When I run any script from a .ps1 file on my server I receive an error about the Set-ExcutionPolicy being successful but being overridden by a higher scope.
However none of the code I am running has anything to do with execution policies or changing them. Any Idea why I'm getting this error?
This is on a Windows 2012 R2 server where execution policy for all levels is set to remote signed. I'm running on PowerShell V4.0
If I open PowerShell or the ISE and type in the command it completes without showing the error it only occurs when I try and run a script from a .ps1 file.
This is the error:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a more
specific scope. Due to the override, your shell will retain its current
effective execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List"
to view your execution policy settings. For more information please see
"Get-Help Set-ExecutionPolicy".
At line:1 char:46
+ if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
+ FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
The "Run with PowerShell" context menu entry for .ps1 files invokes the following commandline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"
It's stored in the registry key HKCU\Microsoft.PowerShellScript.1\Shell\0\Command. Since you have the execution policy defined via Group Policy, setting a conflicting execution policy in the Process scope whenever you're running a PowerShell script via its context menu causes the error you observed.
Change the commandline in the registry to something like this:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File "%L"
and the error will disappear.
Related
I am writing a script to prepare our laptops before use. It essentially installs certificates and sets the executionpolicy to AllSigned.
It gets executed by right mouse click and "Run with Powershell". This is a windows 10 standard bypass of executionpolicy and lets the script run on unmodified windows 10 machines (That's what it looks like to me at least). So I can execute my script without the need to change the executionpolicy explicitly.
After the script ran the machine is set up. I just get a warning that I want to suppress.
To do this inside the script I elevate the script to administrator rights with a bypass parameter. This works fine except that I get a warning when setting the AllSigned execution policy. It says that I have a policy defined at a more specific scope.
Note: The command worked and the execution policy is set. It just pops up red and looks like an error. If someone else executes the script I don't want to have questions popping up.
--My question:--
As I know that this behavior is intended I don't want the warning from showing up. How can I suppress the message?
I tried various settings with the switches "WarningAction" and "ErrorAction" but it does not work.
Some Details:
ErrorMessage:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a
more specific scope. Due to the override, your shell will retain its
current effective execution policy of Bypass. Type
"Get-ExecutionPolicy -List" to view your execution policy settings.
For more information please see "Get-Help Set-ExecutionPolicy". At
C:\Users\uwe\Desktop\InstallRootCA\InstallRootCertificate.ps1:46
char:5
+ Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
+ FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
Relevant Code parts from powershell script:
Elevating the script prior to execution:
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Start-Process PowerShell -Verb RunAs "-NoProfile -ExecutionPolicy Bypass -Command `"cd '$pwd'; & '$PSCommandPath';`"";
exit;
}
Setting the Executionpolicy at the end of the script:
Set-ExecutionPolicy AllSigned -Scope LocalMachine
I tried all kinds of flags
-Force
-WarningAction Ignore|SilentlyContinue
-ErrorAction same
But still the red warning pops up.
You can put this command into a try catch statement. The catch statement will handle the errors and if it is empty, nothing will happen if Set-ExecutionPolicy throws an error.
try{
Set-ExecutionPolicy AllSigned -Scope LocalMachine
}
catch {
#Do Nothing
}
Please test it, let me know if it worked and if it did, please mark the post as the answer :)
Nicicalu's answer is effective; let me add some background information:
What Set-ExecutionPolicy emits in your case is a (statement-)terminating error, which is why it is neither affected by -ErrorAction nor by -WarningAction.
Terminating errors can only be handled via:
try / catch, as shown in Nicicalu's answer.
The - rarely used - trap statement
Confusingly, they can be silenced and ignored by setting preference variable $ErrorActionPreference to 'SilentlyContinue'.
That is confusing, because the seemingly equivalent -ErrorAction common parameter does not work; that is, -ErrorAction SilentlyContinue or -ErrorAction Ignore have no effect, because -ErrorAction is designed to operate on non-terminating errors only.
For a comprehensive overview of PowerShell's complex error handling, see this GitHub docs issue.
Taking a step back: It doesn't make sense for Set-ExecutionPolicy to report an error in this scenario, given that the command still succeeded in principle.
Emitting a warning would be more appropriate, as suggested in GitHub issue #12032.
My script runs fine in ISE however not in a PowerShell console window.
I have tried to replace any " with ' (just in case it was an encoding error but I am not sure).
EDIT: The script works when copy and pasted into the console but not when opened with the console.
Here is the script, ZAOCC.ps1:
$path = '\\auisasvc2k801\safe\Information Technology\Support\Powershell\ZAOCC\Excel'
$path2 = '\\auisasvc2k801\safe\Information Technology\Support\Powershell\ZAOCC\PDF'
$xlFixedFormat = 'Microsoft.Office.Interop.Excel.xlFixedFormatType' -as [type]
$excelFiles = Get-ChildItem -Path $path -include *.xls, *.xlsx -recurse
$objExcel = New-Object -ComObject excel.application
$objExcel.visible = $false
$date = Get-Date -Format 'dd.MM.yyyy'
foreach($workbook in $excelFiles)
{
$filepath = Join-Path -Path $path2 -ChildPath ('Mine Control Record - ' + $date + '.pdf')
$workbook = $objExcel.workbooks.open($workbook.fullname, 3)
$workbook.Saved = $true
'Saving $filepath'
$workbook.ExportAsFixedFormat($xlFixedFormat::xlTypePDF, $filepath)
$objExcel.Workbooks.close()
}
$objExcel.Quit()
Here is the error message:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope. Due to the override, your shell will retain its current effective
execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:46
+ ... -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & "\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
+ FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
The error message suggests that you're running your script from File Explorer, using the shortcut menu's Run with PowerShell command (which uses Windows PowerShell; note that PowerShell [Core] (v6+) no longer offers this command - see middle section).
Note that doing so will automatically close the console window that is opened to run the script when the script exits.
To avoid that, open a Windows PowerShell console window first, and then run your script from there - this will also make your problem go away.
(Another option is to modify the shortcut-menu command definition, as shown below.)
The reason for the error is that your execution policy is set by either a machine-level or a user-level Group Policy, which takes precedence over the attempt to set the execution policy at the process level.
In fact, you cannot override an execution policy set via Group Policy from user code, neither with a Set-ExecutionPolicy call nor via the -ExecutionPolicy CLI parameter.
The attempt to set the execution at the process level - Set-ExecutionPolicy -Scope Process Bypass - is part of the command line that is used by the shortcut-menu command definition, and it is it - not your script - that triggers the error.
Therefore, the error message will appear on any system where the execution policy is defined via Group Policy, every time a script is directly invoked from File Explorer.
Note that the error message is confusing in this case, claiming that the command "updated your execution policy successfully", when in reality it had no effect.
Also note that the error is a statement-terminating error[1], which means that overall execution still continues and your script is invoked, despite the error - assuming that the Group Policy-set execution policy allows it.
In general, especially given that the console window automatically closes when the script terminates (for whatever reason), consider not using this direct-invocation feature.
In fact, PowerShell [Core] (v6+) doesn't even offer this shortcut-menu command anymore and instead offers commands at the directory / drive level to open an interactive session there.
If you still want to invoke your script via File Explorer and want to avoid the error message, you can modify the shortcut-menu command definition in the registry by simply removing the attempt to set the execution policy.
The definition is at HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command and modifying it requires elevation (running as admin); however, it is possible to create a user-level definition as well.
The following command redefines the shortcut-menu command definition so that Set-ExecutionPolicy is no longer called:
# NOTE: Requires elevation:
Set-ItemProperty registry::HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command '(default)' #'
powershell.exe -NoLogo -File "%1"
'#
If you also want to keep the window open, add -NoExit as the first parameter.
[1] Generally speaking, the message shouldn't be an error at all; it should be a warning, as suggested in this GitHub issue. However, in the interest of backward compatibility it was decided to keep the current behavior.
