Getting PowerShell scripts to run with no prompts

I am currently experimenting with Windows Server 2012, System Center Virtual Machine Manager 2012 SP1, and automation of various processes related to creating/building Server 2012 virtual machines.

I have a script that will create a new Server 2012 VM, customise it, join it to my Active Directory in a “Build” OU, log it on and then try and run a PowerShell script to further configure the server.

Except that the script fails to run, for a variety of reasons. This has been most annoying, and has taken the best part of a day to resolve.

To save you the hassle:

  1. Create a GPO (Group Policy Object) with the following settings, link it to the OU where your server will appear:
    • Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List: Enabled: Value name: *.rcmtech.co.uk Value: 2
    • Computer Configuration – Policies – Administrative Templates – Windows Components – Windows PowerShell – Turn on Script Execution: Enabled: Allow all scripts
    • User Configuration – Preferences – Control Panel Settings – Scheduled Tasks – Scheduled Task (Windows Vista and later):
      • General:
        • Action: Replace
        • Name: Server Build Launcher
        • When running the task, use the following user account: %LogonDomain%\%LogonUser%
        • Run only when the user is logged on
        • Run with highest privileges
        • Configure for: Windows 7
      • Trigger:
        • Begin the task: At log on
        • Any user
        • Enabled
      • Action:
        • Action: Start a program
        • Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        • Add arguments: -NoExit -File \\ad.rcmtech.co.uk\netlogon\config\serverbuild\serverbuildlauncher.ps1
      • Settings:
        • Allow task to be run on demand
      • Common:
        • Remove this item when it is no longer applied.
  2. I disabled Internet Explorer Enhanced Security Configuration by using Microsoft-Windows-IE-ESC in the specialize section and setting IEHardenAdmin to false. I did this with the following bit of PowerShell, which talks to SCVMM to modify the temporary template that the new VM is built from:
# Fetch the temporary template and its current unattend settings
$Template = Get-SCVMTemplate -Name $TempTemplateName
$Unattend = $Template.UnattendSettings
# Add the setting that turns IE ESC off for administrators
$Unattend.Add("3/Microsoft-Windows-IE-ESC/IEHardenAdmin","false")
# Write the modified unattend settings back to the template
Set-SCVMTemplate -VMTemplate $Template -UnattendSettings $Unattend | Out-Null

The important bit is: all of it, really. The IE ESC and the Trusted Sites bits need doing or you’ll get:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. Do you want to run
\\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1?
[D] Do not run  [R] Run Once  [S] Suspend  [?] Help (default is "D"):

If you don’t set the PowerShell Script Execution policy to Allow all you’ll get an error:

File
\\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1 cannot be loaded. The file
\\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1 is not digitally signed. The script will
not execute on the system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ \\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

…at least if your PowerShell execution policy is set to RemoteSigned. Check what it is with:

Get-ExecutionPolicy -List
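
To check all three preconditions on a freshly built server in one go, here is an added example (not part of the original post or the author's build script). It assumes Windows PowerShell 3.0 or later on the .NET Framework; the function name is hypothetical, the registry key is the standard Active Setup key for IE ESC (administrators), and the outcome column follows the documented behaviour of the two execution policies discussed above for an unsigned script.

```powershell
# Added example, not from the original post. Windows PowerShell only:
# [System.Security.Policy.Zone] is a .NET Framework type.
function Test-BuildScriptPrecondition {   # hypothetical name
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path    # UNC path of the script the scheduled task launches
    )

    # Effective policy, plus the scope that supplies it. Get-ExecutionPolicy -List
    # returns scopes in precedence order, so the first defined one wins.
    $effective = Get-ExecutionPolicy
    $source = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # Security zone Windows assigns to the path. "Trusted" is the zone that
    # value 2 in the Site to Zone Assignment List maps a site into.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($Path).SecurityZone
    $isLocal = @('MyComputer', 'Intranet', 'Trusted') -contains $zone.ToString()

    # IE ESC for administrators: IsInstalled = 0 means it is switched off.
    $escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\' +
              '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $esc = (Get-ItemProperty -Path $escKey -ErrorAction SilentlyContinue).IsInstalled

    # Expected outcome for an unsigned script under the two policies in the post.
    $outcome = switch ($effective.ToString()) {
        'Unrestricted' { if ($isLocal) { 'Runs' } else { 'Prompts: Security warning' } }
        'RemoteSigned' { if ($isLocal) { 'Runs' } else { 'Blocked: not digitally signed' } }
        default        { 'Not evaluated by this check' }
    }

    [pscustomobject]@{
        Path            = $Path
        EffectivePolicy = $effective
        PolicySetBy     = $source.Scope   # MachinePolicy when the GPO has applied
        Zone            = $zone
        IEEscAdminOn    = if ($null -eq $esc) { $null } else { [bool]$esc }
        Expected        = $outcome
    }
}

# Run as the build account on the new server, using the path from the post.
Test-BuildScriptPrecondition -Path '\\ad.rcmtech.co.uk\netlogon\config\serverbuild\serverbuildlauncher.ps1'
```

If PolicySetBy is not MachinePolicy, or Zone is Internet, the GPO has not yet applied or is not linked to the OU the server landed in.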

Enjoy.

 


2 Responses to Getting PowerShell scripts to run with no prompts

  1. Pingback: No HTML5 video in IE11 on RDSH 2012 R2 | Robin CM's IT Blog

  2. Thank you! You were the only one with this answer that I could find. We were seeing the stupid Security Warning even after -ExecutionPolicy Bypass, but only if we were using UAC to run a script as admin. Crazy.
