OS: Windows Server 2016 -- ver 1607 (OS Build 14393.6452)
PowerShell: 5.1.14393.6343
When attempting to run a BPA scan, it returns an error of...
get-bpamodel : There has been an error while trying to set the process wide execution policy. (Inner Exception:
Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a
more specific scope. Due to the override, your shell will retain its current effective execution policy of
Unrestricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information please see
"Get-Help Set-ExecutionPolicy".)
At line:1 char:1
+ get-bpamodel
+ ~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-BpaModel], CommandLetException
+ FullyQualifiedErrorId : SetExecutionPolicyError,Microsoft.BestPractices.Cmdlets.GetModelCommand
This occurs when running a BPA scan from Server Manager and PowerShell.
Working on a test server, I've removed the machine from enterprise GPO policies that impact PowerShell script execution and confirmed with RSOP.msc, rebooted, and confirmed the policy was set to 'Unconfigured'. Manually, I've set everything to Bypass for testing purposes.
Scope          ExecutionPolicy
-----          ---------------
MachinePolicy  Unrestricted
UserPolicy     Unrestricted
Process        Bypass
CurrentUser    Bypass
LocalMachine   Bypass
Running 'get-bpamodel' from an elevated PowerShell window or Server Manager (both elevated and not) returns the above error message, but when run from PowerShell it also changes the execution policy for 'Process' to 'RemoteSigned' (below). If I close that window and relaunch an elevated PowerShell, it will revert to the ExecutionPolicy above.
Scope          ExecutionPolicy
-----          ---------------
MachinePolicy  Unrestricted
UserPolicy     Unrestricted
Process        RemoteSigned
CurrentUser    Bypass
LocalMachine   Bypass
I've attempted to run things as a local admin instead of a network admin: same error. Set GPO policy to allow all scripts to run, i.e. 'Unrestricted': same error. I've tried piping the command through a separate script (below): same error.
powershell.exe -executionpolicy bypass C:\Users\Public\bpagit.ps1
I'm not sure what I'm missing, but any advice would be helpful!
Solution:
I set an enterprise GPO policy for the test machine for "AllSigned" and was able to run the scan through the GUI, which is good enough for my needs.
Note that this did NOT work with an enterprise GPO policy of "Unrestricted" or unconfigured.
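
A read-only way to see which scope decides the effective execution policy, and what the Group Policy registry keys actually hold, when this "overridden by a policy defined at a more specific scope" message appears. This is an added example, not part of the original post: the function names are hypothetical, the sample input is constructed from the second listing above, and the registry paths are the standard location where the "Turn on Script Execution" Group Policy setting is stored.

```powershell
# Added diagnostic, not from the original post. Read-only: changes no policy.

function Get-EffectivePolicyScope {
    # Get-ExecutionPolicy -List returns the scopes in precedence order
    # (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
    # The first scope that is not Undefined decides the effective policy.
    param([object[]]$PolicyList = (Get-ExecutionPolicy -List))

    $winner = $PolicyList |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1
    if (-not $winner) { return $null }   # nothing set anywhere: built-in default applies

    # Lower scopes holding a different value are the ones being overridden.
    $overridden = $PolicyList | Where-Object {
        "$($_.Scope)" -ne "$($winner.Scope)" -and
        "$($_.ExecutionPolicy)" -notin @('Undefined', "$($winner.ExecutionPolicy)")
    }
    [pscustomobject]@{
        WinningScope     = "$($winner.Scope)"
        EffectivePolicy  = "$($winner.ExecutionPolicy)"
        OverriddenScopes = @($overridden | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
    }
}

function Get-PolicyRegistryValue {
    # MachinePolicy is read from HKLM, UserPolicy from HKCU. A missing key means
    # that scope is not configured by policy on this machine.
    param([string[]]$Path = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
                              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'))
    foreach ($p in $Path) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key             = $p
            Present         = [bool]$v
            EnableScripts   = $v.EnableScripts
            ExecutionPolicy = $v.ExecutionPolicy
        }
    }
}

# Constructed input: the second listing from the post, so this part runs anywhere.
$sample = 'MachinePolicy=Unrestricted', 'UserPolicy=Unrestricted', 'Process=RemoteSigned',
          'CurrentUser=Bypass', 'LocalMachine=Bypass' | ForEach-Object {
    $s, $p = $_ -split '='
    [pscustomobject]@{ Scope = $s; ExecutionPolicy = $p }
}
Get-EffectivePolicyScope -PolicyList $sample | Format-List
Get-EffectivePolicyScope | Format-List            # live values on this machine
Get-PolicyRegistryValue | Format-Table -AutoSize
```

Comparing the live registry values with what RSOP.msc reports shows whether a MachinePolicy or UserPolicy value is still present on the machine after a GPO has been unlinked.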