Re: Exchange Management Powershell raise an Error with AllSigned Execution Policy



Hi

I tried to reproduce the error and found this:

1. I set the execution policy to AllSigned
2. Launched EMS


Do you want to run software from this untrusted publisher?
File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.format.ps1xml is
published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond,
S=Washington, C=US and is not trusted on your system. Only run scripts from
trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help
(default is "D"):v

I entered V for "Never run", and got this:


There were errors in loading the format data file:
Microsoft.Exchange.Management.PowerShell.Admin, C:\Program Files\Microsoft\Excha
nge Server\bin\Exchange.format.ps1xml : File skipped because of validation excep
tion: "File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.format.ps1xm
l cannot be loaded because you have elected to never run software from this publ
isher.".


## this errors 'considered OK' becuase the Profile file is not signed

File C:\Documents and Settings\Administrator.domain\My Documents\Windo
wsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded. The file C:\Doc
uments and Settings\Administrator.domain\My Documents\WindowsPowerShel
l\Microsoft.PowerShell_profile.ps1 is not digitally signed. The script will not
execute on the system. Please see "get-help about_signing" for more details..
At line:1 char:2
+ . <<<< 'C:\Documents and Settings\Administrator.domain\My Documents
\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'

## this is not

File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1 is published b
y CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C
=US. This publisher is explicitly untrusted on your system. The script will not
execute on the system. Please see "get-help about_signing" for more details.
At line:1 char:2
+ . <<<< 'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'


Then I issued:

PS > dir cert:\CurrentUser\Disallowed

Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Disallowed


Thumbprint Subject
---------- -------
564E01066387F26C912010D06BD78D3CF1E845AB CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington...
7D7F4414CCEF168ADF6BF40753B5BECD78375931 OU=Microsoft Corporation, CN=Microsoft Corporation, L=Redmond, S=Washingto...
637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 OU=Software, CN=Microsoft Corporation, L=Washington, S=DC, C=US, OU=Digita...


PS > dir cert:\LocalMachine\Disallowed

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Disallowed


Thumbprint Subject
---------- -------
7D7F4414CCEF168ADF6BF40753B5BECD78375931 OU=Microsoft Corporation, CN=Microsoft Corporation, L=Redmond, S=Washingto...
637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 OU=Software, CN=Microsoft Corporation, L=Washington, S=DC, C=US, OU=Digita...



Try to right click the PS1 files in Windows Explorer > Properties > Digital Signature Tab.
Double click the certificate in the Signature list box. I get a red X saying that:

"A certificate was explicitly REVOKED by its issuer" (Thumbprint: 564E01066387F26C912010D06BD78D3CF1E845AB)


Checking the same procedure on my XP machine (not exchange) returns:

The digital certificate is OK.



Could it be that Microsoft signed the Exchange files with a Revoked certificate???

P.S. your error message includes "...may have been tampered...", I didn't find that on mine.




-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

Hi Together

In our Exchange 2007 SP1 Environment we applied over Group Policy
Management(Machine Policy) a AllSigned Execution Policy for
Powershell.

After then, when we open the Exchange Management Shell we get the
following Error from Powershell:

There were errors in loading the format data file:

Microsoft.Exchange.Management.PowerShell.Admin, D:\Program Files
\Microsoft Exchange\bin\Exchange.format.ps1xml : File skipped because
of validation exception: "
File D:\Program Files\Microsoft Exchange\bin\Exchange.format.ps1xml
cannot be loaded. The contents of file D:\Program Files\Microsoft
Exchange\bin\Exchange.format.ps1xml may have been tampered because the
hash of the file does not match the hash stored in the digital
signature. The script will not execute on the system. Please see "get-
help about_signing" for more details..".

Welcome to the Exchange Management Shell!
......
Here are the basic helptext from the Management Shell as we expect.
......
The other delivered Scripts from Microsoft works fine. It looks like
this is a lack in the Signature from the Exchange specific Formatting
Rules.

Can someone reproduce this Problem?

Thank in Advance.

Ivo Looser



.