0

In this answer, Sam states that in order to get Windows to trust my PowerShell profile for execution, every time that I open a PowerShell shell, I should be able to and click "Properties." At the bottom of the dialogue box click "Unblock"; when I do so, I don't see any unblock checkbox at all.

I also don't want to just be able to run any old script by setting Set-ExecutionPolicy Unrestricted. I want to just have the functions in my PowerShell profile loaded automatically when I open a PowerShell prompt on select machines on the network.

Instead when I load it I get the following error:

. : File \\redirected.domain.org\Redirected\yy-xxx\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot
be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . '\\redirected.domain.org\Redirected\yy-xxx\My Documents\WindowsPowerShell\Microsof ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

It seems to be Microsoft's way of preventing you from knowing that you're using a computer and not some glorified piece of paper.

Is there a way to have my PowerShell profile load up by simply opening PowerShell without opening myself to other vulnerabilities?

leeand00

1 Answer

2

I think there are two problems.

You can use:

Set-ExecutionPolicy RemoteSigned

which tells PowerShell to execute local scripts, but not any non-local scripts.

A non-local script can be one that is stored on the local machine, but had been downloaded from the internet and has a :Zone.Identifier:$DATA 26 in its NTFS alternate data stream. The unblock in the file properties dialog removes that data stream and makes a file 'truly' local. After you've done that you can run it in PowerShell.

But it seems your profile is located on a remote server, so it is never local.

You could either copy the profile file to your local machine and make sure it is unblocked; you can use the Unblock-File cmdlet for that.

Or you keep your profile file remote but sign it with a digital signature, but for that you need a code-signing certificate that your workstation trusts.

Peter Hahndorf
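The checks behind the answer above, as an added example that is not part of the original answer: a read-only function that reports why a script would or would not load under RemoteSigned, followed by the two fixes the answer describes. The function name `Test-ScriptTrust` and the path `C:\Scripts\profile.ps1` are hypothetical, and the function follows the answer's rule that a script on a network share is never local. Paste it into the prompt, which works even when running script files is disabled.

```powershell
# Added example (not from the original answer). Test-ScriptTrust is a hypothetical name.
function Test-ScriptTrust {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Per the answer: a profile on a remote server (UNC path) is never local.
    $onShare = ([uri]$file.FullName).IsUnc

    # The Zone.Identifier alternate data stream that "Unblock" / Unblock-File removes.
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier `
                     -ErrorAction SilentlyContinue

    # Valid means signed by a code-signing certificate this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    $isLocal = (-not $onShare) -and (-not $zone)
    [pscustomobject]@{
        Path                  = $file.FullName
        EffectivePolicy       = Get-ExecutionPolicy
        OnNetworkShare        = $onShare
        HasZoneIdentifier     = [bool]$zone
        SignatureStatus       = $sig.Status
        LoadsUnderRemoteSigned = $isLocal -or ($sig.Status -eq 'Valid')
    }
}

# Which scope (Group Policy, user, machine) is setting the policy?
Get-ExecutionPolicy -List

# Diagnose the profile that failed to load.
Test-ScriptTrust -Path $PROFILE

# Fix 1 from the answer: keep a local, unblocked copy (hypothetical path)
# and allow local scripts for this user only.
#   Unblock-File -LiteralPath 'C:\Scripts\profile.ps1'
#   Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# Fix 2 from the answer: leave the profile on the share and sign it with a
# code-signing certificate the workstation trusts.
#   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#   Set-AuthenticodeSignature -FilePath $PROFILE -Certificate $cert
```

A signed profile has to be signed again after every edit, because any change to the file invalidates the signature.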