microsoft/Microsoft365DSC

Clarification on Setting Execution Policy for Microsoft 365 DSC

ArtemPozharovDNSBelgium opened this issue · 2 comments

Description of the issue

Hello,

I would like to suggest an update to the Microsoft 365 DSC documentation to include a recommendation for setting the execution policy on new Windows servers. Specifically, running the command:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

This command is necessary when using Export Microsoft 365 DSC to ensure that scripts downloaded from the internet are allowed to run, provided they are signed by a trusted publisher. Setting the execution policy to RemoteSigned enhances security by preventing the execution of potentially harmful unsigned scripts while allowing the functionality needed for Microsoft 365 DSC operations.

It’s important to note that this command is not cross-platform and is specifically applicable to Windows PowerShell. Including this step in the documentation will help administrators automate and manage their Microsoft 365 configurations more smoothly, without encountering interruptions or security risks.

Thank you for your consideration.

Best regards,
Artem Pozharov
Corporate ICT Manager
DNS Belgium

Microsoft 365 DSC Version

1.24.605.1

Which workloads are affected

other

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

It is for sure good to document that this setting is needed. RemoteSigned is the default Execution Policy for Windows servers, so if you had to change it to RemoteSigned, there has been a change on your side to set it to something different:

Default

Sets the default execution policy.
Restricted for Windows clients.
RemoteSigned for Windows servers.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4#powershell-execution-policies

Can you explain a little more on what system you had to run this command and what the old value was that was configured?

Thank you all for your responses. We are using Windows Server 2019 with the standard PowerShell 5.1. We don't recall disabling the RemoteSigned policy; usually, we document such changes, but I don't see any references to this in our records.

Off-topic: Could you please review the workaround we found for connecting to PnP here #3933 (comment)?
We would appreciate any comments or suggestions you might have on this approach.

Thank you!
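The thread leaves open which setting replaced the server default. As an added example (not part of the issue or of Microsoft365DSC), the PowerShell function below lists the policy at every scope and reports the scope that decides the effective value. The function name Get-ExecutionPolicySource is hypothetical.

```powershell
# Added example: find which scope decides the effective execution policy.
# Get-ExecutionPolicySource is a hypothetical helper name, not a built-in cmdlet.
function Get-ExecutionPolicySource {
    [CmdletBinding()]
    param()

    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined wins.
    $deciding = $scopes |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    if ($deciding) {
        $scopeName = [string]$deciding.Scope
    }
    else {
        # Nothing is configured anywhere, so the built-in default applies
        # (Restricted for Windows clients, RemoteSigned for Windows servers).
        $scopeName = 'None (built-in default)'
    }

    # MachinePolicy and UserPolicy come from Group Policy. A value set there
    # overrides anything written with Set-ExecutionPolicy at a lower scope.
    $fromGroupPolicy = $scopeName -in @('MachinePolicy', 'UserPolicy')

    [pscustomobject]@{
        EffectivePolicy  = [string](Get-ExecutionPolicy)
        DecidingScope    = $scopeName
        SetByGroupPolicy = $fromGroupPolicy
        AllScopes        = ($scopes | ForEach-Object {
                               '{0}={1}' -f $_.Scope, $_.ExecutionPolicy
                           }) -join '; '
    }
}

# Run before changing anything, so the previous value is on record.
Get-ExecutionPolicySource | Format-List
```

If SetByGroupPolicy is True, the value has to be changed in the Group Policy object that sets it, because Set-ExecutionPolicy at LocalMachine or CurrentUser scope does not override it.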