Attempting to run some PowerShell code through BigFix. Initially I attempted using a PS script in a task, and that worked for most machines. I encountered some outliers.
Discovered these machines have a GPO setting MachinePolicy to Restricted.
Using this doesn’t help because MachinePolicy overrides all other ExecutionPolicy scopes:
waithidden {pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)} -ExecutionPolicy Bypass -File powershell.ps1
I’m looking for a way to incorporate some of the info provided here: https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/
I thought maybe option 12 (swap out the AuthorizationManager) looked promising. He suggests implementing it using the option 5 command. I’m trying to work out how I can do that in ActionScript. It would be something like this, I think:
// Braces inside a waithidden line are parsed as relevance substitution, so the PowerShell text is
// written without a function body; inner .NET strings use single quotes so they survive the
// double-quoted -Command argument, and the whole action command sits on one line.
waithidden {pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)} -ExecutionPolicy Bypass -Command "$ctx = $ExecutionContext.GetType().GetField('_context','nonpublic,instance').GetValue($ExecutionContext); $ctx.GetType().GetField('_authorizationManager','nonpublic,instance').SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell')); & '.\powershell.ps1'"
Anybody else found a way around the GPO? Am I going about this all wrong? Is there a better way to accomplish this by registry edit to change the policy?
I do know that changing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ value ExecutionPolicy=Bypass does not work, because that’s still overridden by the MachinePolicy defined by GPO.
Thanks!
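A complete action that puts the article's option 12 (swapping the AuthorizationManager) behind its option 5 (the -Command switch), added here as an example; it is not code from the post, from BigFix, or from the NetSPI article. It assumes the payload is staged in the site's client folder as powershell.ps1 (the file name used in the post), that the heredoc marker END_OF_PAYLOAD and the evidence file name bigfix-ps-policy.txt are free to choose, and the Get-ExecutionPolicy payload itself is a constructed stand-in for whatever the real script does. The PowerShell text deliberately contains no braces, because the action script parser treats every `{...}` on a command line as relevance substitution.

```actionscript
// Added example; not from the original post, BigFix, or the NetSPI article.
// Stage the payload beside the client so the action does not depend on the
// working directory. The payload is a constructed stand-in: it records the
// effective policy as evidence that the script ran with MachinePolicy = Restricted.
delete __createfile
createfile until END_OF_PAYLOAD
$evidence = Join-Path $env:SystemRoot 'Temp\bigfix-ps-policy.txt'
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Set-Content -Path $evidence
"Ran as $env:USERNAME at $(Get-Date -Format o)" | Add-Content -Path $evidence
END_OF_PAYLOAD
delete "{pathname of client folder of current site}\powershell.ps1"
copy __createfile "{pathname of client folder of current site}\powershell.ps1"

// Run the payload through -Command. The two statements ahead of the script call
// replace the session's AuthorizationManager with a plain one, so the check that
// enforces the execution policy on external script files no longer blocks the call.
// The only {..} on this line are relevance substitutions; inner .NET strings use
// single quotes so they survive the outer double-quoted -Command argument.
waithidden "{pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)}" -NoProfile -NonInteractive -Command "$ctx = $ExecutionContext.GetType().GetField('_context','nonpublic,instance').GetValue($ExecutionContext); $ctx.GetType().GetField('_authorizationManager','nonpublic,instance').SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell')); & '{pathname of client folder of current site}\powershell.ps1'"

// With -Command, powershell.exe exits 0 only if the last statement succeeded, so a
// script that is still blocked by the policy shows up as a failed action instead of
// a silent no-op.
continue if {exit code of action = 0}
```

The field names `_context` and `_authorizationManager` are private members of System.Management.Automation, so the line is tied to the engine build it was tested on; the registry path the post reads resolves to Windows PowerShell (the `\1\ShellIds` key), not PowerShell 7. A variant that needs no reflection is to hand the file's text to the same switch, `-Command "& ([scriptblock]::Create((Get-Content -Raw '<path>')))"`, which is the article's option 8 with ScriptBlock::Create in place of Invoke-Expression, and works because the policy only gates script files loaded from disk. Microsoft documents the execution policy as a safety feature rather than a security boundary, which is why a management channel can route around it; if the GPO owners want a real control on what the client runs, that is a job for AllSigned with signed scripts or for AppLocker/WDAC, and they should know that this action exists.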