Reputation: 159
I have been creating a PowerShell script to help me automate tasks across various users' PCs. I've encountered an issue where I have to manually allow scripts to run on each PC before I can execute it.
I have attempted to use various solutions that I have found, but so far none seem to work.
Solutions I have tried as a batch file (ideally I would like the batch file to download the script, which I have already sorted, then open the PowerShell script and successfully bypass this):
powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "multitool.ps1"
powershell -command "& {Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force}"
@echo off
reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "ExecutionPolicy" /d "unrestricted"
@echo off
regedit /s file.reg
Where file.reg contains the following:
[hkey_local_machine\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell]
"Path"="c:\windows\system32\windowspowershell\v1.0\powershell.exe"
"ExecutionPolicy"="unrestricted"
All of these result in the following when running the powershell script:
All help is greatly appreciated.
Upvotes: 10
Views: 154044
Reputation: 21
I ran across this when many of the above answers were at one time working and then suddenly stopped and felt there was a need here to help understand why. This change was caused by a Microsoft security update. Using -ExecutionPolicy bypass "anything" within a script actually gives a PowerShell error indicating scripts are disabled and it cannot run. You have to run your powershell with -noexit or within the Windows PowerShell ISE utility to see it.
Now correct me if I'm wrong please, but as I understand it, the reason for this is an update from Microsoft that changed the default security settings for PowerShell to be defaulted as Restricted in the default LocalMachine, which takes precedence, and not allow scripts to elevate themselves with -ExecutionPolicy bypass "anything"... you must now set the execution policy prior to running the script, such as in an elevated .bat file that can set the execution policy and then also call the PowerShell script, and that's IF it's NOT completely blocked by a group policy setting.
and also read more here:
So while you CAN preemptively change the execution policy (although it is not recommended to set it as unrestricted), the change in security defaults that Microsoft has set into play is for a good reason, so I would stick with the answers @TechyMac and @DTM gave, but mixed together. For security reasons the answer from @DTM is actually partially better practice, as it only changes it while that one script runs with "-scope process", then goes back to normal defaults. I would upvote their answers, but I have a level 13 profile, and upvoting requires a level 15.
Also keep in mind that any external scripts from the internet or a usb drive will be considered Blocked. Use the Unblock-File cmdlet to unblock the scripts so that you can run them in PowerShell.
In my findings for best security practices, you don't want to change the default execution policy for a workstation to "unrestricted" or completely bypass it when you're just running a one-off script, change it only for your script that one time to RemoteSigned. Remote signed allows "local" scripts to run and also remote signed. "Local" includes mapped drives or UNC paths if a computer is part of the same domain, and scripts stored locally on the %systemdrive%.
Start with (PowerShell set-executionpolicy -executionpolicy remotesigned -scope process) from an elevated command prompt or batch script; that way you're not lowering the security level of a PC and ending up allowing users to run scripts that can potentially cause havoc:
Here's an example of a .bat file that can do this:
:::::::::::::::::::::::::::::::::::::::::
:: Automatically check & get admin rights
:::::::::::::::::::::::::::::::::::::::::
ECHO Running Admin shell
:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )
:getPrivileges
if '%1'=='ELEV' (shift & goto gotPrivileges)
ECHO.
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************
setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B
:gotPrivileges
::::::::::::::::::::::::::::
::Change Powershell execution policy prior to running a script
powershell -Command "Set-ExecutionPolicy RemoteSigned"
::call said script now that policy will allow it to run
powershell -noexit "& ""C:\my_path\yada_yada\run_import_script.ps1"""
::end of batch file
Reference: How to run a PowerShell script
Upvotes: 0
Reputation: 437743
powershell.exe -executionpolicy bypass ... is the right approach in principle for an ad-hoc policy override, but as the conceptual help topic that the error message points to, about_Execution_Policies, states, if execution policies are set via Group Policy (GPO) (rather than via Set-ExecutionPolicy), they cannot be overridden through other means, including on the command line:
From the Use Group Policy to Manage Execution Policy section (emphasis added):
You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your enterprise. The Group Policy setting overrides the execution policies set in PowerShell in all scopes.
See also: About Group Policy Settings (Windows PowerShell) and About Group Policy Settings (PowerShell (Core) 7+), which discusses the relevant Group Policy settings in detail.
Note the following (leaving GPOs aside):
powershell.exe -executionpolicy ... sets the execution policy ad hoc, i.e. for that call (process) only.
To set the execution policy persistently, use Set-ExecutionPolicy; e.g., use the following to set it to RemoteSigned for the current user (a commonly used policy that balances security and convenience: local scripts can run without restriction, downloaded-from-the-web ones must be signed):
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
See this answer for a comprehensive overview of PowerShell's execution policies.
Upvotes: 8
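The two answers above describe three separate things that decide whether a script runs: which scope supplies the effective policy (Group Policy wins and cannot be bypassed), whether a downloaded file is "blocked", and raising the policy for the current process only. The following PowerShell wrapper is an added example, not code from any answer here; the script path is an assumption you would replace.

```powershell
# Added example (not from any answer above). Assumes $ScriptPath below.
param(
    [string]$ScriptPath = 'C:\Tools\multitool.ps1'   # assumed path; adjust
)

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# 1. List the policy at every scope. PowerShell applies the first scope
#    from the top (MachinePolicy, UserPolicy, Process, CurrentUser,
#    LocalMachine) whose value is not Undefined.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize
Write-Host "Effective policy: $(Get-ExecutionPolicy)"

# 2. MachinePolicy / UserPolicy come from Group Policy and win over both
#    -ExecutionPolicy Bypass and Set-ExecutionPolicy, so stop here rather
#    than fighting them; that is an administrator conversation.
$gpo = $policies | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
    $_.ExecutionPolicy -ne 'Undefined'
}
if ($gpo) {
    $first = @($gpo)[0]
    $msg = 'Execution policy is enforced by Group Policy ({0} = {1}); it cannot be overridden from a script or the command line.' -f $first.Scope, $first.ExecutionPolicy
    Write-Warning $msg
    return
}

# 3. Files downloaded from the internet carry a Zone.Identifier stream
#    (the "blocked" state that RemoteSigned checks). Unblock only the one
#    file we are about to run, never whole directories.
if (Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Host "Zone.Identifier found on $ScriptPath; unblocking."
    Unblock-File -Path $ScriptPath
}

# 4. Raise the policy for this process only; CurrentUser and LocalMachine
#    settings are left exactly as they were.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
& $ScriptPath
```

Because the wrapper is itself a script, start it with `powershell.exe -ExecutionPolicy Bypass -File wrapper.ps1` (the ad-hoc override the answer above describes) or paste it into a console; on a machine where step 2 fires, even that start will be refused, which is the point.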
Reputation: 51
To temporarily bypass the execution policy and run a PowerShell script, do either of the following:
powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\YourScript.ps1
OR
Script shorthand: powershell -ep Bypass C:\Path\To\YourScript.ps1
Upvotes: 5
Reputation: 1
Write this in an open PowerShell window with admin rights:
set-executionpolicy -executionpolicy remotesigned
then run the script with:
.\your script.ps1
Upvotes: 0
Reputation: 61
Try running this code; it helped me with the same problem:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
Upvotes: 6
Reputation: 159
The closest solution I've found for this is running the following line in PowerShell as admin, which will execute the script and bypass the restrictions:
powershell.exe -executionpolicy unrestricted C:\multitool.ps1
If anyone has a cleaner solution that can run the script from the bat file I would greatly appreciate it.
Upvotes: 5