Client Setting: PowerShell Execution Policy - Bypass
I am trying to set up an application that will install RDC and BITS using PowerShell and the ServerManager module. I have set the PowerShell execution policy to Bypass. From the deployment I am running powershell.exe -file .\script.ps1. This does not seem to work. If I change the command to powershell.exe -ExecutionPolicy ByPass -file .\script.ps1 then that seems to work. Can someone explain how this client setting referenced below is supposed to work? I assumed that setting this to "Bypass" would allow the PowerShell script to run without having to customize the command line. Also what about the PowerShell scripts that can be used to determine if an application is already installed?
PowerShell execution policy:
When you select Bypass, the Configuration Manager client bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run. When you select Restricted, the Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run.
This option requires at least Windows PowerShell version 2.0 and the default is Restricted.
http://technet.microsoft.com/en-us/library/gg682067.as
September 4th, 2012 7:02pm
Did you ever find an answer for this? I have set mine to Bypass also and all my clients still show Restricted when I run get-executionpolicy on the client machine. I've also verified that the machines have PowerShell version 2.0 on them.
February 6th, 2014 4:04pm
I'm experiencing this same behavior. I even upgraded my Windows 7 clients to PowerShell 4 to see if it makes any difference and it didn't. I assumed the above posters were deploying "Applications" so I tried it in a "Package" format (with a "program") - same results.
March 19th, 2015 1:03pm
I read somewhere that this only affects the Configuration Manager client and doesn't affect the execution policy on the device. I wonder if it makes any difference if you point your program straight to the ps1 file. Will have a play around with it at the weekend.
March 19th, 2015 2:51pm
If you are referring to the execution policy in the client settings, that does not affect PowerShell scripts in your packages and programs. It only affects PowerShell scripts when deployed from a task sequence 'Run PowerShell script' step and I believe compliance scripts as well.
For packages and programs you either need to control your execution policy via GPO or some other method, or just specify the -executionpolicy bypass switch on your command lines.
March 19th, 2015 3:23pm
To my knowledge, confirming what Daniel said above, this simply causes PowerShell scripts directly invoked by ConfigMgr (like in compliance settings and the Run PowerShell task like Daniel mentioned as well as global settings) to be run using the -ExecutionPolicy Bypass switch. It does not change the actual system policy and thus PowerShell scripts invoked in other methods.
March 19th, 2015 3:27pm
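Added example, not part of any post in this thread: the scope precedence behind the behaviour discussed above, where -ExecutionPolicy Bypass sets only the Process scope of that one session and a GPO-set policy outranks it. The helper names and the three scope tables are constructed for illustration; Restricted as the result when every scope is Undefined is the Windows client default.

```powershell
# Added example; helper names and sample data are constructed for illustration.
# Scope precedence used by Windows PowerShell, highest first.
$Precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Resolve-EffectivePolicy {
    # $ScopeList: objects with Scope and ExecutionPolicy properties,
    # in the shape returned by Get-ExecutionPolicy -List.
    param([object[]]$ScopeList)
    foreach ($scope in $Precedence) {
        $entry = $ScopeList | Where-Object { "$($_.Scope)" -eq $scope } | Select-Object -First 1
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            # The first scope that is not Undefined decides the effective policy.
            return New-Object PSObject -Property @{
                DecidingScope = $scope
                Effective     = "$($entry.ExecutionPolicy)"
            }
        }
    }
    # Nothing set in any scope: Windows client default.
    New-Object PSObject -Property @{ DecidingScope = '(default)'; Effective = 'Restricted' }
}

function New-ScopeEntry([string]$Scope, [string]$Policy) {
    New-Object PSObject -Property @{ Scope = $Scope; ExecutionPolicy = $Policy }
}

# Constructed sample 1: powershell.exe -file .\script.ps1 on an unconfigured client.
$plain = $Precedence | ForEach-Object { New-ScopeEntry $_ 'Undefined' }

# Constructed sample 2: powershell.exe -ExecutionPolicy Bypass -file .\script.ps1.
# Only the Process scope of that session changes; LocalMachine stays as it was.
$withSwitch = $Precedence | ForEach-Object {
    if ($_ -eq 'Process') { New-ScopeEntry $_ 'Bypass' } else { New-ScopeEntry $_ 'Undefined' }
}

# Constructed sample 3: a GPO sets MachinePolicy, which outranks the switch.
$withGpo = $Precedence | ForEach-Object {
    switch ($_) {
        'MachinePolicy' { New-ScopeEntry $_ 'AllSigned' }
        'Process'       { New-ScopeEntry $_ 'Bypass' }
        default         { New-ScopeEntry $_ 'Undefined' }
    }
}

# Resolve the three constructed cases, then this machine's current session.
Resolve-EffectivePolicy $plain
Resolve-EffectivePolicy $withSwitch
Resolve-EffectivePolicy $withGpo
Resolve-EffectivePolicy (Get-ExecutionPolicy -List)
```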
nice :)
March 19th, 2015 3:31pm
Does this mean that all application detection scripts need to be signed in order to use them?
The reason why I ask is that even if I sign a detection script and import it, the number of characters changes and the PC doesn't think that the script is signed.
How does one handle detection checks?
June 9th, 2015 5:14pm
Looks like there are some specific tasks that have to be done.
http://blogs.msdn.com/b/ameltzer/archive/2014/09/24/using-signed-powershell-scripts-with-configuration-items-and-applications.aspx
June 17th, 2015 4:02pm