PowerShell Execution Policies

So you decide to use PowerShell for the first time, and when you run a PowerShell script, you get a security warning or maybe you see some error messages and then the PowerShell window disappears. Here are some simple tips for your first PowerShell experience to be a success.

Make sure you are using the latest version of PowerShell:

https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1

About Execution Policies

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1

Open your PowerShell console

Always open it in elevated mode (If possible), with the title “Administrator: Windows PowerShell”. Then you try to execute a command, script or even import a module as in my example below.

image

This issue occurs because PowerShell starts with the execution of scripts disabled, obviously this happens for security reasons, after all, your environment can be seriously affected by a malicious script.

In the screen below, you can see that I ran the Get-ExecutionPolicy command and the response was Restricted

image

There are 5 scopes of Execution Policy, and it depends on your need, but it is important that you know how to manipulate each scope and why.

  1. MachinePolicy: Set by a Group Policy for all users of the computer.
  2. UserPolicy: Set by a Group Policy for the current user of the computer.
  3. Process: The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.
  4. CurrentUser: The execution policy affects only the current user. It’s stored in the HKEY_CURRENT_USER registry subkey.
  5. LocalMachine: The execution policy affects all users on the current computer. It’s stored in the HKEY_LOCAL_MACHINE registry subkey.

It is also important to know how to manipulate policies and which is the most suitable for your needs. I will list the policies that you can configure to use in your environment

  • AllSigned
  • Scripts can run.
  • Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • Prompts you before running scripts from publishers that you haven’t yet classified as trusted or untrusted.
  • Risks running signed, but malicious, scripts.
  • Bypass
  • Nothing is blocked and there are no warnings or prompts.
  • This execution policy is designed for configurations in which a PowerShell script is built in to a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.
  • Default
  • Sets the default execution policy.
  • Restricted for Windows clients.
  • RemoteSigned for Windows servers.
  • RemoteSigned
  • The default execution policy for Windows server computers.
  • Scripts can run.
  • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet which includes email and instant messaging programs.
  • Doesn’t require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
  • Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
  • Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.
  • Restricted
  • The default execution policy for Windows client computers.
  • Permits individual commands, but does not allow scripts.
  • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
  • Undefined
  • There is no execution policy set in the current scope.
  • If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.
  • Unrestricted
  • The default execution policy for non-Windows computers and cannot be changed.
  • Unsigned scripts can run. There is a risk of running malicious scripts.
  • Warns the user before running scripts and configuration files that are not from the Local intranet zone.

And finally, right after changing the execution policy in my example below to Unrestricted, it was possible to import the Azure module into the PowerShell.

image

Example 1: Set-ExecutionPolicy Unrestricted -force

Example 2: Set-ExecutionPolicy RemoteSigned -force

Note: The Parameter –Force is used only to prevent warnings from appearing, and then it is not necessary to make confirmations.

I do not recommend leaving the policy set to Unrestricted, this was just for example. You must adapt to your need and if it is necessary to apply the Unrestricted policy do not forget to change when you finish your task. At the beginning of the article, I also left a link to Microsoft Docs where you can learn more about the subject, I will stop here and see you later!

How to connect to Azure from PowerShell

Today I will talk about how to use PowerShell. I know that there is already integrated access to the browser directly through the Azure portal, but the idea of this post is to show how to access it as in the old days and mainly to help those who do not know where to start.

Well, let’s get started! If you have not yet installed the PowerShell module, I will demonstrate here how to do this, basically, you will need to open PowerShell as Administrator (Right-click and select “Run as administrator”), then execute the following command (Copy and Paste it):

If you want the module to be available only to the user performing the procedure on this workstation, choose command 1, if not, you want the module to be available to all users of this workstation, choose command 2.

1 – Install for Current User

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
'Az modules installed at the same time is not supported.')
} else {
Install-Module -Name Az -AllowClobber -Scope CurrentUser
}

2 – Install for All Users
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    Install-Module -Name Az -AllowClobber -Scope AllUsers
}

If you try to understand the commands, you will see that only the parameter –Scope is changed. My learning tip here is, always try to understand the command that is being executed, this will help you to become familiar with Cmdlets (CmdLets is the name given to the commands used in PowerShell).

image

If you want to understand more about the subject, here are some links that will help you learn.

  • Introducing the Azure Az PowerShell module

From now on I am assuming you have already installed the Az Module and using PowerShell. Here is the simple command for your reference. The below command will connect to your Azure Account and it will connect to the default subscription.

Import-Moduloe –Name Az

Connect-AzAccount

AzAccountConnected

And if you have different subscriptions you have to set the default subscription with the below command.

Set-AzContext ‘YOUR_SUBSCRIPTION_NAME’

To Discover or list all the Az Module

Get-Module Az.* -ListAvailable | Select-Object Name -Unique

To discover the available cmdlets within a module we can use the Get-Command cmdlet. In this example, we browse all cmdlets within the Az.Account module:

Get-Command -Module Az.Accounts

You can use the Get-Help command to get help with any specific command

Get-Help Get-AzVM

image

If want to see a few examples against this command you can use this.

Get-Help Get-AzVM –Examples

image

That and everything for today. If you have any questions, leave them in the comments or contact us, it will be a pleasure to answer them Smile.