
I'm trying to solve a problem where I can't run local .ps1 scripts from the right-click menu without the Execution Policy Change warning appearing after every reboot.

Steps to reproduce:

Open an elevated PowerShell window and run:

Set-Executionpolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set-Executionpolicy -ExecutionPolicy RemoteSigned -Scope Process

Running ExecutionPolicy -List then returns:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process    RemoteSigned
  CurrentUser    RemoteSigned
 LocalMachine    RemoteSigned

But upon closing and reopening the PowerShell window and running ExecutionPolicy -List again, only the LocalMachine setting sticks:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned

Why don't the other ones stick? I've run DISM restorehealth and sfc /scannow and didn't get any errors.

gargoylebident
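As an added illustration (not code from the question or from any of the commenters), the following Windows PowerShell snippet walks the five scopes in precedence order, reports which one supplies the effective policy, and shows where each scope is stored: Process is nothing but the `PSExecutionPolicyPreference` environment variable of the current process, while CurrentUser and LocalMachine are registry values under HKCU and HKLM respectively. Reading the registry directly also shows which account's HKCU hive actually received a change, which matters when the elevated window runs as a different administrator account. The registry path and the fallback to Restricted are as documented for Windows PowerShell on client editions; the function names are my own.

```powershell
# Added example, not from the question: show which scope supplies the effective
# execution policy and where each scope is stored, to explain why a Process-scope
# setting vanishes with the window while CurrentUser/LocalMachine survive a reboot.

# Precedence, highest first, as documented in about_Execution_Policies.
$scopeOrder = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Get-EffectivePolicySource {
    # Returns the first scope (in precedence order) that is not Undefined.
    $byScope = @{}
    Get-ExecutionPolicy -List | ForEach-Object {
        $byScope[[string]$_.Scope] = [string]$_.ExecutionPolicy
    }
    foreach ($scope in $scopeOrder) {
        if ($byScope[$scope] -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; Policy = $byScope[$scope] }
        }
    }
    # Every scope Undefined: Windows PowerShell falls back to the platform default
    # (Restricted on Windows client editions).
    [pscustomobject]@{ Scope = '(default)'; Policy = 'Restricted' }
}

$src = Get-EffectivePolicySource
"Running as $env:USERDOMAIN\$env:USERNAME; effective policy $($src.Policy) comes from scope $($src.Scope)"
if ($src.Scope -in 'MachinePolicy', 'UserPolicy') {
    'A Group Policy setting is in force; Set-ExecutionPolicy cannot override it.'
}

# Process scope is just an environment variable of this process: it is never written
# to disk, so no later window (or scheduled task) can see it.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
"Process scope: $(Get-ExecutionPolicy -Scope Process) (env:PSExecutionPolicyPreference = $env:PSExecutionPolicyPreference)"
Remove-Item Env:\PSExecutionPolicyPreference
"Process scope after clearing the variable: $(Get-ExecutionPolicy -Scope Process)"

# CurrentUser and LocalMachine are registry values. Reading them directly shows which
# account's HKCU hive actually received the change: an elevated window that runs as a
# different administrator account writes to that account's hive, not yours.
$regPath = 'Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
foreach ($hive in 'HKCU', 'HKLM') {
    $item = Get-ItemProperty -Path "${hive}:\$regPath" -Name ExecutionPolicy -ErrorAction SilentlyContinue
    $stored = if ($item) { $item.ExecutionPolicy } else { '(value absent = Undefined)' }
    "${hive}: $stored"
}
```

Run it once in the elevated window and once in a normal one: if the two runs report different user names, the CurrentUser change went into the other account's hive, which is exactly the case the first comment below asks about.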
  • The `Process` policy is by definition an _ephemeral_ one: that is, it applies to a given process _instance_ only, and goes out of scope when that instance terminates. The `CurrentUser` policy _should_ stick. Are you sure that the elevated process ran with the same user account as the non-elevated one after? – mklement0 Feb 21 '20 at 04:35
  • @mklement0 you're right, it did stick! After I ran it with the `-Force` flag. So then, if `Process` doesn't persist, what should I do to get the scripts to run without the warning? If I exit the window (without replying to the warning) and re-run the script, it does run somehow. The only fixes I've found so far involve editing the registry or GPO. Is there really no other way to run scripts that I wrote locally, and if so, what's even the point of changing ExecutionPolicy? – gargoylebident Feb 21 '20 at 04:46
  • `-Force` is indeed the way to skip the confirmation prompt and have the command execute quietly. Setting the `CurrentUser` policy is only required _once_, but, apart from the performance impact, running `Set-Executionpolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force` every time shouldn't be a problem; ditto for scope `Process`. After the first successful `CurrentUser` change, subsequent processes will default to that policy. All this assumes that no execution-policy group policies are in effect. – mklement0 Feb 21 '20 at 05:09
  • Are you saying I should have `Set-Executionpolicy -ExecutionPolicy RemoteSigned -Scope Process -Force` as the first line in all scripts? I have two problems with the warning popping up after every reboot: 1) It's annoying to have to press several buttons to execute something that was created for automation and fewer button presses in the first place, and 2) If I were to put it into Task Scheduler, it wouldn't run without user interaction on startup. IDK it just seems kinda dumb that I can't execute my own locally written scripts. I must be missing something crucial. – gargoylebident Feb 21 '20 at 05:23
  • On a given machine, for a given user, you should only ever have to set the `CurrentUser` execution policy _once_. If your script gets to execute at all, then at the very least execution policy `AllSigned` is already in effect, or possibly something more permissive - with `-Force` you then should _not_ see a warning. To run via Task Scheduler with `Run only when user is logged on`, whatever user happens to be logged on must have an effective execution policy that allows script execution; otherwise, you probably need to set the `LocalMachine` policy. What does the warning say? – mklement0 Feb 21 '20 at 16:58
  • It's very inconsistent. I've tried several scenarios (rebooting, shutting down and starting up, running several times). Sometimes I get the warning, sometimes I don't - _even after a reboot_. The warning says `Execution Policy Change The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend` etc. – gargoylebident Feb 24 '20 at 23:34
  • Despite always using `-Force`? – mklement0 Feb 24 '20 at 23:47
  • I think I've finally pinned it down: OpenVPN! Here's how it goes: IF I don't set a `-Force` flag in my script: after a reboot / shutdown, the warning only appears after the first script _if_ I have OpenVPN active and connected to a VPN server. If I _do_ set a `-Force` flag it seems to execute no matter what (even right after reboot when connected to a VPN). I don't know why OpenVPN does this, but I think I'll just follow your suggestion and put a `-Force` flag in my scripts. Thanks a ton! – gargoylebident Feb 25 '20 at 00:06
  • Glad to hear you found a solution; my pleasure. Please consider writing it up as an answer for the benefit of future readers. – mklement0 Feb 25 '20 at 02:10
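Putting the thread's conclusions into one script, as an added example that neither participant posted: the CurrentUser policy is set once, and only when it differs, with `-Force` so the "Execution Policy Change" prompt never appears; the scheduled task launches the local script through `powershell.exe -ExecutionPolicy RemoteSigned -File ...`, a switch that sets the Process scope for that one invocation and therefore does not depend on whichever user's persisted policy happens to be in effect, nor on any `Set-ExecutionPolicy` call inside the script; and the script file is checked for the Internet zone mark (the `Zone.Identifier` stream), which is the only thing RemoteSigned refuses on an unsigned script, so a script written locally passes while one copied from a download may need `Unblock-File`. The path `C:\Scripts\Nightly.ps1`, the task name and the function names are assumptions; `Register-ScheduledTask` and the related cmdlets come from the ScheduledTasks module on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the question or the comments. Assumptions: the script
# lives at C:\Scripts\Nightly.ps1 and the task is called 'Nightly-LocalScript'.

$scriptPath = 'C:\Scripts\Nightly.ps1'
$taskName   = 'Nightly-LocalScript'

function Set-CurrentUserPolicyOnce {
    # Persist RemoteSigned for this account only if it is not already in place.
    # -Force suppresses the "Execution Policy Change" confirmation; without it the
    # cmdlet prompts every time it is called, which is what breaks unattended runs.
    param([string]$Policy = 'RemoteSigned')
    $current = [string](Get-ExecutionPolicy -Scope CurrentUser)
    if ($current -eq $Policy) {
        "CurrentUser policy is already $Policy; nothing to change."
        return
    }
    Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope CurrentUser -Force
    "CurrentUser policy set to $Policy (was $current)."
}

function Test-ScriptIsBlocked {
    # RemoteSigned only refuses an unsigned script that carries the Internet zone
    # mark (the Zone.Identifier alternate data stream). A script written locally
    # has no such stream; one copied from a download or a browser may.
    param([string]$Path)
    $null -ne (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

function Register-LocalScriptTask {
    # Launch through powershell.exe with an explicit -ExecutionPolicy. That switch
    # sets the Process scope for this invocation only, so the task behaves the same
    # regardless of which user's persisted policy is in effect, and the script itself
    # needs no Set-ExecutionPolicy call (and hence can never prompt).
    param([string]$Path, [string]$Name)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$Path`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger -Principal $principal -Force
}

Set-CurrentUserPolicyOnce
if (Test-ScriptIsBlocked -Path $scriptPath) {
    "$scriptPath carries the Internet zone mark; review it, then run Unblock-File on it before scheduling."
} else {
    Register-LocalScriptTask -Path $scriptPath -Name $taskName
}
```

RemoteSigned is used rather than anything more permissive because it is the least permissive policy under which an unsigned local script runs at all; if a MachinePolicy or UserPolicy Group Policy is defined, it still wins over both the persisted CurrentUser value and the command-line switch.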
