Summary: Microsoft Scripting Guy, Ed Wilson, talks about using a DSC resource to configure the Windows PowerShell execution policy.
Microsoft Scripting Guy, Ed Wilson, is here. I am sipping a cup of mint tea and munching on a piece of fruitcake. I may be one of the few people in the world who actually likes fruitcake, and I am not afraid to admit it. I like fruitcake—especially if it is a good one, and not one of those Technicolor doorstops that seem to be regifted year after year after year, until eventually they look like some sort of bizarre biology experiment gone horribly wrong. The best fruitcake, of course, is probably one that you make yourself. But around here, there are some fine ones made with fresh organic ingredients by local bakeries. They are quite nice.
The xPowerShellExecutionPolicy DSC resource
One of the new resources from the DSC Resource Kit Wave 9 release is the xPowerShellExecutionPolicy resource. This permits me to configure the Windows PowerShell execution policy by using a DSC configuration.
Note For more information, see PowerShell DSC Resource Kit Wave 9.
To use DSC to configure the Windows PowerShell execution policy, I first create a configuration script, and specify the target nodes. I then import the xPowerShellExecutionPolicy module. I have to explicitly import the module because the DSC Resource Kit providers are not standard DSC resources. It is a good idea to validate input, so I specify the permissible Windows PowerShell execution policies by using the [ValidateSet] tag. Here is this portion of my script:
Configuration SetPowerShellExecutionPolicy
{
Param
(
#Target nodes to apply the configuration
[String[]]$NodeName = ((Get-ADComputer -Filter *).name),
#Changes the user preference for the Windows PowerShell execution policy.
[Parameter(Mandatory)]
[ValidateSet("Bypass","Restricted","AllSigned","RemoteSigned","Unrestricted")]
[String]$SetExecutionPolicy
)
Import-DSCResource -ModuleName xPowerShellExecutionPolicy
Now I specify the array of node names that I retrieved by using the Get-ADComputer cmdlet.
Note The Get-ADComputer cmdlet comes from the Active Directory module, which is available via the Remote Server Administration Tools (RSAT).
It is pretty easy to set the execution policy. I simply call ExecutionPolicy from the xPowerShellExecutionPolicy resource, and I specify my desired Windows PowerShell execution policy. This is shown here:
Node $NodeName
{
xPowerShellExecutionPolicy ExecutionPolicy
{
ExecutionPolicy = $SetExecutionPolicy
}
}
}
Now I need to create the MOF files, so I call my configuration. As shown here, I also pass my desired policy setting as a parameter when calling the configuration:
SetPowerShellExecutionPolicy -output C:\serverConfig -SetExecutionPolicy "RemoteSigned"
The last thing I need to do is start the DSC configuration. To do this, I specify the path to my MOF files, and I call Start-DSCConfiguration:
Start-DscConfiguration -Path C:\serverConfig -Wait -Force -Verbose
Here is what the script looks like while it is running:
After the configuration script runs, I like to quickly check to see if it worked properly. My previous Windows PowerShell execution policies were varied, but now they should all be set to RemoteSigned. I use the Invoke-Command cmdlet (ICM is an alias) to check. Here is the command and the results:
Yep, they are all set the same now. Here is the complete script:
#Requires -version 4.0
Configuration SetPowerShellExecutionPolicy
{
Param
(
#Target nodes to apply the configuration
[String[]]$NodeName = ((Get-ADComputer -Filter *).name),
#Changes the user preference for the Windows PowerShell execution policy.
[Parameter(Mandatory)]
[ValidateSet("Bypass","Restricted","AllSigned","RemoteSigned","Unrestricted")]
[String]$SetExecutionPolicy
)
Import-DSCResource -ModuleName xPowerShellExecutionPolicy
Node $NodeName
{
xPowerShellExecutionPolicy ExecutionPolicy
{
ExecutionPolicy = $SetExecutionPolicy
}
}
}
SetPowerShellExecutionPolicy -output C:\serverConfig -SetExecutionPolicy "RemoteSigned"
Start-DscConfiguration -Path C:\serverConfig -Wait -Force –Verbose
That is all there is to using DSC to configure the Windows PowerShell execution policy. DSC Week will continue tomorrow when I will talk about more cool DSC stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy