Fixing Running PowerShell Scripts on Windows Server 2008 R2

Daniel Marino

Friday, July 12, 2024 at 8:32:40 AM

Troubleshooting PowerShell Script Execution Restrictions
When dealing with Windows Server 2008 R2, users may encounter an error indicating that PowerShell script execution has been disabled on the machine. This problem can occur when attempting to launch a script using cmd.exe, even if the execution policy is set to Unrestricted.
Despite confirming that the execution policy is Unrestricted, scripts may still fail to run, generating annoyance and impeding development. This article will look at the most common causes of this problem and how to ensure that the script runs properly.

Command Description

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force Temporarily sets the script execution policy to Bypass for the current PowerShell session, allowing all scripts to run without restrictions.

powershell -File .\Management_Install.ps1 Runs the supplied PowerShell script file from the command line.

New-SelfSignedCertificate Generates a new self-signed certificate that can be used to sign PowerShell programs for trusted execution.

Export-Certificate Exports a certificate as a file, which can later be imported into other certificate repositories.

Import-Certificate Imports a certificate into a certain certificate store, such as Trusted Publishers or Root Certification Authority.

Set-AuthenticodeSignature Signs a PowerShell script with a specific certificate, allowing it to run on systems that have script signing policies enabled.

Command	Description
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force	Temporarily sets the script execution policy to Bypass for the current PowerShell session, allowing all scripts to run without restrictions.
powershell -File .\Management_Install.ps1	Runs the supplied PowerShell script file from the command line.
New-SelfSignedCertificate	Generates a new self-signed certificate that can be used to sign PowerShell programs for trusted execution.
Export-Certificate	Exports a certificate as a file, which can later be imported into other certificate repositories.
Import-Certificate	Imports a certificate into a certain certificate store, such as Trusted Publishers or Root Certification Authority.
Set-AuthenticodeSignature	Signs a PowerShell script with a specific certificate, allowing it to run on systems that have script signing policies enabled.

Understanding and implementing script execution policies in PowerShell.

The scripts given are intended to address the issue of PowerShell script execution being disabled on Windows Server 2008 R2. The first script sets the execution policy to **Bypass** for the current PowerShell session using **Set-ExecutionPolicy -ExecutionPolicy**. **Bypass - Scope Process - Force**. This command permits all scripts to run without restrictions temporarily. The script then navigates to the directory that contains the **Management_Install.ps1** script and runs it with **powershell.\Management_Install.ps1**. This strategy ensures that the change in execution policy is only transitory and has no impact on the system's overall security posture.

The second script, a batch file, also sets the execution policy to **Bypass** but does so via the command line. To accomplish this, it runs **powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"**. After modifying the execution policy, the script goes to the script directory and executes the PowerShell script with **powershell -File.\Management_Install.ps1**. The batch script concludes with a **pause** command, which keeps the command prompt window open and allows the user to view any output or error warnings. This strategy is beneficial for automating the procedure and incorporating it into bigger batch procedures.

Script signing and security in PowerShell

The third script example shows how to sign a PowerShell script to meet with more stringent execution policies. First, use **New-SelfSignedCertificate** to create a self-signed certificate. This certificate can then be exported using **Export-Certificate** and imported into trustworthy certificate stores via **Import-Certificate**. By adding the certificate to the **TrustedPublisher** and **Root** stores, the system will trust scripts signed with this certificate. The script **Management_Install.ps1** is then signed using **Set-AuthenticodeSignature**.

Script signing ensures that only trusted scripts run on the system, adding an extra degree of protection. This method is especially effective in contexts with strict security needs and execution policies set to **AllSigned** or **RemoteSigned**. Administrators can reduce potential security concerns by signing scripts to confirm that they have not been tampered with and come from a trusted source. This technique combines security and functionality, allowing scripts to run while ensuring system integrity.

Setting Execution Policy to Bypass in PowerShell.

PowerShell Script

# Ensure the script execution policy is set to Bypass
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Navigate to the script directory
cd "C:\Projects\Microsoft.Practices.ESB\Source\Samples\Management Portal\Install\Scripts"

# Execute the PowerShell script
powershell .\Management_Install.ps1

Using a batch script to modify the execution policy and run the PowerShell script.

Batch Script

@echo off

:: Set PowerShell execution policy to Bypass
powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

:: Navigate to the script directory
cd "C:\Projects\Microsoft.Practices.ESB\Source\Samples\Management Portal\Install\Scripts"

:: Run the PowerShell script
powershell -File .\Management_Install.ps1

pause

Creating a signed PowerShell script.

PowerShell Script for Signing

# Sample script content
Write-Output "Executing Management Install Script"

# Save this script as Management_Install.ps1

# To sign the script, follow these steps:
# 1. Create a self-signed certificate (if you don't have one)
$cert = New-SelfSignedCertificate -DnsName "PowerShellLocalCert" -CertStoreLocation "Cert:\LocalMachine\My"

# 2. Export the certificate to a file
Export-Certificate -Cert $cert -FilePath "C:\PowerShellLocalCert.cer"

# 3. Import the certificate to Trusted Publishers and Trusted Root Certification Authorities
Import-Certificate -FilePath "C:\PowerShellLocalCert.cer" -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher"
Import-Certificate -FilePath "C:\PowerShellLocalCert.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

# 4. Sign the script with the certificate
Set-AuthenticodeSignature -FilePath .\Management_Install.ps1 -Certificate $cert

Ensure Script Execution Policy Compliance and System Security

When administering Windows Server 2008 R2, it is critical to understand the various execution policies available in PowerShell and how they affect script execution. PowerShell execution controls are intended to prohibit the execution of potentially hazardous scripts. The four major policies are: **Restricted**, **AllSigned**, **RemoteSigned**, and **Unrestricted**. The default policy is **Restricted**, which does not allow any scripts to run. **AllSigned** demands that all scripts and configuration files be signed by a trusted publisher. **RemoteSigned** mandates that all scripts and configuration files obtained from the internet be signed by a trustworthy publisher, while local scripts can run without a signature.

Understanding these regulations allows administrators to pick the appropriate level of security for their environment. In cases where scripts must be executed on a frequent basis, setting the policy to **Unrestricted** can be hazardous because it permits all scripts to run without limits. Instead, administrators should consider using **RemoteSigned** or **AllSigned** to strike a balance between security and functionality. Administrators can reduce the danger of malicious code execution by signing scripts and controlling certificates.

How can I examine my system's current execution policy?
To verify the current execution policy in PowerShell, use the command .
How can I permanently modify the execution policy for all users?
To alter the execution policy for all users, run the command .
What should I do if I come across a script that cannot be performed due to policy restrictions?
Set the policy to **Bypass** with and run the script.
Is it safe to employ the **unrestricted** policy?
Using **Unrestricted** is not advised for production situations because it allows any script to run, which can pose a security risk.
How can I sign a PowerShell script?
Create a self-signed certificate using , then sign the script with .
Can I limit script execution to only trustworthy scripts?
Yes, by changing the execution policy to **AllSigned** or **RemoteSigned** and signing your scripts.
What is the distinction between the **AllSigned** and **RemoteSigned** policies?
**AllSigned** needs all scripts to be signed by a reputable publisher, whereas **RemoteSigned** simply requires scripts downloaded via the internet to be signed.
How can I generate a self-signed certificate for script signing?
To create a self-signed certificate, run the command .
What are the security implications of disabling script execution policies?
Disabling script execution controls might leave your system vulnerable to malicious scripts, resulting in potential security breaches and data loss.

Running scripts on Windows Server 2008 R2 requires that the PowerShell execution policy be set correctly. Setting the policy to or using batch files may temporarily fix execution concerns, but signing scripts provides a more secure, long-term solution. Administrators should be aware of the security implications of various execution policies and take steps to balance security with operational requirements.