PowerShell execution policies

In some cases (such as when the default execution policy is AllSigned or RemoteSigned), the following message may be seen:

Do you want to run software from this untrusted publisher?
<script name> is published by CN=HP Inc., OU=HP Cybersecurity, O=HP Inc., L=Palo Alto, S=California, C=US and is not trusted on your system. Only run scripts from trusted
publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"):

Explanation

This occurs because Windows PowerShell does not trust HP Inc as a publisher by default, and the execution policy is set to a value that causes the signature check to be performed. For more information, see the Microsoft page on Execution Policies.

To bypass the prompt, add HP Inc as a trusted publisher.

Procedure

Use the following steps to add HP as a trusted publisher:

  1. Locate the module of interest (e.g. HP.Softpaq in %ProgramFiles%\WindowsPowerShell\Modules). All client library module directories start with the prefix "HP.".
  2. Right-click on the psd1 file within the folder and select Properties.
  3. Switch to the Digital Signature page on the Properties window.
  4. Select the HP Inc. signature and click the Details button, which will bring up the Digital Signature Details window.
  5. Select the View Certificate button which will bring up the Certificate window.
  6. On the General tab select Install Certificate... which will bring up the Certificate Import Wizard.
  7. On the wizard pages, proceed as follows:
    1. Select either Current User or Local Machine, depending on the trust scope, and click Next.
    2. Select Place all certificates in the following store and click Browse.
    3. On the list of certificate stores, select Trusted Publishers and close the window.
    4. Verify Trusted Publishers is now listed in the Certificate Store window, and click Next then Finish.

If you intend to distribute the extracted certificate to client machines, use the management tool of your choice to insert the extracted certificate into the Trusted Publishers store on the target systems.
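
The same procedure can be scripted. The following is an added example, not HP's own code: it checks the manifest's signature before trusting anything, exports the signer certificate to a file for distribution, and imports it into Trusted Publishers. The module path, the output file name, and the expected subject prefix (taken from the prompt text above) are assumptions to adjust for your environment.

```powershell
# Added example (not from HP). Paths and file names below are assumptions.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HP.Softpaq'
$cerPath    = Join-Path $env:TEMP 'hp-publisher.cer'   # hypothetical output file
$storePath  = 'Cert:\CurrentUser\TrustedPublisher'     # or Cert:\LocalMachine\TrustedPublisher (elevated)

# Steps 1-2: locate the module manifest (.psd1).
$manifest = Get-ChildItem -Path $moduleRoot -Filter '*.psd1' -Recurse |
    Select-Object -First 1
if (-not $manifest) { throw "No .psd1 found under $moduleRoot" }

# Steps 3-5: read the Authenticode signature and refuse to continue
# if it does not verify (modified file, broken chain, unsigned file).
$sig = Get-AuthenticodeSignature -FilePath $manifest.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature on $($manifest.Name) is '$($sig.Status)': $($sig.StatusMessage)"
}

# Confirm the signer is the publisher named in the prompt before trusting it.
$cert = $sig.SignerCertificate
if ($cert.Subject -notlike 'CN=HP Inc.,*') {
    throw "Unexpected signer: $($cert.Subject)"
}
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter

# Steps 6-7: export the certificate, then place it in Trusted Publishers.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation $storePath | Out-Null

# Verify the certificate is now present in the chosen store.
$found = Get-ChildItem -Path $storePath |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) {
    throw "Certificate $($cert.Thumbprint) was not found in $storePath"
}
```

The exported .cer file contains only the public certificate and is the file to hand to your management tool; record the thumbprint printed above so the copy on target systems can be compared against it.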

Alternate solution - Change execution mode

An alternate solution which may be acceptable during development or evaluation is to change the execution policy (via Set-ExecutionPolicy) in order to avoid the aforementioned prompt.

This is not a recommended production solution, as it may expose the system to malicious scripts, and should only be implemented with utmost care and limited scope.

Example:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