I am writing a script to prepare our laptops before use. It essentially installs certificates and sets the executionpolicy to AllSigned.
It gets executed by right mouse click and "Run with Powershell". This is a windows 10 standard bypass of executionpolicy and lets the script run on unmodified windows 10 machines (That's what it looks like to me at least). So I can execute my script without the need to change the executionpolicy explicitly.
After the script ran the machine is set up. I just get a warning that I want to suppress.
To do this inside the script I elevate the script to administrator rights with a bypass parameter. This works fine except that I get a warning when setting the AllSigned execution policy. It says that I have a policy defined at a more specific scope.
Note: The command worked and the execution policy is set. It just pops up red and looks like an error. If someone else executes the script I don't want to have questions popping up.
--My question:--
As I know that this behavior is intended I don't want the warning from showing up. How can I suppress the message?
I tried various settings with the switches "WarningAction" and "ErrorAction" but it does not work.
Some Details:
ErrorMessage:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a
more specific scope. Due to the override, your shell will retain its
current effective execution policy of Bypass. Type
"Get-ExecutionPolicy -List" to view your execution policy settings.
For more information please see "Get-Help Set-ExecutionPolicy". At
C:\Users\uwe\Desktop\InstallRootCA\InstallRootCertificate.ps1:46
char:5
+ Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
+ FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
Relevant Code parts from powershell script:
Elevating the script prior to execution:
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Start-Process PowerShell -Verb RunAs "-NoProfile -ExecutionPolicy Bypass -Command `"cd '$pwd'; & '$PSCommandPath';`"";
exit;
}
Setting the Executionpolicy at the end of the script:
Set-ExecutionPolicy AllSigned -Scope LocalMachine
I tried all kinds of flags
-Force
-WarningAction Ignore|SilentlyContinue
-ErrorAction same
But still the red warning pops up.
You can put this command into a try catch statement. The catch statement will handle the errors and if it is empty, nothing will happen if Set-ExecutionPolicy throws an error.
try{
Set-ExecutionPolicy AllSigned -Scope LocalMachine
}
catch {
#Do Nothing
}
Please test it, let me know if it worked and if it did, please mark the post as the answer :)
Nicicalu's answer is effective; let me add some background information:
What Set-ExecutionPolicy emits in your case is a (statement-)terminating error, which is why it is neither affected by -ErrorAction nor by -WarningAction.
Terminating errors can only be handled via:
try / catch, as shown in Nicicalu's answer.
The - rarely used - trap statement
Confusingly, they can be silenced and ignored by setting preference variable $ErrorActionPreference to 'SilentlyContinue'.
That is confusing, because the seemingly equivalent -ErrorAction common parameter does not work; that is, -ErrorAction SilentlyContinue or -ErrorAction Ignore have no effect, because -ErrorAction is designed to operate on non-terminating errors only.
For a comprehensive overview of PowerShell's complex error handling, see this GitHub docs issue.
Taking a step back: It doesn't make sense for Set-ExecutionPolicy to report an error in this scenario, given that the command still succeeded in principle.
Emitting a warning would be more appropriate, as suggested in GitHub issue #12032.
I have a clean Windows 2012 R2 with SharePoint 2016. Installed Visual Studio Community 2017, when I try to install the JustInTime Debugger using the VS update I get the following error:
The product failed to install the listed workloads and components due to one or more package failures.
Incomplete components
Just-In-Time debugger (Microsoft.VisualStudio.Component.Debugger.JustInTime,version=15.0.26208.0)
You can search for solutions using the information below, modify your selections for the above workloads and components and retry the installation, or remove the product from your machine.
Following is a collection of individual package failures that led to the incomplete workloads and components above. To search for existing reports of these specific problems, please copy and paste the URL from each package failure into a web browser. If the issue has already been reported, you can find solutions or workarounds there. If the issue has not been reported, you can create a new issue where other people will be able to find solutions or workarounds.
Package 'Microsoft.VisualStudio.Debugger.JustInTime,version=15.0.26424.2' failed to install.
