Powershell security warning

Hi all - long time since I’ve posted here and just had to re-write this since Wordpress had a fail on me and deleted my original post, so forgive any bad grammar :confused:

I’ve been looking for years to find a way to disable PowerShell’s annoying security warnings. Recently I’ve started to script some more, and it's gotten to the point now that it's making me angry every time I try to debug or write anything.

Is there a way to properly disable the PowerShell security warnings that pop up every time you run a script? I write all my own scripts, so usually don't bother to sign them or anything (no point) and I often write little scriptlets to help me automate tasks.

Most of what I code is done to automate really basic stuff, or things like a full on server deployment. They rely entirely on zero-touch from the user/admin running them, so this security warning always throws a spanner in the works. I kick off a server deployment using my script for e.g. and come back hours later expecting it to be done only to find it stuck on this infuriating warning screen:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run <file-name>?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is “D”):

I’ve searched online long and hard for a solution, and nothing I’ve tried seems to do anything with this warning message.

  • Set-ExecutionPolicy to bypass - does nothing
  • Setting Intranet zone security for SMB shares (my scripts are stored on our network SMB shares) - does nothing
  • Setting GPOs to disable POSH security - does nothing
  • Unblock-File cmdlet does not do anything at all

I've even attempted using some janky workaround using SysInternals Streams to try and sort the security zones out, but I couldn't figure out what they were trying to achieve with that method - just don't understand it enough.

My question is simple - how do I disable these warnings?

And why is this information so well hidden from Microsoft? I’ve tried to structure my google searches in multiple ways but found nothing that’s helped - either I’m looking in the wrong places, or using some wrong search criteria.

Thanks all

Greg

Can you open Powershell.exe and run this without running anything else before?

Get-ExecutionPolicy -list

Post the results.

Hi Mike,

Output below:

Scope          ExecutionPolicy
-----          ---------------
MachinePolicy  Unrestricted
UserPolicy     Unrestricted
Process        Undefined
CurrentUser    Undefined
LocalMachine   RemoteSigned

Where are you running the script from? A UNC path? If it’s local, Unblock-File (run as admin) should uncheck the blocked from the file.

Hi Rob,

Couple of things:

  • Yes, running from a mapped drive, which maps to a network share (UNC path) - this is true of all of my scripts, but I get the warning when copied locally too
  • Unblock-File actually does nothing (yes even run as admin and elevated). I also don't have the unblock option in the file properties if I try to use the GUI to do it

Something odd about the Unblock-File not doing anything tbh!

PS X:\Scripts\Server Build\New Deploy Scripts> Unblock-File .\Deploy-Server.ps1
PS X:\Scripts\Server Build\New Deploy Scripts> .\Deploy-Server.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this
script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run X:\Scripts\Server Build\New Deploy
Scripts\Deploy-Server.ps1?

This is definitely an ExecutionPolicy issue. Rob’s suggestion should “fix” this. If you want to change the policy, the least restrictive you can do is “unrestricted” because GPO (MachinePolicy and UserPolicy are set by GPO) is highest precedence. At unrestricted, you’ll still get a message that “Warns the user before running scripts and configuration files that are not from the local intranet zone.”

Recommend taking a look at Get-Help about_Execution_Policies

Thanks Mike, so basically “Unrestricted” is a misnomer then?

I am an ent admin here, so can easily change the GPO that sets this - however it's not clear what GPO setting would do it…

e.g. my GPO is setting the following:

Computer config > Policies > Admin Templates > Windows Components > Windows Powershell > Turn on Script Execution > Allow all scripts

Is there another GPO setting I need to change then?

For the record, I was using this guide to set up the GPO in the first place:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1

Greg, you can make the security setting whatever you want. People get spun up about it, but ExecutionPolicy is NOT security IMO. It’s really to prevent unwitting users from running malicious scripts. It does not prevent execution of code. It can be easily worked around. i.e.

Get-Content .\yourscript.ps1 -Raw | Invoke-Expression

When you ran Get-ExecutionPolicy -list it listed the scopes in order of precedence and the effective policy will be most restrictive by precedence.

If you can set the GPO to Undefined, the localmachine (local admin priv needed) or current user can be set to Bypass. Session scope is only for the current session so it won’t “stick”.

If you look at the properties of the file, do you still see the Unblock file checkbox after Unblock-File is executed? I’ve never run Unblock-File with a relative path, I’m working with modules and would just do something like:

Get-ChildItem -Path C:\Downloads\MyModule -Recurse | Unblock-File

Also concur with Mike on security, there are a lot of blogs and forums regarding it:

https://devblogs.microsoft.com/powershell/powershells-security-guiding-principles/
https://www.reddit.com/r/PowerShell/comments/i4xa0/what_is_the_point_of_powershell_execution_policies/

If an attacker can execute code or anything on your computer, the battle is lost already.
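A diagnostic sketch for the two points raised in the posts above (scope precedence and what Unblock-File acts on), added here as an example and not written by anyone in the thread: it reports which scope decides the effective execution policy, taking the first scope in the Get-ExecutionPolicy -List order that is not Undefined, and whether a script carries the Zone.Identifier alternate data stream that Unblock-File removes. The function names are hypothetical and the sample values are the ones posted earlier in the thread.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

function Resolve-EffectivePolicy {
    param(
        # Objects with Scope and ExecutionPolicy, in precedence order
        # (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
        [object[]]$PolicyList = (Get-ExecutionPolicy -List)
    )
    # The first scope that is not Undefined decides the effective policy.
    $winner = $PolicyList |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1
    if (-not $winner) {
        return [pscustomobject]@{
            Scope = '(none set)'; ExecutionPolicy = 'Undefined'; SetByGroupPolicy = $false
        }
    }
    [pscustomobject]@{
        Scope            = "$($winner.Scope)"
        ExecutionPolicy  = "$($winner.ExecutionPolicy)"
        # A Group Policy scope wins over anything Set-ExecutionPolicy writes.
        SetByGroupPolicy = "$($winner.Scope)" -in 'MachinePolicy', 'UserPolicy'
    }
}

function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "Not found: $Path" }
    # Unblock-File works by deleting this alternate data stream (Windows only).
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return 'No Zone.Identifier stream: Unblock-File has nothing to remove'
    }
    $zoneLine = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' |
        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    "Zone.Identifier present ($zoneLine)"
}

# Sample input: the scope list as posted in the thread.
$posted = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Unrestricted' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Unrestricted' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Resolve-EffectivePolicy -PolicyList $posted
```

Calling Resolve-EffectivePolicy with no arguments reads the live machine, and Get-ZoneMark takes the path of the script that triggers the prompt.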

Thanks guys.

I have the same view on EP - it's just an annoying hurdle outside of the consumer space (i.e. for people actually writing the scripts on servers) and isn’t real security.

That said, the Invoke-Expression method does work for me. It took a long time to actually execute the script though - wasn’t as instant as I was expecting and the script is currently only doing some 'Write-Host' output for me to test with.

Basically to call our scripts, we should use the Invoke-Expression method - so far this is the only thing that has bypassed the security warning in my testing.

Thanks for the help.