So first let's be clear, if you can run with a properly set execution policy using only signed scripts then I will recommend that you keep that way. If you want to learn how to sign your scripts here is a great blog that should get you started http://www.hanselman.com/blog/SigningPowerShellScripts.aspx. But if you are like all my customers and I'm assuming 99% of the world then you don't have the time to get all your scripts that will run against Production signed before you need to run them.\
And with my customer that is exactly the case, we needed to run several of my install scripts which are not signed (I have one central script that uses Start-Process to start other scripts), and he trusts me so he was comfortable running the following command.
Then when he went to run the script he was getting this prompt several times
Run only scripts that you trust. While scripts from theInternet can be useful, this script can potentially harm your computer. Do you want to run
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
WHAT? But I set the execution policy to unrestricted...ran the following command just to check
Yup, it was set just I had expected. So started to dig and try to figure what is going on and discovered in fact by design PowerShell will by design prompt you when you run a script using an execution policy of unrestricted (http://technet.microsoft.com/en-us/library/dd347641) and what you have to do is run the command
What this command does is set the following in the security of PowerShell for the local server
- Nothing is blocked and there are no warnings or prompts.- This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.
So lesson learned unrestricted is not enough if you plan to run more complex scripts that open other PowerShell shells.
To learn more about setting execution policies start reading here http://www.techrepublic.com/blog/datacenter/set-the-powershell-execution-policy-via-group-policy/3305
If we are programming for other clients should we set the scope to "Process" so that running MyApp.exe with an internal powershell engine does not affect their native security policy ? Does this over-ride their current settings allowing them to keep secure but still run MyApp.exe ?
The execution policy affects only the current session
(the current Windows PowerShell process).