
Powershell - Try/Catch

I decided to try powershell with PDQ. On target machines I needed to change the execution policy. (Also I am using the same admin account on both machines.)

On the target machine, I ran:

PS C:\Users\PBHOps> Get-ExecutionPolicy
Restricted
PS C:\Users\PBHOps>

From PDQ I ran the following against a target. (Based on http://documentation.adminarsenal.com/PDQDeploy/9.1.0.0/index.html?powershell-error-handling.htm)

Try {
    Set-ExecutionPolicy unrestricted -Force -ErrorAction Stop
}
Catch {
    $_.Exception
    exit 777
}

PDQ says it failed. It catches the error "Security error". However when I then go back to the target machine, it shows that it succeeded:

PS C:\Users\PBHOps> Get-ExecutionPolicy
Unrestricted
PS C:\Users\PBHOps>

If someone could tell me where my mistake is, I would appreciate it. Thanks!

0

Comments

10 comments
  • Would you be so kind as to post the contents of output.log for us to take a look at?

    From just looking at it that code looks clean, but it'd be real interesting to see what is in the log, so I can help you diagnose further.
    0
  • The error log only contains the following text:

    Security error.

    I've attached a screenshot. Thanks.

    0
  • Not very helpful.

    0
  • That's pretty gnarly. I'm gonna run this through my lab environment tomorrow and get back to you.
    0
  • I can confirm identical behavior in my environment.

    0
  • Hello there! Long post warning! 

    Using $_.Exception in the catch block will only show the exception itself. If you need to see the full error, just use $_ (instead of $_.Exception) within the catch block. It will show the full error in all its glory.

    The next bit has to do with how PDQ Deploy runs PowerShell on a target machine. In an Install or PowerShell step for a package, it will show you the command that's being run on the target machine inside the Command Line text box. The part that I wish to point out is, "... -ExecutionPolicy Bypass".

    We are starting the Powershell.exe process scope with an Execution Policy of Bypass. This means that users don't need to worry about setting the Execution Policy for any PowerShell deployments via PDQ Deploy.

    In the original issue, however, we're attempting to set the Execution Policy of a scope that is currently being overridden. To see a list of the various Execution Policy scopes, try running this command: Get-ExecutionPolicy -List

    This list is in order of priority with the MachinePolicy scope having the highest priority and the LocalMachine scope having the lowest priority. 

    Normally, if you load an elevated PowerShell console on a machine and type Set-ExecutionPolicy Unrestricted, you're setting it for the LocalMachine scope (the lowest priority).

    When PDQ Deploy runs PowerShell on the target machine, it's setting the Execution Policy at the process level (since we're setting it when starting the PowerShell.exe process).

    When you attempt to change the Execution Policy for a lower scope, it gives an error letting you know that it successfully set the Execution Policy for the lower scope but the current process is retaining the current Execution Level.

    I hope this helps clarify a bit.

    Cheers,

    0
  • To add on to this, this is a great read:

    https://technet.microsoft.com/en-us/library/hh847748.aspx

    0
  • Yes it is! Thanks for posting that link!

    0
    OK that makes sense. I was able to get the full error:

    Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of "Bypass". Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information, please see "Get-Help Set-ExecutionPolicy."
    At C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\user.ps1:2 char:24
    + Set-ExecutionPolicy <<<< unrestricted -Force -ErrorAction Stop
    + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

    Thanks guys and have a good one!

    0
  • I do what I can :)

    0
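
The scope behaviour worked out in this thread, as an added example that is not part of the original posts or of PDQ's documentation: a deployment step that treats the ExecutionPolicyOverride notice as non-fatal and decides success from the policy actually stored at the LocalMachine scope. It assumes an elevated session started with -ExecutionPolicy Bypass, as described above; the variable names and the exit code 778 are arbitrary choices for this illustration.

```powershell
# Added example, not code from the thread.
# Assumption: runs elevated inside a process launched with -ExecutionPolicy Bypass.
$desired = 'Unrestricted'   # value used in the thread; any valid policy name works
$scope   = 'LocalMachine'   # the scope Set-ExecutionPolicy writes to by default

try {
    Set-ExecutionPolicy -ExecutionPolicy $desired -Scope $scope -Force -ErrorAction Stop
}
catch {
    # With -ErrorAction Stop the override notice becomes a terminating error.
    # Its FullyQualifiedErrorId begins with "ExecutionPolicyOverride" (see the
    # full error text posted above). Anything else is a real failure.
    if ($_.FullyQualifiedErrorId -notlike 'ExecutionPolicyOverride*') {
        $_          # whole error record, not only $_.Exception
        exit 777
    }
    "Override notice ignored; Process scope is $(Get-ExecutionPolicy -Scope Process)"
}

# Record every scope in output.log so the precedence order is visible.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String

# Judge success by the stored value, not by this process's effective policy,
# which stays at Bypass for the lifetime of the process.
$actual = Get-ExecutionPolicy -Scope $scope
if ($actual -ne $desired) {
    "Expected $scope = $desired but found $actual"
    exit 778        # hypothetical exit code for "value not persisted"
}
exit 0
```

A MachinePolicy or UserPolicy value set through Group Policy still takes precedence over LocalMachine at run time, so the -List output in the log is the place to check what a new session on the target will actually use.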