November 30, 2011

Getting the PowerShell execution policy for a remote device

Sometimes I’m at a customer where an end-user calls while testing the newly build environment and reports that some settings are not applied. Often these settings are applied through Group Policy or PowerShell scripts.
For the PowerShell part, the first thing I check is the execution policy.

Although I could ask the user to provide me the output of the Get-ExecutionPolicy command, they will probably not appreciate me for asking this.
Next to that, most of the times I get a incident ticket with the message and no contact with the end-user myself.
Because of this, I’ve written this PowerShell function to get the execution policy for a remote computer:

#Usage: Get-RemoteExecutionPolicy Laptop1
function Get-RemoteExecutionPolicy ($TargetName)
{
$RegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $TargetName)
$PSRegKey= $RegKey.OpenSubKey(“SOFTWARE\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell”)
$Policy = ($PSRegKey.getvalue(“ExecutionPolicy”)).tostring()
Return $Policy
}

It is also possible to invoke a command on the remote machine… like this:

Invoke-Command –Computer Laptop1 –ScriptBlock {Get-ExecutionPolicy}

Another way of doing this, is by using a remote PowerShell session… like this:

New-PSSession –Computer Laptop1 | Get-ExecutionPolicy

For more information about the commands to get the execution policy for specific scopes you can read one of my previous posts: PowerShell and the execution policies explained

4 comments

  1. Andrew Morgan says:
    November 30, 2011 at 15:23

    Correct me if I’m wrong, but I think this is dependent on the remote registry service. For a WMI based query, try this:

    function get-RemoteExecutionPolicy{
        param(
       [string]$computer=”.”)

        $executionpolicy=([WMIClass]”\$computerROOTDEFAULT:StdRegProv”).GetStringValue(“2147483650”, “SOFTWARE\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell”, “Executionpolicy”).svalue
        return $executionpolicy
     }

  2. Jeff Wouters says:
    November 30, 2011 at 17:00

    Hi Andrew,
    Correct, my first option depends on the remote registry service… The second and third do not.
    Thanks for your WMI version, good one! 🙂
    Jeff.

  3. David Homer says:
    January 21, 2015 at 12:02

    Hi, there are a couple of caveats to reading the execution policy from the registry such as when Group Policy is used or if an invalid value it set. I’ve documented them here…
    http://david-homer.blogspot.co.uk/2015/01/using-regedit-to-view-and-set.html

  4. Jeff Wouters says:
    January 26, 2015 at 11:32

    Hi David,
    Thanks for sharing!
    Jeff.

Leave a Reply

Your email address will not be published. Required fields are marked *