Resolving “Access Denied to PowerShell ExecutionPolicy Registry Key” in Windows Server Environments


1 views

When attempting to modify PowerShell's execution policy on Windows Server 2008 (or newer versions), administrators often encounter this registry access denial error. The problem stems from insufficient permissions to modify the PowerShell configuration registry keys, even when running as Administrator.

First, verify your current execution policy and permissions:

# Check current execution policy
Get-ExecutionPolicy -List

# Test registry access
Test-Path -Path "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"

Method 1: Using the -Scope Parameter

For current user only (avoids HKLM modification):

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Method 2: PowerShell Run As Administrator

Even if you're logged in as admin, explicitly run PowerShell elevated:

Start-Process powershell -Verb RunAs -ArgumentList "Set-ExecutionPolicy RemoteSigned -Force"

Method 3: Manual Registry Modification

For advanced cases requiring HKLM changes:

# Take ownership first
Takeown /F "C:\Windows\System32\WindowsPowerShell\v1.0" /A /R
icacls "C:\Windows\System32\WindowsPowerShell\v1.0" /grant Administrators:F /T

# Then modify registry
$regPath = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
Set-ItemProperty -Path $regPath -Name ExecutionPolicy -Value "RemoteSigned"

In domain environments, Group Policy might override local settings. Check with:

Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name ExecutionPolicy -ErrorAction SilentlyContinue
  • Disable UAC temporarily if the above methods fail
  • Check for antivirus software blocking registry access
  • Verify no PowerShell processes are running during policy change

When attempting to modify PowerShell's execution policy on Windows Server 2008, you might encounter the registry access denied error even when running as Administrator. This typically occurs because:

  • The PowerShell session isn't elevated properly
  • Group Policy restrictions are in place
  • The registry key has specific permissions set
  • UAC (User Account Control) is interfering

Try these commands in sequence:

Start-Process powershell -Verb runAs
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Get-ExecutionPolicy -List

Method 1: Run PowerShell as Elevated Administrator

  1. Right-click PowerShell shortcut
  2. Select "Run as administrator"
  3. Verify elevation with: [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
  4. Retry the ExecutionPolicy command

Method 2: Modify Registry Permissions

$regPath = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
$acl = Get-Acl $regPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("BUILTIN\Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $regPath -AclObject $acl

If the issue persists, check for:

# Check Group Policy settings
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Alternative execution policy scope
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

# Verify PowerShell version compatibility
$PSVersionTable.PSVersion

For domain-joined servers, consider deploying via Group Policy:

  1. Open Group Policy Management Console
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
  3. Enable "Turn on Script Execution" and set preference level