Search URL: https://aka.ms/VSSetupErrorReports?q=PackageId=Microsoft.VisualStudio.Debugger.JustInTime;PackageAction=Install;ReturnCode=1
Impacted components
Just-In-Time debugger (Microsoft.VisualStudio.Component.Debugger.JustInTime,version=15.0.26208.0)
Log
C:\Users\Administrator\AppData\Local\Temp\dd_setup_20170622105625_003_Microsoft.VisualStudio.Debugger.JustInTime.log
Details
Command executed: "c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe" -ExecutionPolicy Bypass -InputFormat None -NoLogo -NonInteractive -NoProfile -Command "$ErrorActionPreference="""Stop""";$VerbosePreference="""Continue""";$Action="""Modify""";$AppId="""9180617e""";$Packages="""Microsoft.VisualStudio.Component.CoreEditor,Microsoft.VisualStudio.Component.NuGet,Microsoft.Net.Component.4.6.1.SDK,Microsoft.VisualStudio.Component.TypeScript.2.2,Microsoft.VisualStudio.Component.JavaScript.TypeScript,Component.WebSocket,Microsoft.VisualStudio.Component.JavaScript.Diagnostics,Microsoft.VisualStudio.Component.Roslyn.Compiler,Microsoft.VisualStudio.Component.Static.Analysis.Tools,Microsoft.VisualStudio.Component.Roslyn.LanguageServices,Microsoft.VisualStudio.Component.PortableLibrary,Microsoft.VisualStudio.Component.SQL.CLR,Microsoft.VisualStudio.Component.VisualStudioData,Microsoft.VisualStudio.Component.AppInsights.Tools,Microsoft.Component.ClickOnce,Microsoft.Net.Component.4.5.TargetingPack,Microsoft.VisualStudio.Component.Debugger.JustInTime,Microsoft.Component.MSBuild,Microsoft.Net.Component.4.6.1.TargetingPack,Microsoft.Net.ComponentGroup.DevelopmentPrerequisites,Microsoft.VisualStudio.Component.TextTemplating,Microsoft.VisualStudio.Component.ManagedDesktop.Core,Microsoft.Net.Component.4.TargetingPack,Microsoft.Net.Component.4.5.2.TargetingPack,Microsoft.VisualStudio.Component.IISExpress,Microsoft.VisualStudio.Component.WebDeploy,Microsoft.VisualStudio.Component.SQL.NCLI,Microsoft.VisualStudio.Component.SQL.LocalDB.Runtime,Microsoft.VisualStudio.Component.SQL.ADAL,Microsoft.VisualStudio.Component.Common.Azure.Tools,Microsoft.VisualStudio.Component.SQL.CMDUtils,Microsoft.VisualStudio.Component.SQL.SSDT,Microsoft.VisualStudio.Component.SQL.DataSources,Microsoft.VisualStudio.Component.Web""";[io.file]::ReadAllText("""C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Debugger.JustInTime,version=15.0.26424.2\RegisterJustInTimeDebugger.ps1""") | Invoke-Expression; if (!$?) { exit 1603 } elseif ($LastExitCode) { exit $LastExitCode }"
Return code: 1
Return code details: Incorrect function.
