PowerShell scripts for Exchange can't be executed, but execution policy is set

Question

I don't know what happened, but I execute the HealthChecker for Exchange on a regular base.

But now I get an error. Even my execution policy is RemoteSigned.

Even setting the execution policy to unrestricted it show the same error.

Is it possible that script from Microsoft are blocked on my machine? Can I unblock this? I used a different profile and it worked. What in my other profile can block specific scripts?**

[PS] C:\temp>Get-ExecutionPolicy -list                                                      
Scope                                             ExecutionPolicy
-----                                             ---------------
MachinePolicy                                                   Undefined
 UserPolicy                                                   Undefined
    Process                                                   Undefined
CurrentUser                                                   Undefined
LocalMachine                                                RemoteSigned
[PS] C:\temp>.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
.\ExchangeExtendedProtectionManagement.ps1 : Die Datei "C:\temp\ExchangeExtendedProtectionManagement.ps1" kann nicht
geladen werden, da der Vorgang durch Richtlinien für die Softwareeinschränkung, z. B. die von der Gruppenrichtlinie
erstellten Richtlinien, blockiert wird.
In Zeile:1 Zeichen:1

.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
  + CategoryInfo          : Sicherheitsfehler: (:) [], PSSecurityException
  + FullyQualifiedErrorId : UnauthorizedAccess



[PS] C:\temp>.\HealthChecker.ps1
.\HealthChecker.ps1 : Die Datei "C:\temp\HealthChecker.ps1" kann nicht geladen werden, da der Vorgang durch
Richtlinien für die Softwareeinschränkung, z. B. die von der Gruppenrichtlinie erstellten Richtlinien, blockiert wird.
In Zeile:1 Zeichen:1

.\HealthChecker.ps1
  + CategoryInfo          : Sicherheitsfehler: (:) [], PSSecurityException
  + FullyQualifiedErrorId : UnauthorizedAccess

EDIT: For some reason it seams that the signature of Microsoft is no longer trusted: Bestätigung Möchten Sie diese Aktion wirklich ausführen?

Ausführen des Vorgangs "Update script to latest version" für das Ziel "HealthChecker.ps1".
[J] Ja  [A] Ja, alle  [N] Nein  [K] Nein, keine  [H] Anhalten  [?] Hilfe (Standard ist "J"): J
WARNUNG: Signature is not trusted by machine as Valid, status: NotTrusted.
WARNUNG: AutoUpdate: Signature could not be verified: C:\Users\MartinAdmin\AppData\Local\Temp\HealthChecker.ps1.
WARNUNG: AutoUpdate: Update was not applied.
Exchange Health Checker version 22.08.09.0638

Answer 1

The problem was that the Microsoft certificate was placed in the Untrusted publishers.

After removing the certificate form the untrusted publishers I was able to launch all scripts as before.

Answer 2

As the script worked when the execution policy is set to Bypass, this means that somehow some policy is still restricting the execution.

Although the Unrestricted policy seems like it allows everything, this is not the case. For example, it may warn you and ask for the correct permissions before executing an unsigned script. You could try to sign your script to see if this is the problem.

To truly run in an unrestricted manner, this requires the Bypass policy.

I can't guess what has changed in your profile that suddenly caused the error. It might even be some profile corruption, which sometimes happens with Windows. You could keep on using Bypass if nothing is found to explain the problem.

Answer 3

The PowerShell script is likely blocked if it was downloaded from the internet. Either right-click the file and tick Unblock, then OK, or run Unblock-File:

Unblock-File -Path <filepath>

Description of Unblock-File seems to match your scenario:

The Unblock-File cmdlet lets you open files that were downloaded from the internet. It unblocks PowerShell script files that were downloaded from the internet so you can run them, even when the PowerShell execution policy is RemoteSigned. By default, these files are blocked to protect the computer from untrusted files.