

    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = Undefined

    PS> gpupdate /force /target:computer
    PS> Get-ExecutionPolicy -List

    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned

Note that this method does require the Group Policy Preferences Client to be installed on XP/Vista/2003 (it is included in Win7/2008/2008 R2) and be aware that an administrative user can easily override the ExecutionPolicy setting until Group Policy is applied again (although they could also override the Group Policy setting since they are admin, just not as easily).


comments powered by Disqus