In the log:
[10c8:002a][2017-06-22T10:32:43] c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -InputFormat None -NoLogo -NonInteractive -NoProfile -Command "$ErrorActionPreference="""Stop""";$VerbosePreference="""Continue""";$Action="""Modify""";$AppId="""9180617e""";$Packages="""Microsoft.VisualStudio.Component.CoreEditor,Microsoft.VisualStudio.Component.NuGet,Microsoft.Net.Component.4.6.1.SDK,Microsoft.VisualStudio.Component.TypeScript.2.2,Microsoft.VisualStudio.Component.JavaScript.TypeScript,Component.WebSocket,Microsoft.VisualStudio.Component.JavaScript.Diagnostics,Microsoft.VisualStudio.Component.Roslyn.Compiler,Microsoft.VisualStudio.Component.Static.Analysis.Tools,Microsoft.VisualStudio.Component.Roslyn.LanguageServices,Microsoft.VisualStudio.Component.PortableLibrary,Microsoft.VisualStudio.Component.SQL.CLR,Microsoft.VisualStudio.Component.VisualStudioData,Microsoft.VisualStudio.Component.AppInsights.Tools,Microsoft.Component.ClickOnce,Microsoft.Net.Component.4.5.TargetingPack,Microsoft.VisualStudio.Component.Debugger.JustInTime,Microsoft.Component.MSBuild,Microsoft.Net.Component.4.6.1.TargetingPack,Microsoft.Net.ComponentGroup.DevelopmentPrerequisites,Microsoft.VisualStudio.Component.TextTemplating,Microsoft.VisualStudio.Component.ManagedDesktop.Core,Microsoft.Net.Component.4.TargetingPack,Microsoft.Net.Component.4.5.2.TargetingPack,Microsoft.VisualStudio.Component.IISExpress,Microsoft.VisualStudio.Component.WebDeploy,Microsoft.VisualStudio.Component.SQL.NCLI,Microsoft.VisualStudio.Component.SQL.LocalDB.Runtime,Microsoft.VisualStudio.Component.SQL.ADAL,Microsoft.VisualStudio.Component.Common.Azure.Tools,Microsoft.VisualStudio.Component.SQL.CMDUtils,Microsoft.VisualStudio.Component.SQL.SSDT,Microsoft.VisualStudio.Component.SQL.DataSources,Microsoft.VisualStudio.Component.Web""";[io.file]::ReadAllText("""C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Debugger.JustInTime,version=15.0.26424.2\RegisterJustInTimeDebugger.ps1""") | Invoke-Expression; if (!$?) { exit 1603 } elseif ($LastExitCode) { exit $LastExitCode }"
[10c8:002a][2017-06-22T10:32:43] Error: Invoke-Expression : The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1812
+ ... bugger.ps1") | Invoke-Expression; if (!$?) { exit 1603 } elseif ($LastExitCode) ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Invoke-Expression:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : CommandNotFoundException
It seems that Invoke-Expression is not recognized....how is it possible?
I was trying to run a powershell script (which I have run before) and received the following error:Authorizationmanager Check Failed
I figured it was the Execution Policy, so ran:
Set-ExecutionPolicy Unrestricted
I then received:
Set-ExecutionPolicy : Initialization failure
At line:1 char:20
+ set-executionpolicy <<<< unrestricted
+ CategoryInfo : NotSpecified: (:) [Set-ExecutionPolicy], ManagementException
+ FullyQualifiedErrorId : System.Management.ManagementException,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
The same initialization error occurs for Get-ExecutionPolicy
Some basic commands seem to work fine, such as:
Write-Output "hi"
Can anyone suggest a fix?
Note: This is on Windows XP
Update: If I run the contents of ascript from within the powershell command prompt, it works. I only get the errors if it is run as a script. Also, Get-ExecutionPolicy and Set-ExecutionPolicy still fail from within the powershell prompt.
Make sure you are running the console as admin [Right click] then [click] "run as administrator" when you run Set-ExecutionPolicy Unrestricted.
The source of the error was due to a problem with the WMI repository. I was able to repair the repository running the following command:
Note: This is for Windows XP
rundll32 wbemupgd, UpgradeRepository
Once this was run, I was successfully able to execute Get-ExecutionPolicy, and other powershell scripts again.
A couple of links that detail repairing the WMI Repository.
Another very common case (I think this only applies post-XP), is where the .ps1 file has been 'blocked' after being downloaded from an untrusted location.
Solution: open the 'Properties' of the file in Windows Explorer, and on the 'General' tab click 'Unblock', then 'Apply' or 'OK'.
Another potential reason for this error (seen on Windows Server 2012) is that the Windows Management Instrumentation service is not running.
Starting and running the service allows for Get-ExecutionPolicy to run, and then Set-ExecutionPolicy.