PowerShell – How to get Windows to trust the PowerShell profile

powershell

In this answer, Sam states that in order to get Windows to trust my PowerShell profile for execution, every time that I open a PowerShell shell, I should be able to right-click the file and click "Properties", then at the bottom of the dialog box click "Unblock". When I do so, I don't see any Unblock checkbox at all.

I also don't want to just be able to run any old script by setting Set-ExecutionPolicy Unrestricted. I want to just have the functions in my PowerShell profile loaded automatically when I open a PowerShell prompt on select machines on the network.

Instead, when I load it, I get the following error:

. : File \\redirected.domain.org\Redirected\yy-xxx\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot
be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . '\\redirected.domain.org\Redirected\yy-xxx\My Documents\WindowsPowerShell\Microsof ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

It seems to be Microsoft's way of preventing you from knowing that you're using a computer and not some glorified piece of paper.

Is there a way to have my PowerShell profile load by simply opening PowerShell, without opening myself up to other vulnerabilities?

Best Answer

I think there are two problems.

You can use:

Set-ExecutionPolicy RemoteSigned

which tells PowerShell to execute local scripts, but not any non-local scripts.

A non-local script can be one that is stored on the local machine but has been downloaded from the internet and carries a 26-byte :Zone.Identifier:$DATA NTFS alternate data stream. The Unblock button in the file's Properties dialog removes that data stream and makes the file 'truly' local. After you've done that you can run it in PowerShell.

But it seems your profile is located on a remote server, so it is never local.

You could either copy the profile file to your local machine and make sure it is unblocked (you can use the Unblock-File cmdlet for that).

Or you keep the profile file remote but sign it with a digital signature; for that you need a code-signing certificate that your workstation trusts.
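Added example (not part of the original answer): a PowerShell walk-through of the checks behind the answer and of both fixes it describes. It assumes Windows PowerShell 5.x, that RemoteSigned is set for the current user, and that a code-signing certificate the workstation trusts is already in Cert:\CurrentUser\My; $localCopy is a hypothetical path.

```powershell
# Added example, not the answerer's code. Shows why a profile is refused
# under RemoteSigned and the two remedies: unblock a local copy, or sign it.

# 1. Where does the profile live, and is it on a UNC share (never "local")?
$profilePath = $PROFILE.CurrentUserCurrentHost
$onShare     = ([System.Uri]$profilePath).IsUnc
"Profile: $profilePath (on UNC share: $onShare)"

# 2. Effective execution policy per scope; RemoteSigned is the one the answer recommends.
Get-ExecutionPolicy -List

# 3. Does a file still carry the mark-of-the-web that makes it "non-local"?
function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        # Typically "[ZoneTransfer]" + CRLF + "ZoneId=3" + CRLF, i.e. 26 bytes.
        Get-Content -Path $Path -Stream Zone.Identifier
    } else {
        "no Zone.Identifier stream: PowerShell treats the file as local"
    }
}

# Option A: copy the profile to the local machine and remove the zone stream.
# $localCopy is a hypothetical destination; pick a local NTFS path you control.
$localCopy = Join-Path $env:LOCALAPPDATA 'WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
New-Item -ItemType Directory -Path (Split-Path $localCopy) -Force | Out-Null
Copy-Item -Path $profilePath -Destination $localCopy -Force
Get-ZoneMark -Path $localCopy          # shows the stream if one was copied along
Unblock-File -Path $localCopy          # same effect as the Unblock button
Get-ZoneMark -Path $localCopy          # now reports no stream

# Option B: leave the profile on the share and sign it with a trusted code-signing cert.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $profilePath -Certificate $cert | Out-Null

# Verify: Status must be Valid for RemoteSigned to run the remote profile.
Get-AuthenticodeSignature -FilePath $profilePath |
    Select-Object Status, StatusMessage, @{n='Signer';e={$_.SignerCertificate.Subject}}
```

Any later edit to the signed profile invalidates the signature, so Option B means re-signing after each change; Option A only helps if PowerShell actually loads the local copy, since $PROFILE itself is fixed by the documents folder location.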