Hello,

I would like to try and make a GPO that runs a PowerShell script instead of a bat file. However, they are not running. I believe that it is related to PowerShell settings being in a remote signed state:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned

I am running these scripts as NT Authority\System, but I have a feeling that they are not running because LocalMachine is set to RemoteSigned (hopefully it is not MachinePolicy). I cannot seem to figure out how to remote sign this script; can someone point me in a good direction?

Thank you,

Michael

8 Spice ups

Have you tried launching PowerShell with a specific ExecutionPolicy at runtime and passing the script file to this instance?

something like this:

powershell -ExecutionPolicy Unrestricted -File "\\path\to\myscript.ps1"

or this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File "\\path\to\myscript.ps1"

ExecutionPolicy types in PowerShell:

Restricted:

This is the most restrictive policy. It doesn't load configuration files or run scripts. It only allows individual commands to be run interactively. Useful for environments where security is of utmost importance, as it prevents any script execution.

AllSigned:

Requires that all scripts and configuration files be signed by a trusted publisher. Unsigned scripts won’t run. This policy is more flexible than Restricted but still maintains a high level of security.

RemoteSigned:

Requires that all scripts and configuration files downloaded from the internet be signed by a trusted publisher. Locally created scripts don’t need to be signed. This policy balances security with convenience, allowing locally created scripts to run without requiring a signature but enforcing signature checks for scripts obtained from the internet.

Unrestricted:

Allows all scripts and configuration files to run, regardless of origin or whether they’re signed. This policy prioritizes convenience over security and should be used with caution, as it opens up the system to potential risks from running unsigned or malicious scripts.

Bypass:

Allows all scripts to run, regardless of signature. Unlike Unrestricted, Bypass still respects the system’s execution policy. This policy is useful for temporarily bypassing the execution policy when running scripts from trusted sources, but it should be used with caution to avoid unintended security vulnerabilities.

3 Spice ups
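The following is an added example for this thread, not code from any of the posts above. It turns the scope list in the reply into a check you can actually run: which scope wins, whether that scope came from Group Policy (MachinePolicy or UserPolicy, which the -ExecutionPolicy switch cannot override because Process sits below them), and whether RemoteSigned would treat the file as remote. Two caveats worth stating plainly: execution policy is a safety feature against running scripts by accident, not a security boundary, so Bypass is fine as a task argument but must not be mistaken for a hardening decision; and the documented difference between Unrestricted and Bypass is that Unrestricted still warns before running unsigned files that came from outside the local intranet zone, while Bypass blocks nothing and warns about nothing. The SYSVOL path in the usage line is constructed; the UNC-means-remote test is a deliberate simplification, since Windows PowerShell actually decides that from the host's Internet Explorer security zone.

```powershell
# Added example for this thread (not code from the original posts). Run it on
# the machine where the script fails, in the same security context the GPO or
# task uses (e.g. via psexec -s for SYSTEM), because SYSTEM has its own
# CurrentUser scope that is not the one you see in your own console.

function Get-WinningExecutionPolicy {
    # PowerShell walks the scopes in this order and uses the first one that is
    # not Undefined. MachinePolicy and UserPolicy come from Group Policy and
    # win over anything set with Set-ExecutionPolicy or -ExecutionPolicy.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    foreach ($scope in $precedence) {
        if ($byScope[$scope] -ne 'Undefined') {
            return [pscustomobject]@{
                Scope    = $scope
                Policy   = $byScope[$scope]
                SetByGpo = ($scope -eq 'MachinePolicy' -or $scope -eq 'UserPolicy')
            }
        }
    }
    # Every scope Undefined: the OS default applies (Restricted on client
    # Windows, RemoteSigned on current Windows Server releases).
    [pscustomobject]@{ Scope = 'Default'; Policy = [string](Get-ExecutionPolicy); SetByGpo = $false }
}

function Test-ScriptWillRun {
    param([Parameter(Mandatory)][string]$Path)

    $policy = Get-WinningExecutionPolicy
    $sig    = Get-AuthenticodeSignature -FilePath $Path

    # RemoteSigned decides "remote" from the Zone.Identifier stream on local
    # files; for UNC paths it depends on the host's IE security zone. This
    # check is deliberately conservative and treats every UNC path as remote.
    $zone     = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $isRemote = [bool]$zone -or ($Path -like '\\*')

    $willRun = switch ($policy.Policy) {
        'Bypass'       { $true }
        'Unrestricted' { $true }
        'RemoteSigned' { (-not $isRemote) -or ($sig.Status -eq 'Valid') }
        'AllSigned'    { $sig.Status -eq 'Valid' }
        default        { $false }   # Restricted
    }

    $advice = if ($willRun) {
        'Execution policy is not what is blocking this script'
    } elseif ($policy.SetByGpo) {
        'Policy comes from Group Policy: sign the script (or change the GPO); -ExecutionPolicy will not override it'
    } else {
        'Launch it as: powershell.exe -NoProfile -ExecutionPolicy Bypass -File <script>'
    }

    [pscustomobject]@{
        Path            = $Path
        EffectivePolicy = $policy.Policy
        DecidedBy       = $policy.Scope
        TreatedAsRemote = $isRemote
        Signature       = $sig.Status
        WillRun         = $willRun
        Advice          = $advice
    }
}

# Usage with a constructed SYSVOL path (assumption; substitute your own):
# Test-ScriptWillRun -Path '\\dc01\SYSVOL\corp.example\scripts\startup.ps1' | Format-List
```

If TreatedAsRemote is the only thing in the way on a local copy of the file, Unblock-File removes the Zone.Identifier stream; for scripts that live on a share, signing them or launching with -ExecutionPolicy Bypass (when no GPO scope is set) are the two options the thread already covers.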

If you want to run as system, then PSEXEC will do this for you

How to: become the LOCAL SYSTEM account with PsExec - Specops Software

Alternatively, you may be able to set up a scheduled task, configure it to run as SYSTEM, and manually run the task.

2 Spice ups

I would use Bypass rather than Unrestricted.

4 Spice ups

Same; if I know it's the ExecutionPolicy, I use Bypass to call the script.

3 Spice ups

So what you're telling me to do is launch PowerShell in my task, and then add the wicked nice Bypass arguments/script.

I will give this a whirl tomorrow. Thank you.

My default PowerShell scheduled task Action statement is:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionPolicy Bypass -File \\server\share\directory\script.ps1

The scheduled tasks I (we) run are all authenticated by a service account having all the required permissions to do what's necessary.

1 Spice up

@britv8, that works! Be careful to use powershell.exe over the MSIX pwsh.exe, though:

Sign the script using a code signing certificate issued by AD Certificate Services with the root cert trusted via GPO.

# Load the signing certificate (with private key) from a PFX, then sign the script in place.
$codeCert = Get-PfxCertificate -FilePath "{path}\{certificate}.pfx"
Set-AuthenticodeSignature -Certificate $codeCert -FilePath "{path}\{script}.ps1"
1 Spice up
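As an added example for this thread (not code from the poster above), here is the signing step carried through the way you would want it for scripts that run unattended as SYSTEM: pick a usable code-signing certificate from the signer's personal store instead of reading a PFX off disk, timestamp the signature so it survives certificate expiry, and verify the result the same way PowerShell does under AllSigned or RemoteSigned, including what happens when someone edits the file after it was signed. It assumes an AD CS code-signing certificate is already in Cert:\CurrentUser\My with its private key and that the issuing chain is trusted on the targets; the timestamp server URL and the temp-file demo path are assumptions for illustration.

```powershell
# Added example for this thread (not the poster's code). Assumes a code-signing
# certificate from the AD CS CA is in Cert:\CurrentUser\My (with private key)
# and that its chain is trusted on the target machines via GPO.

function Select-CodeSigningCert {
    # Prefer the longest-lived certificate that is valid right now and that we
    # can actually sign with (private key present).
    $now  = Get-Date
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }
    $cert
}

function Protect-Script {
    param(
        [Parameter(Mandatory)][string]$Path,
        # A timestamp lets the signature stay valid after the certificate expires.
        # The TSA URL is an example (assumption), not a requirement of the technique.
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )
    $cert   = Select-CodeSigningCert
    $params = @{ FilePath = $Path; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $params.TimestampServer = $TimestampServer }

    $result = Set-AuthenticodeSignature @params
    if ($result.Status -ne 'Valid') {
        throw "Signing $Path failed: $($result.Status) - $($result.StatusMessage)"
    }
    $result
}

function Test-ScriptSignature {
    # Mirrors what PowerShell checks before running the file under AllSigned or
    # RemoteSigned: the hash must match and the chain must build to a trusted
    # root on THIS machine. Anything other than Valid means the script will not run.
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, or UnknownError for an untrusted chain
        Signer     = $(if ($signer) { $signer.Subject })
        Thumbprint = $(if ($signer) { $signer.Thumbprint })
        Message    = $sig.StatusMessage
    }
}

# Demo on a constructed script in the temp directory (assumption: no network
# filter on the timestamp server; pass -TimestampServer '' to skip timestamping).
$demo = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $demo -Value 'Write-Output "hello from a signed script"'

Protect-Script -Path $demo | Out-Null
Test-ScriptSignature -Path $demo          # freshly signed, untouched

# Any change after signing, even a trailing comment, breaks the hash and the
# script stops running under AllSigned / RemoteSigned until it is re-signed.
Add-Content -Path $demo -Value '# edited after signing'
Test-ScriptSignature -Path $demo          # same file, tampered
```

Two deployment details matter for tasks that run as SYSTEM: the signature is only useful if the target sees the chain as trusted (root and issuing CA published by GPO), and under AllSigned Windows PowerShell prompts before running a script from a publisher that is not in the machine's Trusted Publishers store. A non-interactive task cannot answer that prompt, so push the signing certificate into Trusted Publishers via the same GPO. Re-run the signing step every time the script changes; the demo above shows why.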