alter_ego_dev2
Posts: 25
Joined: Wed May 10, 2023 4:09 pm

What would be the best practice to handle users with the restricted PowerShell ExecutionPolicy?

An installer has several "Run PowerShell Inline Script" custom actions. We have found that some users face installation issues because of PowerShell ExecutionPolicy settings. How can this case be handled?

1). Probably we could have an additional custom action that would change ExecutionPolicy to RemoteSigned and at the installation end return the original value.
2). Advanced installer could run scripts with Bypass argument

powershell -ExecutionPolicy Bypass -File script.ps1
Not sure why it doesn't do that already?
3). Convert PowerShell scripts into .NET executable code and just launch exe file in a custom action.

I'm wondering what would be the best practice option in this case?
Catalin
Posts: 7030
Joined: Wed Jun 13, 2018 7:49 am

Re: What would be the best practice to handle users with the restricted PowerShell ExecutionPolicy?

Hello,

You are indeed right that on some systems, the execution of PowerShell scripts is prohibited.

There are two scenarios here:

1. the policy is set from PowerShell. In this case, it would be enough to just have the script signed and it should bypass the RemoteSigned Execution Policy.

2. the policy is set through a GPO. In this case, the script should be signed and the certificate should be installed in the Trusted Root Certification Authority.

Powershell Script Options Dialog

In case 1, we can do as you said in your point 1. However, for the second case, there's nothing we can really do.

And most of the time, in a corporate environment, we are talking about the 2nd case.

Regarding the conversion of the script to an EXE, I honestly can not say how this would work as I have not tested it.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
alter_ego_dev2
Posts: 25
Joined: Wed May 10, 2023 4:09 pm

Re: What would be the best practice to handle users with the restricted PowerShell ExecutionPolicy?

Catalin wrote: Mon Dec 04, 2023 2:14 pm In case 1, we can do as you said in your point 1. However, for the second case, there's nothing we can really do.

And most of the time, in a corporate environment, we are talking about the 2nd case.
Just to double check, are you saying that if the Execution Policy is set using GroupPolicy (MachinePolicy or UserPolicy) to Restricted, an installer can't use custom "Run Powershell Inline Scripts" or "Run PowerShell script file" actions because execution will be restricted?
Catalin
Posts: 7030
Joined: Wed Jun 13, 2018 7:49 am

Re: What would be the best practice to handle users with the restricted PowerShell ExecutionPolicy?

Hello,
Just to double check, are you saying that if the Execution Policy is set using GroupPolicy (MachinePolicy or UserPolicy) to Restricted, an installer can't use custom "Run Powershell Inline Scripts" or "Run PowerShell script file" actions because execution will be restricted?
Well, if the execution is restricted at all, then yes.

The only thing I can think of is that the execution would be restricted from a specific folder (usually %temp%) and you might be able to work around it by launching your script from a different folder.

However, most companies I would believe have the Group Policy set to "AllSigned". In this case, the certificate would need to be installed on the machine for extra security.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
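The two scenarios discussed in this thread (policy set locally versus through Group Policy) can be told apart before the installer reaches its PowerShell custom actions. The following read-only check is an added example, not Advanced Installer code and not from either poster; the function names `Get-PolicySource` and `Test-ScriptAllowed` and the script path are hypothetical.

```powershell
# Added example (not Advanced Installer code). Function and parameter names are hypothetical.
function Get-PolicySource {
    # Get-ExecutionPolicy -List returns scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $winner = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    [pscustomobject]@{
        Effective       = (Get-ExecutionPolicy).ToString()
        Scope           = if ($winner) { $winner.Scope.ToString() } else { 'Default' }
        # MachinePolicy/UserPolicy are written by Group Policy and outrank
        # the Process scope that "-ExecutionPolicy Bypass" sets.
        FromGroupPolicy = [bool]($winner -and $winner.Scope.ToString() -in 'MachinePolicy', 'UserPolicy')
    }
}

function Test-ScriptAllowed {
    param([Parameter(Mandatory)][string]$Path)

    $src    = Get-PolicySource
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signed = $sig.Status -eq 'Valid'
    # A Zone.Identifier stream marks the file as downloaded (matters for RemoteSigned).
    $remote = [bool](Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)

    $allowed = switch ($src.Effective) {
        'Restricted'   { $false }
        'AllSigned'    { $signed }                  # publisher must also be trusted
        'RemoteSigned' { $signed -or -not $remote }
        default        { $true }                    # Unrestricted, Bypass
    }
    [pscustomobject]@{
        Script           = $Path
        EffectivePolicy  = $src.Effective
        WinningScope     = $src.Scope
        FromGroupPolicy  = $src.FromGroupPolicy
        SignatureStatus  = $sig.Status.ToString()
        Allowed          = $allowed
        # A per-process override only takes effect when no Group Policy scope is set.
        OverridePossible = -not $src.FromGroupPolicy
    }
}

# Usage (placeholder path):
# Test-ScriptAllowed -Path 'C:\path\to\script.ps1'
```

When `FromGroupPolicy` is true, the result tells support staff that the fix is signing and certificate deployment by the administrator rather than any change on the installer side.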
