Change Default PSSession Configuration

Hi,

I'm not sure if this is at all possible & I can't find any documentation that suggests it is, so I'm hoping someone here might be able to answer the questions.

I've created a PowerShell toolkit that I want to install on production servers. This toolkit contains a series of diagnostic utilities to do things like take memory dumps and upload them to a shared storage location.

I can register a restricted PS-Session configuration, using Register-PSSessionConfiguration, which includes a custom script that restricts the cmdlets available, but loads the utilities. This all works perfectly and we're very happy with the solution.

The issue I have is that a user can enter this restricted environment by using:

Enter-PsSession REMOTEHOST -ConfigurationName "MyConfiguration"

But they can also access an unrestricted remote shell by just using:

Enter-PsSession REMOTEHOST

Is there any way to configure the default PSSessionConfiguration to use my restricted environment script?

Many thanks,

March 24th, 2015 12:18pm

What script are you talking about? An environment is just an endpoint. Are you asking how to have it start the script? By using the config name it does that. Without the name the user gets access to the default session. If you don't want users to access the default session then do not make them administrators or set the restrictions on the default session to a special group of admins that does not include those you want to revoke access for.

March 24th, 2015 12:32pm

Hi Howard,

Agree with Jrv, you can restrict the PSSession configuration by changing permission.

In addition, whenever you run a remoting cmdlet without specifying a session configuration, Windows PowerShell uses the session configuration defined in the preference variable $PSSessionConfigurationName. The session configuration that is used on the server side is controlled by the client side. This makes sense, the caller can choose which session configuration you need.

You can change the preference variable $PSSessionConfigurationName on clients:

$PSSessionConfigurationName = 'http://schemas.microsoft.com/powershell/MyConfiguration'

If there is anything else regarding this issue, please feel free to post back.


Best Regards,

Anna Wang

TechNet Community Support

March 25th, 2015 4:38am

Script is the Startup Script when you create a PS Session Configuration.

Register-PSSessionConfiguration -Name "MyConfig" -StartupScript "MyScript.ps1"

A bit more detail - the remote machines are actually Azure Cloud Service Worker Roles. The only user on the machine is the Remote Desktop user that can be specified at deployment time. This user does have local admin privileges - so they can do anything - but what I would like to do is set the default WinRM endpoint to execute our StartUp Script which restricts the environment to just the set of diagnostic cmdlets.

Does that make more sense?


March 25th, 2015 4:45am

Hi Anna,

So is there no way, on the server side, to force all remote connections to run a specific startup script that we can use to restrict the environment? I've replied to Jrv with a little more contextual information.

Many thanks,

Howard

March 25th, 2015 4:46am
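
The server-side restriction Jrv describes above (limiting the default session to a special group), as an added example that is not part of the thread. It assumes a hypothetical group named 'CONTOSO\FullRemotingAdmins' and the restricted endpoint name 'MyConfiguration' from the question; it applies the same access list to every endpoint other than the restricted one, so the built-in 32-bit and workflow endpoints are covered as well as the default Microsoft.PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread.
$RestrictedEndpoint = 'MyConfiguration'              # endpoint name from the question
$FullAccessGroup    = 'CONTOSO\FullRemotingAdmins'   # hypothetical group (assumption)

function New-EndpointSddl {
    # Build an SDDL string whose DACL grants full access (GA) to one account only.
    param([Parameter(Mandatory)][string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # Owner: Network Service, group: Builtin Administrators, protected DACL, one allow ACE.
    "O:NSG:BAD:P(A;;GA;;;$sid)"
}

# 1. Record who can connect to each endpoint before changing anything.
Get-PSSessionConfiguration | Format-Table Name, Permission -AutoSize -Wrap

# 2. Restrict every endpoint except the restricted one to the dedicated group.
$sddl = New-EndpointSddl -Account $FullAccessGroup
Get-PSSessionConfiguration |
    Where-Object { $_.Name -ne $RestrictedEndpoint } |
    ForEach-Object {
        Set-PSSessionConfiguration -Name $_.Name -SecurityDescriptorSddl $sddl -Force
    }

# 3. Confirm the result. A plain "Enter-PSSession REMOTEHOST" from an account outside
#    the group is now refused, while -ConfigurationName MyConfiguration still works
#    for accounts permitted on that endpoint.
Get-PSSessionConfiguration | Format-Table Name, Permission -AutoSize -Wrap
```

These are access controls on the endpoints, so an account with local administrator rights on the server can change them back; the restriction only holds for accounts that are not administrators there.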
