PowerShell Execution Policy Restricted behaviour not always the same

Jonas Leu 116 Reputation points
2021-02-18T10:23:16.877+00:00

To whom it may concern

I was struggling with some PowerShell scripts and it took me quite a bit to find the problem.

Problem:
On some client machines of a customer, PowerShell scripts did not work anymore. Logon scripts written in PowerShell did not work, even if the execution policy was on Bypass.

Solution:
I checked their GPOs, but could not find any PowerShell policy setting. I then found in the staging process that the PowerShell execution policy was set to Restricted with the following key:
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f

The exact same key is set in the registry if the PowerShell execution policy is set to Disabled through:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell -> "Turn on Script Execution" = Disabled

As soon as I deleted the registry key on the client machines, all PowerShell scripts were working fine with the bypass parameter. So it looks like the behaviour of the execution policy Restricted is not the same if set by GPO or set by default. I made some further tests which confirm my outcome:

69502-powershell-execution-policy.jpg

69474-powershell-execution-policy-2.jpg

Question:
Why is the execution policy behaving differently if it is "Restricted" in both cases?

69498-about-execution-policies.jpg
Source: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1


Accepted answer
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 28,711 Reputation points Microsoft Vendor
    2021-02-19T07:10:13.623+00:00

    Hi,

    According to the link you provided, the Group Policy setting overrides the execution policies set in PowerShell in all scopes, including that set with the “-executionpolicy” parameter. When the group policy is not configured, the “-executionpolicy” parameter sets the execution policy for the current session but it doesn't change the execution policy that is set in the registry.

    When determining the effective execution policy for a session, PowerShell evaluates the execution policies in the following precedence order:

    Group Policy: MachinePolicy
    Group Policy: UserPolicy
    Execution Policy: Process (or pwsh.exe -ExecutionPolicy)
    Execution Policy: CurrentUser
    Execution Policy: LocalMachine

    Best Regards,
    Ian Xue

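The precedence order from the accepted answer, applied as a diagnostic (an added example, not part of the thread): it reports which scope decides the effective policy and whether a `-ExecutionPolicy` parameter can take effect on this machine. The function name `Get-ExecutionPolicySource` is hypothetical, and the example assumes Windows PowerShell and the policy key quoted in the question.

```powershell
# Added example, not code from the thread. The function name is hypothetical.
function Get-ExecutionPolicySource {
    [CmdletBinding()]
    param(
        # Policy key quoted in the question (assumed: Windows PowerShell policy location).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    )

    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined decides the effective policy.
    $winner = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # A defined Group Policy scope outranks the Process scope, so a
    # -ExecutionPolicy parameter on the command line has no effect.
    $gpoScopes = @($scopes | Where-Object {
        $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
        $_.ExecutionPolicy -ne 'Undefined'
    })

    # Read the raw value as well, so a key written by REG ADD during
    # staging shows up even when no GPO object is linked.
    $enableScripts = $null
    if (Test-Path -Path $PolicyKey) {
        $enableScripts = (Get-ItemProperty -Path $PolicyKey -Name EnableScripts `
            -ErrorAction SilentlyContinue).EnableScripts
    }

    [pscustomobject]@{
        EffectivePolicy        = Get-ExecutionPolicy
        DecidedByScope         = if ($winner) { $winner.Scope } else { 'Default (all scopes Undefined)' }
        EnableScriptsValue     = $enableScripts
        ProcessParameterWorks  = ($gpoScopes.Count -eq 0)
    }
}

Get-ExecutionPolicySource | Format-List
```

On a machine in the state described in the question, `DecidedByScope` would show `MachinePolicy` and `ProcessParameterWorks` would be `False`.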

1 additional answer

  1. Jonas Leu 116 Reputation points
    2021-02-20T11:52:49.467+00:00

    Everything clear now :-)

    Thank you!

    Best Regards,
    Jonas
