Windows PowerShell: Execution Policies

Running a PowerShell script on a computer running Windows 8/8.1 or Windows Server 2012 produces the following error, and the script is not executed.

.\WSUS_CleanUp.ps1 : File C:\Temp\WSUS_CleanUp.ps1 cannot be loaded because running scripts is disabled on this
system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\WSUS_CleanUp.ps1
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

This is because, by default, the execution policy is set to Restricted.

The possible options for the policy are:

  • Restricted
    • Default execution policy in Windows 8, Windows Server 2012, and Windows 8.1.
    • Permits individual commands, but will not run scripts.
    • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and Windows PowerShell profiles (.ps1).
  • AllSigned
    • Scripts can run.
    • Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
    • Prompts you before running scripts from publishers that you have not yet classified as trusted or untrusted.
    • Risks running signed, but malicious, scripts.
  • RemoteSigned
    • Scripts can run. This is the default execution policy in Windows Server 2012 R2.
    • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the Internet (including e-mail and instant messaging programs).
    • Does not require digital signatures on scripts that you have written on the local computer (not downloaded from the Internet).
    • Runs scripts that are downloaded from the Internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
    • Risks running unsigned scripts from sources other than the Internet and signed, but malicious, scripts.
  • Unrestricted
    • Unsigned scripts can run. (This risks running malicious scripts.)
    • Warns the user before running scripts and configuration files that are downloaded from the Internet.
  • Bypass
    • Nothing is blocked and there are no warnings or prompts.
    • This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.
  • Undefined
    • There is no execution policy set in the current scope.
    • If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy.

To display the policy currently in effect, use the Get-ExecutionPolicy command:

PS C:\Temp> Get-ExecutionPolicy
Restricted

There are two ways to change the policy value: directly from PowerShell or through a Group Policy Object (GPO).

PowerShell

To change the policy setting, use the Set-ExecutionPolicy command, passing one of the available policies as the parameter and answering Yes to the confirmation prompt.

For example, to set the policy to Unrestricted the command is:
Set-ExecutionPolicy Unrestricted

Group Policy Object (GPO)

First, download the Administrative Templates for Windows PowerShell from this address and install it, or download the file PowerShellExecutionPolicy.7z directly from here.

Once the file has been extracted and imported into the Group Policy Management Editor, the required policy will be visible in the tree.

To allow all PowerShell scripts to run, set the policy to Enabled and Allow all scripts.

Once the policy has been applied, or forced with the gpupdate command, checking the setting again returns:

PS C:\Temp> Get-ExecutionPolicy
Unrestricted

The other possible values can be set in the same way.
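
The per-scope view behind the two methods above, as an added example that is not part of the original post: a GPO setting lands in the MachinePolicy or UserPolicy scope and takes precedence over whatever Set-ExecutionPolicy wrote to LocalMachine. Resolve-EffectivePolicy is a hypothetical helper name and the sample scope list is constructed.

```powershell
# Added example: resolve the effective execution policy from per-scope values.
# Resolve-EffectivePolicy is a hypothetical helper name, not a built-in cmdlet.
function Resolve-EffectivePolicy {
    param(
        # Objects with Scope and ExecutionPolicy properties, in precedence order,
        # as returned by Get-ExecutionPolicy -List.
        [Parameter(Mandatory)] [object[]] $ScopeList
    )
    # The first scope whose policy is not Undefined wins.
    $winner = $ScopeList |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1

    if (-not $winner) {
        # Every scope is Undefined: the effective policy falls back to Restricted.
        $scope = 'None (all Undefined)'; $policy = 'Restricted'
    } else {
        $scope = "$($winner.Scope)"; $policy = "$($winner.ExecutionPolicy)"
    }
    [pscustomobject]@{
        EffectivePolicy = $policy
        SourceScope     = $scope
        # True when the value comes from Group Policy rather than Set-ExecutionPolicy.
        SetByGpo        = $scope -in 'MachinePolicy', 'UserPolicy'
        # Policies under which unsigned scripts are allowed to run.
        Permissive      = $policy -in 'Unrestricted', 'Bypass'
    }
}

# Constructed sample: the GPO is set to "Allow all scripts" (Unrestricted),
# while LocalMachine had been set to RemoteSigned with Set-ExecutionPolicy.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Unrestricted' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Resolve-EffectivePolicy -ScopeList $sample

# On a live system, pass the real per-scope list instead of the sample:
Resolve-EffectivePolicy -ScopeList (Get-ExecutionPolicy -List)
```

For the sample, the result reports Unrestricted from MachinePolicy with SetByGpo and Permissive both true, which is the state the GPO section produces.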
