Description
When using Management Hub to Test or Request Certificate with Namecheap DNS API (via Posh-ACME), the operation fails due to how the PowerShell execution policy is being handled internally.
In my environment, execution policy is enforced via GPO as:
- Scope: MachinePolicy
- Policy: Bypass
Even though Bypass is the least restrictive policy, Management Hub attempts to override it to Unrestricted, which PowerShell refuses because the policy is already enforced at a more specific scope. This causes the request to fail before the DNS update runs.
Expected behavior
If the effective execution policy is already Bypass, Management Hub should not attempt to modify it and should proceed normally.
Actual behavior
Management Hub attempts to set execution policy to Unrestricted, which fails due to GPO enforcement and aborts the request.
Suggested improvement
Before changing execution policy, detect the effective policy and skip modification if it is already Bypass or Unrestricted.
Error from log:
2026-01-19 21:58 [ERR] DNS update failed: Namecheap DNS API (using Posh-ACME) :: Error - CmdletInvocationException: PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of Bypass. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information please see "Get-Help Set-ExecutionPolicy".
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.Runspaces.Pipeline.Invoke()
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Certify.Management.PowerShellManager.InvokePowershell(CertificateRequestResult result, String executionPolicy, String scriptFile, Dictionary`2 parameters, String scriptContent, PowerShell shell, Boolean autoConvertBoolean, String[] ignoredCommandExceptions, Int32 timeoutMinutes) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.cs:line 469
at Certify.Management.PowerShellManager.RunScript(String powershellExecutionPolicy, CertificateRequestResult result, String scriptFile, Dictionary`2 parameters, String scriptContent, Dictionary`2 credentials, String logonType, String[] ignoredCommandExceptions, Int32 timeoutMinutes, Boolean launchNewProcess) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.cs:line 136
EDIT: I found the line PowershellExecutionPolicy in serviceconfig.json and was able to set this to Bypass and restart the service. Tests and requests work as expected now, but I believe if the default is Unrestricted and the MachinePolicy or LocalMachine scopes are set to that or anything less restrictive (e.g. Bypass), then it should skip trying to set the execution policy and proceed as normal.
As an alternative, add this to the documentation so admins know how to change the execution policy that Management Hub tries to set.
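The check the report asks for, written out as an added PowerShell example (this is not Certify's code and not the reporter's; Certify's own logic lives in the C# PowerShellManager shown in the stack trace). It assumes the host wants to raise the policy to a value like Unrestricted at Process scope, compares that against what Get-ExecutionPolicy reports, and refuses to call Set-ExecutionPolicy when the effective policy is already at least as permissive or when Group Policy (MachinePolicy/UserPolicy) would override the change, which is the condition that produced the "overridden by a policy defined at a more specific scope" error above. The function names and the restrictiveness ranking are my own.

```powershell
# Added example, not Certify's code: only change the execution policy when the
# change is both needed and possible. Policies are ranked from least to most
# restrictive; "Undefined" means nothing is set at that scope.
$script:PolicyRank = @{
    'Bypass'       = 0
    'Unrestricted' = 1
    'RemoteSigned' = 2
    'AllSigned'    = 3
    'Restricted'   = 4
}

function Test-ExecutionPolicyChangeNeeded {
    # Returns $true only when $Requested is less restrictive than $Effective.
    # Effective Bypass + requested Unrestricted => $false (leave it alone).
    param(
        [Parameter(Mandatory)][string]$Effective,   # e.g. (Get-ExecutionPolicy)
        [Parameter(Mandatory)][string]$Requested    # policy the host wants, e.g. Unrestricted
    )
    if (-not $script:PolicyRank.ContainsKey($Requested)) {
        throw "Unknown execution policy '$Requested'"
    }
    if (-not $script:PolicyRank.ContainsKey($Effective)) {
        return $true   # unknown/Undefined effective value: fall back to setting it
    }
    return $script:PolicyRank[$Requested] -lt $script:PolicyRank[$Effective]
}

function Get-EnforcedExecutionPolicy {
    # Group Policy scopes win over Process/CurrentUser/LocalMachine. If one of
    # them is defined, Set-ExecutionPolicy at a lower scope still writes the
    # value but then throws the "overridden by a policy defined at a more
    # specific scope" error seen in the Certify log.
    @(Get-ExecutionPolicy -List |
        Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
                       $_.ExecutionPolicy -ne 'Undefined' })
}

function Set-ExecutionPolicyIfNeeded {
    # Hypothetical replacement for an unconditional Set-ExecutionPolicy call.
    # Returns the execution policy that is in effect after the call.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Requested,
        [string]$Scope = 'Process'
    )
    $effective = (Get-ExecutionPolicy).ToString()

    if (-not (Test-ExecutionPolicyChangeNeeded -Effective $effective -Requested $Requested)) {
        Write-Verbose "Effective policy '$effective' already allows scripts; not changing it."
        return $effective
    }

    $enforced = Get-EnforcedExecutionPolicy
    if ($enforced.Count -gt 0 -and $enforced[0].ExecutionPolicy.ToString() -ne $Requested) {
        # Cannot win against GPO; report it instead of aborting the whole request.
        Write-Warning ("Execution policy '{0}' is enforced by Group Policy at scope {1}; " +
                       "cannot raise it to '{2}', continuing with '{0}'." -f
                       $enforced[0].ExecutionPolicy, $enforced[0].Scope, $Requested)
        return $effective
    }

    Set-ExecutionPolicy -ExecutionPolicy $Requested -Scope $Scope -Force
    return (Get-ExecutionPolicy).ToString()
}

# Usage: in the reporter's environment (MachinePolicy = Bypass) this returns
# 'Bypass' without calling Set-ExecutionPolicy at all.
Set-ExecutionPolicyIfNeeded -Requested 'Unrestricted' -Verbose
```

Run `Get-ExecutionPolicy -List` first on any machine where this matters: if MachinePolicy or UserPolicy shows anything other than Undefined, no Set-ExecutionPolicy at Process, CurrentUser or LocalMachine scope can change the effective policy, and a host that insists on calling it will hit the same CmdletInvocationException regardless of which value it requests.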