How to solve CredSSP Encryption error when trying RDP - credssp

I get this error when I connect with RDP
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
How to solve it?

Microsoft made this bad change but I will solve it for you :-)
Run cmd as Administrator (Search for cmd and right click with the mouse to choose RUN AS ADMINISTRATOR).
You can also use PowerShell as admin.
Copy and paste this command to run it, and rate my answer if it succeeds :-)
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Create a text file: rd_patch.reg
Paste the following content, save and double-click it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
Solution from: https://serverfault.com/a/911645
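
Both answers above write AllowEncryptionOracle = 2, which is the "Vulnerable" level of the Encryption Oracle Remediation policy. The following is an added example, not part of the original answers: it reports the current level and puts the value back to "Mitigated" once both RDP endpoints have the CredSSP update installed. The function names are hypothetical.

```powershell
# Added example: audit and restore the CredSSP Encryption Oracle Remediation level.
# Level names follow Microsoft's policy documentation for AllowEncryptionOracle.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleSetting {
    # Hypothetical helper. Returns the configured level, or 'NotConfigured'
    # when the value is absent and the operating system default applies.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Level = 'NotConfigured'; Weakened = $false }
    }
    $v = [int]$item.AllowEncryptionOracle
    $level = if ($Levels.ContainsKey($v)) { $Levels[$v] } else { 'Unknown' }
    [pscustomobject]@{ Value = $v; Level = $level; Weakened = ($v -eq 2) }
}

function Restore-CredSspOracleSetting {
    # Hypothetical helper. Run elevated, after the RDP client and server are
    # both updated. 1 = Mitigated, 0 = Force Updated Clients.
    param([ValidateSet(0, 1)][int]$Value = 1)
    if (-not (Test-Path -Path $CredSspKey)) {
        return Get-CredSspOracleSetting   # nothing was overridden, nothing to restore
    }
    Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Value $Value -Type DWord
    Get-CredSspOracleSetting
}

# Report the current state; Weakened = True means the workaround is still in place.
Get-CredSspOracleSetting | Format-List
```

Run Restore-CredSspOracleSetting from an elevated prompt after patching, then confirm that the RDP connection still succeeds.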

Related

Baseline-LocalInstall -win11NonDomainJoined script disabled RDP on the station

While setting up a new workstation, which is meant to be outside the company's domain, I ran the script Baseline-LocalInstall -Win11NonDomainJoined. After the script was done, I cannot turn on the Remote Desktop Protocol function. The slider stays on 'off', no matter what I do (I tried editing GPO as well as adding a couple of REG_DWORDs), and for the life of me I cannot figure out what else to do. Has anyone, by any chance, encountered similar issues? What I've noticed is that RDP turned off automatically while the following output was being returned in PowerShell:
Running LGPO.exe /v /g ..\GPOs\{2C3C079A-D4FB-47BD-BF32-DE883E9AF6C4}
Applying GPO "MSFT Windows 11 - Domain Security"...
Running LGPO.exe /v /g ..\GPOs\{091755B0-6C83-48E7-A77A-E89D0C2EAF27}
Applying GPO "MSFT Windows 11 - User"...
Running LGPO.exe /v /g ..\GPOs\{80A3C624-3A13-4302-89AD-62D667966E4B}
Non-domain-joined: back out the local-account restrictions...
Running LGPO.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
Any help would be appreciated!

Run a script after a Windows 10 (non-Domain) Reset to enable RDP

For the Reset function, I go to Settings > Updates and Security > Recovery > Reset this PC. So this is a choice that I make, and on that basis I want to choose for that system to run a script after the Reset - and we know that should be possible as we can create completely customised Windows installation ISOs that install apps and Features in a clean state, so can someone tell me how to do quite a simple thing - to just get Windows to run a PowerShell script after that Reset?
Actually, I only want to run a couple of lines:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
i.e. This will enable RDP and allow me to connect remotely and continue the configuration without having to plug in a monitor and keyboard and mouse all just to run the above two commands. As per title, this is a non-Domain scenario so accessing the system as Domain Admin is not possible (and really a Domain should not be necessary, these are my systems on my local network).
The other reason that should make all of the above completely possible is that performing a Reset is not an absolute reset as it retains user information (my main user is still there with the password intact), so just enabling RDP would make everything possible post-Reset.
For reference, nothing in the following has helped me to achieve this goal so far:
Run a powershell script on a remote system with elevated permissions to enable remoting
https://interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop
The easiest way to do this is to download PStools from Microsoft and use psexec to give yourself remote access:
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
psexec \\machinename netsh firewall set service remoteadmin enable
psexec \\machinename netsh firewall set service remotedesktop enable
psexec will let you supply credentials with -u and -p

Deleting registry keys in batch file (ERROR: Access is denied)

I'm trying to delete registry keys in a batch file, here's what I'm doing.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM" /f
I'm receiving the following error:
ERROR: Access is denied.
Yet I can simply open regedit.exe and right click and delete the registry key no problem! To state the obvious, I have elevated the batch file instance as administrator, am logged in as administrator, and tried running the batch from a cmd and powershell instance both as administrator. The Administrator account has full permissions for the registry keys, which is why I'm able to delete them simply through the regedit GUI. This is part of a large batch file script, the point is I want the whole process to be automated. Any ideas?
Lots of companies have a GPO setting called 'Prevent Access To Registry Editing Tools' set to 'Yes'.
Maybe that is the culprit here. When you run regedit yourself, the machine will probably show you a UAC message first and next you click 'OK' on that?
You may get a useful error message if you try to delete the key using a different scripting language like VBScript:
Const HKEY_LOCAL_MACHINE = &H80000002
Dim objReg, strKeyPath, strComputer
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\CCM"
objReg.DeleteKey HKEY_LOCAL_MACHINE, strKeyPath
Set objReg = Nothing
or using PowerShell:
Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Recurse
More of a follow-up to @Theo's response, it seems like something's preventing you access as that command should work. I would suggest trying his idea, then if it does not work, trying this one.
Since you have admin access you could attempt to give Everyone perms to the key as all you want to do is simply remove it. The REGINI command can do this but will add some bulk to the script.
::Grant perms to REG key
echo \Registry\machine\SOFTWARE\Microsoft\NEW [7] >> "%~dp0KeyPermx.txt"
REGINI "%~dp0KeyPermx.txt"
del "%~dp0KeyPermx.txt"
::Remove the key
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NEW" /f

Win10: How to activate developer mode using powershell or cmd.exe?

I want to activate the developer mode (to use the ubuntu subsystem), but I don't have admin account credentials. However, I have access to a cmd.exe with admin rights. So I can open regedit and use the powershell without restrictions. Some tutorials (this one for example) state that the dev mode can be easily activated by creating or setting special keys in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
In my case these keys did not exist in the registry before, so I added them manually. Sadly, it does not work and dev mode is still inactive. I also tried to open the Settings App using the terminal (start ms-settings:) and enable dev mode using the GUI, but it seems like the start command ignores/flushes the admin privileges and the app asks for credentials.
OS: Win10
Build Version: 14393.1198
EDIT
Because of @magicandre1981's answer, I tried to run the following command
DISM /Online /Add-Capability /CapabilityName:Tools.DeveloperMode.Core~~~~0.0.1.0
But I got this error:
Deployment Image Servicing and Management tool
Version: 10.0.14393.0
Error: 11
You cannot service a running 64-bit operating system with a 32-bit version of DISM.
Please use the version of DISM that corresponds to your computer's architecture.
The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log
With the help of google, I found out that I have to use a different cmd.exe version located in C:\\Windows\native. So I navigated there and called cmd.exe. After that I got another error, that the current directory is invalid, but after navigating back to C:\\Windows\System32 the command finished without an error. However, it still does not work. I restarted the system and the dev mode is still not activated.
In the cmd.exe that is running as admin, run the following 2 commands:
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
and
DISM /Online /Add-Capability /CapabilityName:Tools.DeveloperMode.Core~~~~0.0.1.0
Depending on which Windows 10 build you run, you may need to reboot the system to finish setup.
To enable the Linux Subsystem, open a cmd.exe as admin and run
DISM /Online /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux
Once in cmd/admin, run mmc compmgmt.msc and create yourself a user with administrator rights. Log in as that user, pwn.
There are official instructions:
https://learn.microsoft.com/en-us/windows/apps/get-started/developer-mode-features-and-debugging
To enable sideloading:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowAllTrustedApps" /d "1"
To enable developer mode:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
Bonus: to enable (outdated) SSH for UWP remote deployment & Windows Device Portal:
dism /Online /Add-Capability /CapabilityName:Tools.DeveloperMode.Core~~~~0.0.1.0
dism /Online /Get-CapabilityInfo /CapabilityName:Tools.DeveloperMode.Core~~~~0.0.1.0
See details about capability here: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-10#developer-mode

Using Powershell as terminal in IntelliJ IDEA IDEs like PyCharm, PHPStorm or RubyMine

I have been attempting to run powershell as my terminal on windows in pycharm, so I did the following:
However, when I try this, it says that it cannot execute my scripts, and hence I get the following error: SecurityError, and the Fully Qualified Id is: UnAuthorizedAccess.
This arises from the fact that pycharm's terminal cannot execute my Powershell_profile.ps1 profile file.
How can I successfully run Pycharm's terminal with Powershell?
What I have tried so far, is going into my main powershell directory as in %windir%/system32/WindowsPowerShell/1.0/profile.ps1, and then change it to include the following:
Set-ExecutionPolicy Unrestricted
However, this does not help, and I get the same error when I try to open PyCharm's terminal.
I have also tried to run pycharm as Admin, however this does not solve the problem either, and I get the same aforementioned error.
I've replaced cmd.exe with powershell.exe in a simpler way and hope it can help.
I'm using webstorm2017 and Win10 os.
1. Find the exact location of powershell.exe. In mine and I believe in most computers the location would be C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. Copy the whole path into your clipboard.
2. In your IDE open File=>Setting=>Tools=>Terminal, and paste the path into "Shell path" blank.
3. Restart the IDE and everything would be ok.
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
I updated the powershell.exe path in IntelliJ -> Settings -> Terminal
Opened a powershell instance in Admin mode.
Executed Set-ExecutionPolicy Unrestricted -Scope CurrentUser
Restarted IntelliJ and the issue was solved.
Step 3 is from ebelanger's answer.
Browse to the PowerShell executable, right-click, run as administrator.
From the prompt, use the same command you tried:
Set-ExecutionPolicy Unrestricted
Once that is done, close PowerShell, and attempt to use it again from your application.
Note:
You can't set the execution policy from a script, as the default execution policy prevents you from running scripts. (even if it's the profile script - still a script)
In PyCharm
File->Settings->Tools->Terminal
Shell path:
"powershell.exe -ExecutionPolicy Bypass"
Then restart PyCharm
In the Default Shell TextBox you can append the execution policy command line option like so:
powershell.exe -Executionpolicy Unrestricted
If you're running on Windows 8 x64 then running both the commands below may help. It worked for me.
Set-ExecutionPolicy Unrestricted
start-job { Set-ExecutionPolicy Unrestricted -Force } -RunAs32
Credit to a comment found here:
Powershell on Windows 7: Set-ExecutionPolicy for regular users
As mentioned in other answers, if after setting powershell.exe as your terminal in IntelliJ → Settings → Tools → Terminal → Shell path it throws UnAuthorizedAccess errors, the normal way to solve this is to alter the execution policy:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Note that the Unrestricted level is the least secure of all, and you can usually go with RemoteSigned in order to disable unsigned scripts downloaded from the web until you manually remove the Internet or Intranet Zone.Identifier from them, usually with the Unlock button in file properties.
However, you may run into an occasion when you're not able to change the execution policy. Usually that's because of corporate security settings in Active Directory. In PowerShell, that corresponds to scopes MachinePolicy and UserPolicy. A primary symptom of this situation is the following message:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a
more specific scope. Due to the override, your shell will retain its
current effective execution policy of AllSigned. Type
"Get-ExecutionPolicy -List" to view your execution policy settings.
For more information please see "Get-Help Set-ExecutionPolicy".
You can't set execution policies at these scopes with PowerShell or gpedit.msc. Attempts to change these settings directly in the registry are also ineffective: they're applied on restart or login, but at the same time they're being re-imported from Active Directory. However, while you won't be able to run arbitrary PowerShell scripts all around, for profiles and other local scripts that are only modified manually there's still a solution:
1. Run the following command in PowerShell to create certificate files root.pvk and root.cer - it will ask you to define and then confirm a password for the certificate:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
2. In the same folder, run the following command to import the generated certificate files as your self-signed certificate - it will ask for the password you defined above:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
3. Sign your profile script with the following command:
Set-AuthenticodeSignature "[script path]" @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
When running a script signed with a self-certificate for the first time, PowerShell will ask you about trusting the certificate like this:
The file [script path] is published by CN=PowerShell User. This publisher is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D")
Answer A to always run self-signed certificates.
Now your profile script won't cause any errors. However, note that signing a certificate adds a signature block at the end of your script containing its hash. If you're about to modify the script, remove that block and, after you're done editing the script, sign it again by repeating step 3.
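
A diagnostic for the situation in the answer above, as an added example that is not part of the original answers: it takes output shaped like Get-ExecutionPolicy -List, reports which scope decides the effective policy and whether that scope comes from Group Policy, and checks the signature status of the profile script. Resolve-EffectivePolicy and Get-ProfileSignatureStatus are hypothetical helper names, and the sample list is constructed to mirror the override message quoted above.

```powershell
# Added example (not from the original answers).
# Scope precedence used by PowerShell, highest first.
$ScopeOrder = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Resolve-EffectivePolicy {
    # Hypothetical helper: $PolicyList has the shape of Get-ExecutionPolicy -List output.
    param([Parameter(Mandatory)][object[]]$PolicyList)
    foreach ($scope in $ScopeOrder) {
        $entry = $PolicyList | Where-Object { "$($_.Scope)" -eq $scope } | Select-Object -First 1
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            return [pscustomobject]@{
                Scope            = $scope
                Policy           = "$($entry.ExecutionPolicy)"
                # Group Policy scopes are not changed by Set-ExecutionPolicy.
                SetByGroupPolicy = ($scope -in 'MachinePolicy', 'UserPolicy')
            }
        }
    }
    # Nothing configured at any scope: Restricted is the default on Windows client editions.
    [pscustomobject]@{ Scope = 'None'; Policy = 'Restricted'; SetByGroupPolicy = $false }
}

function Get-ProfileSignatureStatus {
    # Hypothetical helper: returns Valid, NotSigned, HashMismatch (edited after signing), etc.
    param([string]$Path = $PROFILE)
    if (-not (Test-Path -LiteralPath $Path)) { return 'NoProfile' }
    "$((Get-AuthenticodeSignature -LiteralPath $Path).Status)"
}

# Constructed sample: Group Policy enforces AllSigned, CurrentUser asks for RemoteSigned.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'RemoteSigned' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'Undefined' }
)
Resolve-EffectivePolicy -PolicyList $sample                      # constructed input
Resolve-EffectivePolicy -PolicyList (Get-ExecutionPolicy -List)  # this machine
Get-ProfileSignatureStatus                                       # current user's profile
```

When SetByGroupPolicy is true, changing the CurrentUser or LocalMachine scope has no effect, and a HashMismatch status means the profile was edited after it was signed.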
Specify the shell that will run by default. Here are some examples of different shells:
Bash: /bin/bash
Z shell: /bin/zsh
Bash for Windows: bash.exe
WSL: wsl.exe
PowerShell: powershell
Command Prompt: cmd.exe
Cygwin: "C:\cygwin\bin\bash.exe" --login -i
for more info: https://www.jetbrains.com/help/webstorm/settings-tools-terminal.html
As of this writing (2018-9-20), there is now a PowerShell plugin available here.
I have installed v1.1 in PyCharm v2018.2.3 (Professional), and it seems to work like a charm, no pun intended.
This plugin provides Intellisense-type support of PS1 scripts, as well as an integrated PowerShell terminal. In order to open the terminal, go to Tools > PowerShell Console...
There appears to be no need to muck about with any kinds of settings or permissions in order to get it to work. It Just Works.
You only need to write powershell in the Shell path input, just like in the image. You can also see the JetBrains documentation and configure any shell you want.
For WebStorm and PowerShell 6+ on Windows 10.
Just follow this screenshot and change the default cmd.exe to pwsh.exe from settings. Finally restart the IDE. Done!