Understanding PowerShell’s ExecutionPolicy and Scope functionality -- Part 2

If you get the error below when you attempt to run a PowerShell script, it is because PowerShell has a safety feature that is preventing your scripts from running.


The article at https://www.alanbonnici.com/2021/04/understanding-powershells.html explains how to manage PowerShell’s ExecutionPolicy functionality using the Set-ExecutionPolicy cmdlet. It discusses the Process, CurrentUser, and LocalMachine scopes.

Comparing Settings


If you’re following along, it is best to have the ExecutionPolicy settings on your computer match the above; otherwise the outcomes may be different. Your administrator may block PowerShell functionality using the MachinePolicy or UserPolicy ExecutionPolicy Group Policy settings. If that’s the case, you need to speak to them.

HOWTO PowerShell GitHub repository

The repository at https://github.com/chribonn/PSHelloWorld contains the files used in this HOWTO. You can use it to follow along with this tutorial. Creating the script on your own computer might not reproduce the behaviour if the setting is RemoteSigned, because this policy only applies to PowerShell files downloaded from external sources. Hop over to the Set-Content cmdlet below to see how you can make your file appear as if it was downloaded from the internet.

Unblock using the GUI


Right-click on the PowerShell script, choose Properties and check the Unblock option in the Security section of the script’s General tab.

Unblock using PowerShell cmdlet Unblock-File

The Unblock-File cmdlet achieves the same result as described above.

In its simplest form, one specifies the PowerShell script that should be unblocked:

Unblock-File .\Say-HelloWorld.ps1

As can be observed in the image, Unblock-File takes wildcards, allowing you to adjust multiple files in one fell swoop. Unblock-File can also be used to unblock other downloaded file types that are blocked by the operating system.

Reblock-File

There could be instances in which you unblocked a file that should not have been unblocked, or, as happened in my case, I needed a quick way to re-enable the blocked state. This can be done using the command below (the stackoverflow.com link to this posting is in the Reblock-HelloWorld.ps1 script in the GitHub repository).

Set-Content .\Say-HelloWorld.ps1 -Stream "Zone.Identifier" -Value "[ZoneTransfer]`nZoneId=3"

There are 5 different Zones:

ZoneId  Details
0       Local machine
1       Local intranet
2       Trusted sites
3       Internet
4       Restricted sites

These zones are represented graphically in the Internet Properties: Security tab (Control Panel -> Network and Internet -> Internet Options -> Internet Properties -> Security tab).



Unblock using PowerShell cmdlet Set-Content

If you set the ZoneId to 1, you would have indicated that the file is a Local Intranet file and, according to the setting of the environment described here, would unblock it.

Set-Content .\Say-HelloWorld.ps1 -Stream "Zone.Identifier" -Value "[ZoneTransfer]`nZoneId=1"
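As an added example (not code from this article or its GitHub repository), the following PowerShell reports each .ps1 file's Zone.Identifier stream, the matching zone name from the table above, and its Authenticode status, so you can check what Set-Content or Unblock-File actually changed. Get-ScriptZone and the ZoneDemo folder are hypothetical names; the example assumes Windows with an NTFS volume.

```powershell
# Added example: Get-ScriptZone is a hypothetical helper, not part of the PSHelloWorld repository.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ScriptZone {
    param([Parameter(Mandatory)][string]$Path)
    $files = Get-ChildItem -Path $Path -Filter '*.ps1' -File -Recurse |
        Where-Object Extension -eq '.ps1'
    foreach ($file in $files) {
        # No Zone.Identifier stream means the file was created locally or has been unblocked.
        $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($stream) {
            $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
            if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            File      = $file.Name
            ZoneId    = $zoneId
            Zone      = if ($null -eq $zoneId) { 'none (no stream)' } else { $ZoneNames[$zoneId] }
            Signature = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
        }
    }
}

# Constructed demo data: a throwaway script in a temporary folder.
$dir = Join-Path $env:TEMP 'ZoneDemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$script = Join-Path $dir 'Say-HelloWorld.ps1'
Set-Content -Path $script -Value 'Write-Host "Hello World"'

# Report the freshly created file, which has no zone information.
Get-ScriptZone $dir

# Mark the file as coming from the Internet zone (the "reblock" command), then report again.
Set-Content -Path $script -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`nZoneId=3"
Get-ScriptZone $dir

# Unblock-File removes the stream; the final report confirms it is gone.
Unblock-File -Path $script
Get-ScriptZone $dir

Remove-Item -Path $dir -Recurse -Force
```

Running the function over a downloads or scripts folder shows which files still carry an Internet or Restricted zone marker and which are unsigned, the two properties RemoteSigned looks at.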

Conclusion: Safety vs Security

The functionality described in this article and the one that preceded it is a safety setting, not a security setting. This is because it only deals with running PowerShell script files (extension ps1) and doesn’t block running individual cmdlets.

As can be seen in the above terminal capture, while Say-HelloWorld.ps1 would not execute, the (single) cmdlet Write-Host contained within it executed without issues.

