When installing the HP Anyware PCoIP Agent I get a Powershell execution policy error
Problem
When installing HP Anyware PCoIP Agent for Windows you receive the error "The Powershell (x86) execution policy is currently set to Restricted. PCoIP Standard Agent requires the ability to run Powershell scripts; adjust the Powershell (x86) execution policy to allow at least signed scripts to run."
Note: HP Anyware PCoIP Agent 2.12 and newer will attempt to modify the PowerShell execution policy settings automatically on install. If a domain group policy controls the PowerShell execution policy, the change made by the installer may fail and the group policy will need to be changed.
Cause
By default the PowerShell execution policy in Windows is set to "Restricted" (see Microsoft: About Execution Policies). The PCoIP Agent uses PowerShell (x86) during the installation process and to manage licensing. At a minimum, HP Anyware requires the policy to be set to "AllSigned".
Resolution
Note: Windows has both an x86 and an x64 version of Windows PowerShell. When running the following commands, ensure you are using Windows PowerShell (x86) and not Windows PowerShell.
There are multiple ways to change the current Windows PowerShell (x86) execution policy. They include domain group policy, local group policy, registry editing and the Windows PowerShell prompt. Each method will modify the Windows PowerShell execution policy, but some methods will override others.
To find the current Windows PowerShell (x86) execution policy of the machine that HP Anyware PCoIP Agent will be installed on, open an elevated (Run As Administrator) PowerShell (x86) prompt. Type the command:
Get-ExecutionPolicy -List
And you will get a list of the current policies in place.
PS C:\WINDOWS\system32> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       Undefined
In this example all execution policies are undefined which is the default state. This also means the current execution policy in place is Restricted.
The list is in precedence order, i.e. MachinePolicy overrides all policies below it.
Each execution policy is set in the following location:
- MachinePolicy - Group Policy: Computer Configuration
- UserPolicy - Group Policy: User Configuration
- Process - Execution Policy: Process (or powershell.exe -ExecutionPolicy) - Set for one powershell.exe process either at launch or inside the session and is only valid as long as that process is running.
- CurrentUser - Execution Policy: CurrentUser is set either from PowerShell, the local group policy of the machine or the registry
- LocalMachine - Execution Policy: LocalMachine is set either from Powershell, the local group policy of the machine or the registry
Note: If Machine Policy or User Policy is not Undefined, the local or domain group policy has been modified. The policy will need to be modified to allow Machine Policy - All Signed. To find out where the policy is currently set, use the Resultant Set of Policy tool by executing rsop.msc with elevated permissions. Close and re-open an elevated Windows PowerShell when validating changes to domain group policy.
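The precedence rules above can be checked before running the installer. The following is an added example, not part of the original article or HP's tooling; the function name Get-PolicyReadiness is hypothetical. It uses only Get-ExecutionPolicy and reports which scope decides the effective policy in the current PowerShell host and whether that meets the AllSigned minimum.

```powershell
# Added example (not HP code): report which scope decides the execution policy
# and whether it meets the AllSigned minimum stated in this article.
function Get-PolicyReadiness {
    # [IntPtr]::Size is 4 in Windows PowerShell (x86) and 8 in the 64-bit host.
    $isX86 = ([IntPtr]::Size -eq 4)

    # Get-ExecutionPolicy -List returns the scopes in precedence order, so the
    # first scope that is not Undefined is the one that takes effect.
    $deciding = Get-ExecutionPolicy -List |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1

    # With no argument, Get-ExecutionPolicy returns the effective policy.
    $effective = "$(Get-ExecutionPolicy)"

    $scope = if ($deciding) { "$($deciding.Scope)" } else { 'None (default)' }
    $fromGroupPolicy = @('MachinePolicy', 'UserPolicy') -contains $scope

    $verdict = switch ($effective) {
        'Restricted' { 'Blocked: the installer will report the execution policy error.' }
        'AllSigned'  { 'OK: meets the minimum the agent requires.' }
        default      { 'Scripts can run, but the policy is more permissive than AllSigned.' }
    }

    $action = if ($fromGroupPolicy) {
        'Set by Group Policy: change the GPO (locate it with rsop.msc); Set-ExecutionPolicy cannot override it.'
    } elseif ($scope -eq 'Process') {
        'Set for this process only: it does not persist after the session ends.'
    } else {
        'Can be changed with Set-ExecutionPolicy from an elevated prompt.'
    }

    New-Object PSObject -Property @{
        IsX86Host = $isX86; DecidingScope = $scope; EffectivePolicy = $effective
        Verdict = $verdict; Action = $action
    }
}

$report = Get-PolicyReadiness
if (-not $report.IsX86Host) {
    Write-Warning 'This is 64-bit Windows PowerShell; re-run in Windows PowerShell (x86).'
}
$report | Format-List
```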
Set the Policy via Elevated Windows PowerShell (x86) prompt
This method is the simplest to use if you are only changing the setting on a small number of machines. This change is effective immediately and modifies the LocalMachine setting. The setting is changed in the registry and will remain effective until the setting is changed again.
- Open Windows PowerShell (x86) with elevated permissions (Run As Administrator).
- At the PowerShell prompt type:
Get-ExecutionPolicy -List
- Verify the Execution Policy is Undefined for all values as per the example.
- To change the Policy to AllSigned type:
Set-ExecutionPolicy -ExecutionPolicy AllSigned
- This changes the LocalMachine policy to AllSigned. Verify this by typing:
Get-ExecutionPolicy -List
- The output should now be the following:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       AllSigned
Set the Policy via Group Policy
When using this method the setting can be modified either in the local group policy, which applies only to the local machine, or in the domain group policy, which can apply to many machines. For changes to the domain group policy please contact your System Administrator.
- Open the local group policy editor, gpedit.msc, or the domain group policy management snap-in and edit the required policy.
- Expand Computer Configuration, Administrative Templates, Windows Components, Windows PowerShell.
- Double-click on Turn on Script execution.
- Set the Policy to Enabled.
- Select the Execution Policy Allow only signed scripts.
- Click OK and close the group policy editor.
- If setting the domain group policy, allow time for domain replication and for the machine to pick up the setting. Application of domain group policy can take up to 4 hours.
- Open a new elevated PowerShell prompt.
- The MachinePolicy should now be AllSigned. Validate this with the command:
Get-ExecutionPolicy -List
- The output should now be the following:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       AllSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       Undefined
Pertains to:
- HP Anyware 2.11.0
- PCoIP Graphics Agent 2.11.0
- PCoIP Standard Agent 2.11.0