1

Up until the end of last month, 8/31/2022, I have had a functioning PS script that pings a server and sends an email with either 'All is well' or 'Problem!'. At or around 8/31 or 9/1, the emails stopped being sent, so I've begun to investigate. I have Win Task Scheduler for automating and its history shows that the bat file is being processed/run as expected.

However, when I try to run the PowerShell script on its own as admin, I first received the error of:

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope.

Here was my initial Get-ExecutionPolicy -List:

PS C:\WINDOWS\system32> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned

So I tried setting the ExecutionPolicy, via cmd line and regedit and gpedit.

When I ran Set-ExecutionPolicy -ExecutionPolicy Bypass in PS, I get the following error:

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:46
+ ...  -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C ...
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

Then I run Get-ExecutionPolicy -List:

PS C:\WINDOWS\system32> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    ByPass

And when I try to run the script now, PowerShell opens up, but hangs forever without running the script. This used to work, I don't know what has happened to make it not work.

There are many sites with different opinions of what needs to happen around the ExecutionPolicy. What do I need to do in order for this to work again? What are the definitive requirements? Honestly, I'd rather not use PowerShell as it always seems to have these 'permission' issues.

This may also be an issue: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

but the article does not seem to provide a definitive 'fix'.

Many Thanks for any help!

UPDATED

Thanks @mklement0, so I ran your Set... and my ExecutionPolicy is now as seen below. Is this correct?

Scope ExecutionPolicy
----- ---------------
MachinePolicy    Bypass
UserPolicy       Undefined
Process          Bypass
CurrentUser      Undefined
LocalMachine     RemoteSigned

1 Answer

3

What the error message is trying to tell you is that while the execution policy was set for the requested scope, one set in a scope with higher precedence overrides it.

You have a GPO-based MachinePolicy set, which overrides all other scopes, and makes any attempts to call Set-ExecutionPolicy or the PowerShell CLI's -ExecutionPolicy parameter ineffective: all code on your machine will run with policy RemoteSigned in effect.

To allow Set-ExecutionPolicy / -ExecutionPolicy to control the effective execution policy, no policy must be set in either GPO-based scope (that is, Get-ExecutionPolicy -List should show Undefined for both the MachinePolicy and UserPolicy scopes).


Without a GPO-based policy in effect, when PowerShell is called from the outside, such as from Task Scheduler, the execution policy is usually bypassed on a per-process-only basis, via the PowerShell CLI's -ExecutionPolicy parameter, e.g.:

powershell.exe -NoProfile -ExecutionPolicy ByPass -File someScript.ps1

That is, -ExecutionPolicy ByPass on the command line is the equivalent of calling Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force from inside a PowerShell session.

See also:


5 Comments

Thanks @mklement0, I've updated my question to show I've updated my ExecutionPolicy. Is its current status what you would expect?
@Redink: I'd set the MachinePolicy to Undefined, which will make the LocalMachine policy take effect (RemoteSigned, which is a good compromise: run local scripts, but prevent running scripts downloaded from the web). Once that is in effect, you no longer need -ExecutionPolicy Bypass in your CLI calls (but it doesn't hurt). -ExecutionPolicy Bypass is primarily useful if you know the script to be safe but want to guard against the effective execution policy being Restricted (default on client Windows editions) or AllSigned. However, as stated, it cannot override GPO policies.
Thanks so much, I'm still a bit foggy here, my current standing for the 5 are as follows: MachinePolicy=Restricted, UserPolicy=Undefined, Process=Undefined, CurrentUser=Undefined, LocalMachine=RemoteSigned. Is this what you would recommend? And it sounds like I should add -ExecutionPolicy ByPass CLI, where and how do I do that? Then it also sounds like even if all of these things work, I may still have issues based on the Exchange Server Authentication Update, see link above.
@Redink: If you set the MachinePolicy to Restricted, you won't be able to execute any scripts - set it to Undefined instead, and set the LocalMachine scope to RemoteSigned. Then - on that machine - you don't need -ExecutionPolicy Bypass in CLI calls (unless you're trying to use downloaded-from-the-web scripts as-is, which is ill-advised). If you do need to use -ExecutionPolicy Bypass (on machines where you don't know the effective policy), use it like in the sample CLI call shown in the answer.
@Redink: Connecting to Exchange Online is unrelated to local script-execution policies.
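
The scope precedence described in the answer, as an added example that is not part of the original answer or its comments: a PowerShell function that takes `Get-ExecutionPolicy -List` style objects and reports which scope decides the effective policy and whether a GPO scope is enforcing it. The function names `Resolve-EffectivePolicy` and `New-PolicyList` are hypothetical, the sample listings are constructed from the ones quoted in this thread, and the `Restricted` fallback assumes a client Windows edition.

```powershell
# Added example; function names are hypothetical, sample data is constructed.
# Scopes from highest to lowest precedence (the order Get-ExecutionPolicy -List prints).
$ScopePrecedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
$GpoScopes       = 'MachinePolicy', 'UserPolicy'

function Resolve-EffectivePolicy {
    param(
        # Objects with Scope and ExecutionPolicy properties, such as
        # the output of Get-ExecutionPolicy -List.
        [Parameter(Mandatory)] [object[]] $PolicyList,
        # Assumption: client Windows default when every scope is Undefined.
        [string] $Default = 'Restricted'
    )
    foreach ($scope in $ScopePrecedence) {
        $entry = $PolicyList | Where-Object { "$($_.Scope)" -eq $scope }
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            # The first defined scope wins; every scope below it is ignored.
            return [pscustomobject]@{
                EffectivePolicy = "$($entry.ExecutionPolicy)"
                DecidedBy       = $scope
                # True: Set-ExecutionPolicy and -ExecutionPolicy cannot change the result.
                GpoEnforced     = $scope -in $GpoScopes
            }
        }
    }
    [pscustomobject]@{ EffectivePolicy = $Default; DecidedBy = 'Default'; GpoEnforced = $false }
}

# Builds a constructed listing from five values given in precedence order.
function New-PolicyList([string[]] $Values) {
    for ($i = 0; $i -lt $ScopePrecedence.Count; $i++) {
        [pscustomobject]@{ Scope = $ScopePrecedence[$i]; ExecutionPolicy = $Values[$i] }
    }
}

$samples = [ordered]@{
    'Question, after Set-ExecutionPolicy Bypass' = New-PolicyList 'RemoteSigned','Undefined','Undefined','Undefined','Bypass'
    'Question update, MachinePolicy = Bypass'    = New-PolicyList 'Bypass','Undefined','Bypass','Undefined','RemoteSigned'
    'Comment, MachinePolicy = Restricted'        = New-PolicyList 'Restricted','Undefined','Undefined','Undefined','RemoteSigned'
    'Answer, both GPO scopes Undefined'          = New-PolicyList 'Undefined','Undefined','Undefined','Undefined','RemoteSigned'
}
foreach ($name in $samples.Keys) {
    $r = Resolve-EffectivePolicy $samples[$name]
    '{0,-44} -> {1} (decided by {2}, GPO-enforced: {3})' -f $name, $r.EffectivePolicy, $r.DecidedBy, $r.GpoEnforced
}

# On a live machine, pass the real listing instead:
# Resolve-EffectivePolicy (Get-ExecutionPolicy -List)
```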
