CA Client Automation

Expand all | Collapse all

Using ITCM to set Power Shell Execution Policy

Jump to Best Answer
  • 1.  Using ITCM to set Power Shell Execution Policy

    Posted 04-04-2017 04:54 PM

    Hello,

     

    I am trying to figure out a way to use ITCM to set the configuration settings for Power Shell on my servers. I can get the config changes to happen if I run the bat file remotely but not via ITCM. Here is what I have to change the execution policy to Unrestricted:

     

    @echo off
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList 'Set-ExecutionPolicy Unrestricted -Force' -Verb RunAs}"
    exit.

     

    I have also tried to deploy this in ps1 format but still no luck. How can I get ITCM to make this change for me?

     

    Thanks,

    Chris

    #windowspowershell #caitcm



  • 2.  Re: Using ITCM to set Power Shell Execution Policy
    Best Answer

    Broadcom Employee
    Posted 04-04-2017 07:28 PM

    Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\PowerShell -Name ExecutionPolicy -Value unrestricted.

     

    The command you are running sets it for current user.  Current user is system.  The above command set it for all users.

     

    Richard Lechner

    Principal Engineering Services Architect

     

    CA Technologies

    Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

     

    <mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>



  • 3.  Re: Using ITCM to set Power Shell Execution Policy

    Posted 04-05-2017 11:59 AM

    Hi Richard,

     

    Thanks so much for your prompt response! The script you provided me did work but I ran into some issues. I noticed when I packaged the script and deployed it, the job executor services would just hang. I tried to run the script manually and it returned:

    Cannot find path ‘HKLM:\Software\Policies\Microsoft\Windows\PowerShell’ because it does not exist.

     

    I then noticed that "script execution" was not configured on the server. After I configured that, the job delivery service went away and the registry updated. 

     

    I guess here is my next question. I know that this can bet set via GPO but that just simply is not an option currently. How would you recommend I proceed? I beginning to think a bat file is my only option. Thanks in advance!



  • 4.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-05-2017 12:08 PM

    There is a command line version of gpedit you can use to configure it.  I do know the syntax offhand.

     

     

     

    Sent from my Verizon, Samsung Galaxy smartphone



  • 5.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-05-2017 12:16 PM

    Look at gpmc

     

     

     

    Sent from my Verizon, Samsung Galaxy smartphone



  • 6.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-05-2017 02:11 PM

    @echo off

    reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

    reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "ExecutionPolicy" /d "unrestricted"

     

    Try something like this.

     

    Do it manually first using gpedit to see which keys are added then edit the above script

    Richard Lechner

    Principal Engineering Services Architect

     

    CA Technologies

    Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

     

    <mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>



  • 7.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-05-2017 04:44 PM

    Chris,

     

    I wrote a techdoc recently that might help:

     

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1240022.html 

     

    Basically because we are a 32 bit software, we might not always put Registry and Windows system files in the correct location.

     

    Plus since we are running as Local Admin and not as current user, like when you run it manually so it also might put items in different location ..... for example HKLM instead or HKCU



  • 8.  Re: Using ITCM to set Power Shell Execution Policy

    Posted 04-05-2017 05:33 PM

    Hi Gordon,

     

    Thanks for the reply. I went back and took your advise and tried to be more specific to where I wanted the keys to go. There is an entry for the standard registry as well as the Wow6432 node.

     

     

    @echo off

    reg add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

    reg add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

    reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"

    reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

     

    It seems when I run this bat file I am able to get the Wow node to change but not the standard 64 bit registry. Any idea why only one of the registry locations will change?



  • 9.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-05-2017 05:42 PM


  • 10.  Re: Using ITCM to set Power Shell Execution Policy

    Posted 04-06-2017 10:44 AM

    This ended up being the fix for me. I didnt even think about the agents being 32 bit running on a 64 bit OS. I went back and modified the bat file and I can confirm success on 147 test servers. I think I am in the clear. Thanks so much everyone! Also, here is the script in case any one else might need it.

     

     

    @echo off

     

    %windir%\sysnative\reg.exe add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

     

    %windir%\sysnative\reg.exe add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

     

    reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"

     

    reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"



  • 11.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-06-2017 10:51 AM

    This assumes all your machines are 64 bit If not you may want to check if exist wow6432node then…

     

    Richard Lechner

    Principal Engineering Services Architect

     

    CA Technologies

    Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

     

    <mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>



  • 12.  Re: Using ITCM to set Power Shell Execution Policy

    Posted 04-06-2017 11:08 AM

    I already had a procedure for 32 bit machines that worked fine. All I needed was the variables for 64 bit. I cant thank you enough for the help!



  • 13.  Re: Using ITCM to set Power Shell Execution Policy

    Broadcom Employee
    Posted 04-06-2017 07:11 AM

    An alternative could be to use setmode64 function in dmscript and then either issue the command or add registry keys. The script has to be saved with a .dms file extension.

     

    For example:

     

    setmode64(true)

    Exec("PowerShell -NoProfile -ExecutionPolicy Bypass -Command ""& {Start-Process PowerShell -ArgumentList 'Set-ExecutionPolicy Unrestricted -Force' -Verb RunAs}"")

     

    Regards,

    Mansur Farooq