PowerShell: ExecutionPolicy cannot be modified with PowerShell 7.2.2 / 7.2.3
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest released version
- Search the existing issues.
- Refer to the FAQ.
- Refer to Differences between Windows PowerShell 5.1 and PowerShell.
Steps to reproduce
Modifying ExecutionPolicy with PowerShell 7.2.2 does not work correctly. When I set ExecutionPolicy to Unrestricted using “Set-ExecutionPolicy Unrestricted” the registry setting Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy is still set to “Restricted”, even after refreshing / rebooting, and all ps scripts are blocked. When checking with Get-ExecutionPolicy -List the result is “Unrestricted” for local machine and undefined for all other scopes, so obviously the setting is somehow set but does not have any effect.
When I do the same using PowerShell 5.1 everything works as expected.
Also, when running Get-ExecutionPolicy -List in both versions, different results are displayed.
Expected behavior
PowerShell 7.2.2 should work identically to PowerShell 5 when modifying/listing ExecutionPolicy
Actual behavior
PowerShell 7.2.2 does not modify ExecutionPolicy correctly
Error details
No response
Environment data
Windows 10 Professional 19043, Single unmanaged Workstation (not part of a domain or AD)
Name                           Value
----                           -----
PSVersion                      7.2.2
PSEdition                      Core
GitCommitId                    7.2.2
OS                             Microsoft Windows 10.0.19043
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Visuals
https://user-images.githubusercontent.com/2854973/166218680-bfb3b0a5-290e-4b54-b665-15d3ea0b05da.mp4
About this issue
- State: closed
- Created 2 years ago
- Comments: 18
@griesi007 - you’re welcome. You’re not the first to have that misconception, and I’m sure you won’t be the last.
@jhoneill Thanks for clarifying this. My misconception was that ExecutionPolicy is a global system-wide setting. But in fact it is a PowerShell-specific setting, which must be configured in each PowerShell used. You can close the issue.
PowerShell 7 reads the JSON and Group Policy Settings. As you have shown:
At no time has Set-ExecutionPolicy been a global setting for all different versions of PowerShell.
In PowerShell 5 normal users have read-only access to the Registry key holding the machine setting.
In PowerShell 6/7 normal users have read-only access to the JSON file holding the machine setting.
As the image below shows, running Set-ExecutionPolicy changes the JSON. Changing the JSON causes an issue with an untrusted file in PSReadline, and won’t load my unsigned profile. Clearly the policy IS effective.
Here’s a second screenshot showing that if you edit the JSON the policy changes - and this is PowerShell 6.
Note that this is not supported. The text in the JSON might change, the location of the file might change. In version 8 it could be YAML or XML format, or back in the registry. The only supported way to read or write the policy is with the cmdlet for that version of PowerShell.
All official documentation that I am aware of refers to the Set-ExecutionPolicy cmdlet, which sets the policy (via JSON) for 6/7 and via registry for 5 and earlier. I’m pretty sure there is no official advice to use reg.exe <something> to set a policy by merging in a .REG file, nor to run regedit and navigate to HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy, nor to use Get-ItemProperty hklm:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell -name ExecutionPolicy, but if you know different please share.
There is an error in the on-line help which still says the policy is stored in the registry, but does not give a path or recommend accessing the registry directly.
PowerShell 7 doesn’t get its execution policy from the registry but from a JSON file. There is no “appropriate registry setting” for execution policy in PS 7. If the cmdlet changed a registry setting pwsh.exe would still look at the JSON not the registry. You can hack the registry for the PowerShell 5 policy setting from PowerShell 7 (e.g. with Set-ItemProperty). I don’t know how many different ways I can put that.
I think PowerShell 7 writes the execution policy to powershell.config.json (machine policy is in the $psHome directory) where Windows PowerShell uses the registry. If I don’t have write access to $Pshome I get an error
Access to the path 'C:\Program Files\PowerShell\7\powershell.config.json' is denied.
if I try to set execution policy for the machine.
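An added example, not from the issue thread or the PowerShell project: because each engine keeps its own policy, this script asks powershell.exe and pwsh.exe for their settings through their own Get-ExecutionPolicy cmdlet and lists the scopes side by side. It assumes both executables are on PATH; the Process row can be inherited from the calling session through the PSExecutionPolicyPreference environment variable.

```powershell
# Added example: audit the execution policy of every PowerShell engine on this
# machine. Each engine is queried with its own cmdlet, so nothing here reads the
# registry or powershell.config.json directly.
$engines = 'powershell.exe', 'pwsh.exe'   # Windows PowerShell 5.1, PowerShell 6/7

# Runs inside the target engine and prints one "Scope=Policy" line per scope,
# then the effective policy. Single quotes only, so the text survives being
# passed as a native command-line argument.
$query = 'Get-ExecutionPolicy -List | ForEach-Object { ''{0}={1}'' -f $_.Scope, $_.ExecutionPolicy }; ' +
         '''Effective={0}'' -f (Get-ExecutionPolicy)'

$rows = foreach ($exe in $engines) {
    $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $cmd) {
        Write-Warning "$exe not found on PATH, skipped."
        continue
    }

    # -NoProfile keeps a blocked or unsigned profile from polluting the output.
    $lines = & $cmd.Path -NoProfile -NonInteractive -Command $query |
        Where-Object { $_ -match '^\w+=' }

    foreach ($line in $lines) {
        $scope, $policy = $line -split '=', 2
        [pscustomobject]@{ Engine = $exe; Scope = $scope; Policy = $policy }
    }
}

# Pivot to one row per scope so a mismatch between engines stands out.
$rows | Group-Object -Property Scope | ForEach-Object {
    $out = [ordered]@{ Scope = $_.Name }
    foreach ($r in $_.Group) { $out[$r.Engine] = $r.Policy }
    $out['Differs'] = @($_.Group.Policy | Sort-Object -Unique).Count -gt 1
    [pscustomobject]$out
} | Format-Table -AutoSize
```

A LocalMachine row marked Differs is the situation reported in this issue: the policy was changed in one engine only.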