16

I have been creating a PowerShell script to help me automate tasks across various users' PCs, but I've encountered an issue where I have to manually allow scripts to run on each PC before I can execute it.

I have attempted to use various solutions that I have found but so far none seem to work.

Solutions I have tried as a batch file (Ideally I would like to have the batch file download the script (sorted this already) then open the powershell script and successfully bypass this):

powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "multitool.ps1"

powershell -command "& {Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force}"

@echo off
reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "ExecutionPolicy" /d "unrestricted"

@echo off
regedit /s file.reg

Where file.reg contains the following:

[hkey_local_machine\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell] 
"Path"="c:\windows\system32\windowspowershell\v1.0\powershell.exe"
"ExecutionPolicy"="unrestricted"

All of these result in the following when running the PowerShell script: [screenshot]

All help is greatly appreciated

In order to permanently change the execution policy, you need to run your PowerShell or registry change elevated, i.e. Run as administrator. Additionally, you may have to modify your Windows setting, which is likely to have marked your downloaded file as unsafe; this is a common marker attributed to downloaded executable files. Commented Apr 26, 2021 at 16:31

6 Answers

10

Try running this command; it helped me with the same problem:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

10

tl;dr

  • powershell.exe -executionpolicy bypass ... sets PowerShell's script execution policy for that call only.

  • To persistently set it, use something like
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
    from inside PowerShell (or pass it to a powershell.exe call); Bypass is a potential security risk, RemoteSigned is a compromise between security and convenience.

  • If neither approach works, the implication is that the execution policy is controlled via GPOs (Group Policy Objects) and can only be changed via them.


powershell.exe -executionpolicy bypass ... is the right approach in principle for an ad-hoc policy override, but as the conceptual help topic that the error message points to, about_Execution_Policies, states, if execution policies are set via Group Policy (GPO) (rather than via Set-ExecutionPolicy), they cannot be overridden through other means, including on the command line:

From the Use Group Policy to Manage Execution Policy section (emphasis added):

You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your enterprise. The Group Policy setting overrides the execution policies set in PowerShell in all scopes.

See also: About Group Policy Settings (Windows PowerShell) and About Group Policy Settings (PowerShell (Core) 7+), which discusses the relevant Group Policy settings in detail.


Note the following (leaving GPOs aside):

  • powershell.exe -executionpolicy ... sets the execution policy ad hoc, i.e. for that call (process) only.

  • To set the execution policy persistently, use Set-ExecutionPolicy; e.g., use the following to set it to RemoteSigned for the current user (a commonly used policy that balances security and convenience: local scripts can run without restriction, downloaded-from-the-web ones must be signed):

    • Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    • See this answer for a comprehensive overview of PowerShell's execution policies.
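An added example (not code from the answer above) that makes the precedence rules concrete: it lists every execution-policy scope, detects whether Group Policy is in control, and otherwise applies the process-only override that needs no elevation. It assumes Windows PowerShell 5.1 or PowerShell 7+ on Windows.

```powershell
# Added example, not code from the answer above: list every execution-policy
# scope, detect a Group Policy override, and apply the process-only override
# that needs no elevation. Assumes Windows PowerShell 5.1 or PowerShell 7+.

# Scopes come back in precedence order: MachinePolicy, UserPolicy, Process,
# CurrentUser, LocalMachine. The first one that is not Undefined wins.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -Property Scope, ExecutionPolicy -AutoSize

"Effective policy for this session: $(Get-ExecutionPolicy)"

# MachinePolicy and UserPolicy are populated only by Group Policy
# (Administrative Templates > Windows Components > Windows PowerShell >
#  Turn on Script Execution), never by Set-ExecutionPolicy.
$fromGpo = $policies | Where-Object {
    ($_.Scope -in 'MachinePolicy', 'UserPolicy') -and ($_.ExecutionPolicy -ne 'Undefined')
}

if ($fromGpo) {
    foreach ($p in $fromGpo) {
        $msg = 'Policy {0} is enforced by Group Policy ({1} scope); ' +
               'powershell.exe -ExecutionPolicy and Set-ExecutionPolicy cannot override it.'
        Write-Warning ($msg -f $p.ExecutionPolicy, $p.Scope)
    }
}
else {
    # No GPO: override for this process only. This needs no elevation and leaves
    # the CurrentUser and LocalMachine scopes exactly as they were.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    "Process scope is now: $(Get-ExecutionPolicy -Scope Process)"
    # A script launched from this session (e.g. & 'C:\path with spaces\multitool.ps1')
    # now runs under RemoteSigned until this PowerShell process exits.
}
```

Run it from the same console the script will be launched from; the Process-scope change disappears when that console closes.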


6

To temporarily bypass the execution policy and run a PowerShell script, do either of the following:

  1. Temporarily set the Bypass Execution Policy. This will set the execution policy to “Bypass” for the current user during the session, allowing you to run multiple scripts without restrictions in the current session.
  • Open a PowerShell window as an Administrator.
  • Execute the following command:
Set-ExecutionPolicy Bypass -Scope Process

OR

  2. Run a Single Script with the Bypass Policy. If you need to execute an unsigned script that doesn’t adhere to the current session's execution policy, use the following command:
powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\YourScript.ps1

Shorthand for the same command:

powershell -ep Bypass C:\Path\To\YourScript.ps1


5

Closest solution I've found for this is running the following line in powershell as admin which will execute the script and bypass the restrictions:

powershell.exe -executionpolicy unrestricted C:\multitool.ps1

If anyone has a cleaner solution that can run the script from the bat file I would greatly appreciate it.

4 Comments

In essence, this is no different from the first command in your question, so if this command works, so does the one in the question. As explained, only GPO-based execution policies could thwart this approach. (The only difference is that Bypass never restricts script execution, whereas Unrestricted, despite its name, will prompt you to confirm the intent to execute scripts downloaded from the internet.)
@K4STRL I am doing the suggested code but the location of the script has a space in it. PowerShell stops at C:\Folder and doesn't go to C:\Folder Space\. I have put that location in "" but it does the same thing. What else can I do to get the script to run?
@JukEboX, use powershell.exe -executionpolicy Bypass -File "c:\your path\with spaces.ps1". Without -File, -Command is implied in Windows PowerShell, which removes (unescaped) " chars. from the command.
To add to my first comment: There is also no requirement to run a powershell.exe -ExecutionPolicy ... command line as administrator: The specified execution policy only applies to the process being launched (unless overridden by a GPO), which doesn't require elevation (running as admin).
0

Write this in an open powershell window with admin rights:

set-executionpolicy -executionpolicy remotesigned

then run the script with:

.\your script.ps1


0

I ran across this when many of the above answers were at one time working and then suddenly stopped and felt there was a need here to help understand why. This change was caused by a Microsoft security update. Using -ExecutionPolicy bypass "anything" within a script actually gives a PowerShell error indicating scripts are disabled and it cannot run. You have to run your powershell with -noexit or within the Windows PowerShell ISE utility to see it.

Now correct me if I'm wrong please, but as I understand it, the reason for this is an update from Microsoft that changed the default security settings for PowerShell to be defaulted as Restricted in the default LocalMachine, which takes precedence, and not allow scripts to elevate themselves with -ExecutionPolicy bypass "anything"... you must now set the execution policy prior to running the script, such as in an elevated .bat file that can set the execution policy and then also call the powershell script, and that's IF it's NOT completely blocked by a group policy setting.

Read more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.5&viewFallbackFrom=powershell-7.1

So while you CAN preemptively change the execution policy (although setting it to unrestricted is not recommended), the change in security defaults that Microsoft has set into play is for a good reason, so I would stick with the answers @TechyMac and @DTM gave, but mixed together. For security reasons the answer from @DTM is actually partially better practice as it only changes it while that one script runs with "-scope process", then goes back to normal defaults. I would upvote their answers, but I have a level 13 profile, and upvoting requires a level 15.

Also keep in mind that any external scripts from the internet or a usb drive will be considered Blocked. Use the Unblock-File cmdlet to unblock the scripts so that you can run them in PowerShell.

In my findings for best security practices, you don't want to change the default execution policy for a workstation to "unrestricted" or completely bypass it when you're just running a one-off script, change it only for your script that one time to RemoteSigned. Remote signed allows "local" scripts to run and also remote signed. "Local" includes mapped drives or UNC paths if a computer is part of the same domain, and scripts stored locally on the %systemdrive%.

Start with (PowerShell set-executionpolicy -executionpolicy remotesigned -scope process) from an elevated command prompt or batch script; that way you're not lowering the security level of a PC and ending up allowing users to run scripts that can potentially cause havoc:

Here's an example of a .bat file that can do this:

:::::::::::::::::::::::::::::::::::::::::
:: Automatically check & get admin rights
:::::::::::::::::::::::::::::::::::::::::

ECHO Running Admin shell
:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )

:getPrivileges
if '%1'=='ELEV' (shift & goto gotPrivileges)
ECHO.
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************

setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
:: Both redirections need the quoted target path (the opening quote was missing)
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B

:gotPrivileges
::::::::::::::::::::::::::::

::Change Powershell execution policy prior to running a script

powershell -Command "Set-ExecutionPolicy RemoteSigned"

::call said script now that policy will allow it to run

powershell -noexit "& ""C:\my_path\yada_yada\run_import_script.ps1"""

::end of batch file

Reference: How to run a PowerShell script
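An added example (not code from the answer above or from the linked reference) covering the Unblock-File point and the "download, then run" flow this answer and the question describe: it checks the downloaded script for the mark of the web and for a signature, unblocks it only after you have reviewed it, and launches it with a process-only policy so the machine default is never touched. The script path and the -Reviewed switch are assumptions for illustration.

```powershell
# Added example, not code from the answer above: the safe form of the
# "download, then run" flow under RemoteSigned. Assumes Windows PowerShell 5.1
# or PowerShell 7+ on Windows; $ScriptPath is a placeholder path.
param(
    [string]$ScriptPath = 'C:\Tools\multitool.ps1',   # placeholder path
    [switch]$Reviewed                                 # pass after reading the script
)

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# Files saved by a browser (and some copied from removable media) carry a
# Zone.Identifier alternate data stream; ZoneId=3 is the Internet zone.
$zone = Get-Content -LiteralPath $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
$blocked = $null -ne $zone
if ($blocked) { "Mark of the web present:"; $zone }

# RemoteSigned lets a marked script run only with a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status: $($sig.Status)"

if ($blocked -and $sig.Status -ne 'Valid') {
    if (-not $Reviewed) {
        throw "Unsigned downloaded script; read it, then re-run with -Reviewed to unblock it."
    }
    Unblock-File -LiteralPath $ScriptPath     # removes the Zone.Identifier stream
}

# Launch in a child process: -File handles paths with spaces, the policy applies
# to that process only, and no elevation is needed (unless a GPO forbids scripts).
& powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $ScriptPath
exit $LASTEXITCODE
```

Because the policy is passed on the child's command line, nothing persistent changes on the workstation, which is the outcome the answer above argues for.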
