CA Client Automation

Hello,

I am trying to figure out a way to use ITCM to set the configuration settings for Power Shell on my servers. I can get the config changes to happen if I run the bat file remotely but not via ITCM. Here is what I have to change the execution policy to Unrestricted:

@echo off
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList 'Set-ExecutionPolicy Unrestricted -Force' -Verb RunAs}"
exit.

I have also tried to deploy this in ps1 format but still no luck. How can I get ITCM to make this change for me?

Thanks,

Chris

#windowspowershell #caitcm

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\PowerShell -Name ExecutionPolicy -Value unrestricted.

The command you are running sets it for current user.  Current user is system.  The above command set it for all users.

Richard Lechner

Principal Engineering Services Architect

CA Technologies

Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

<mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>

Hi Richard,

Thanks so much for your prompt response! The script you provided me did work but I ran into some issues. I noticed when I packaged the script and deployed it, the job executor services would just hang. I tried to run the script manually and it returned:

Cannot find path ‘HKLM:\Software\Policies\Microsoft\Windows\PowerShell’ because it does not exist.

I then noticed that "script execution" was not configured on the server. After I configured that, the job delivery service went away and the registry updated. 

I guess here is my next question. I know that this can bet set via GPO but that just simply is not an option currently. How would you recommend I proceed? I beginning to think a bat file is my only option. Thanks in advance!

There is a command line version of gpedit you can use to configure it.  I do know the syntax offhand.

Sent from my Verizon, Samsung Galaxy smartphone

Look at gpmc

Sent from my Verizon, Samsung Galaxy smartphone

@echo off

reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

reg add HKLM\system32\windows\microsoft\powershell\1\shellids\microsoft.powershell /v "ExecutionPolicy" /d "unrestricted"

Try something like this.

Do it manually first using gpedit to see which keys are added then edit the above script

Richard Lechner

Principal Engineering Services Architect

CA Technologies

Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

<mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>

Chris,

I wrote a techdoc recently that might help:

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1240022.html 

Basically because we are a 32 bit software, we might not always put Registry and Windows system files in the correct location.

Plus since we are running as Local Admin and not as current user, like when you run it manually so it also might put items in different location ..... for example HKLM instead or HKCU

Hi Gordon,

Thanks for the reply. I went back and took your advise and tried to be more specific to where I wanted the keys to go. There is an entry for the standard registry as well as the Wow6432 node.

@echo off

reg add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

reg add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"

reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

It seems when I run this bat file I am able to get the Wow node to change but not the standard 64 bit registry. Any idea why only one of the registry locations will change?

https://communities.ca.com/thread/100964322

Richard Lechner

Principal Engineering Services Architect

CA Technologies

Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

<mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>

This ended up being the fix for me. I didnt even think about the agents being 32 bit running on a 64 bit OS. I went back and modified the bat file and I can confirm success on 147 test servers. I think I am in the clear. Thanks so much everyone! Also, here is the script in case any one else might need it.

@echo off

%windir%\sysnative\reg.exe add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\system32\windowspowershell\v1.0\powershell.exe"

%windir%\sysnative\reg.exe add "HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "Path" /d "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"

reg add "HKLM\software\wow6432Node\microsoft\powershell\1\shellids\microsoft.powershell" /f /v "ExecutionPolicy" /d "Unrestricted"

This assumes all your machines are 64 bit If not you may want to check if exist wow6432node then…

Richard Lechner

Principal Engineering Services Architect

CA Technologies

Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

<mailto:Richard.Lechner@ca.com>[CA]<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[Slideshare]<http://www.slideshare.net/cainc>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Google]<https://plus.google.com/CATechnologies>[Google+]<http://www.ca.com/us/rss.aspx?intcmp=footernav>

I already had a procedure for 32 bit machines that worked fine. All I needed was the variables for 64 bit. I cant thank you enough for the help!

An alternative could be to use setmode64 function in dmscript and then either issue the command or add registry keys. The script has to be saved with a .dms file extension.

For example:

setmode64(true)

Exec("PowerShell -NoProfile -ExecutionPolicy Bypass -Command ""& {Start-Process PowerShell -ArgumentList 'Set-ExecutionPolicy Unrestricted -Force' -Verb RunAs}"")

Regards,

Mansur Farooq