Here, I attempt to answer the rhetorical question, “Why does Microsoft PowerShell suck so badly?” Where to begin…? It has such promise; it’s clear that someone has spent much time coding everything. Ultimately, there appears to be power under that shell and it’s probably truthful to its name. But if you can’t use the tool in the real world, it should be renamed to Microsoft PowerlessShell.
It’s almost like a group of scientists in a desert setting somewhere—think “Manhattan Project”—created a collection of methods useful for annihilating the planet and then as almost an afterthought, enough preventive controls were placed upon its use that literally nobody could in fact blow anything up.
Today’s task is to automate the creation of a VPN button for Windows 10-based remote users here at the office. End-users then in theory can just double-click a PowerShell script that I’ve placed on a SharePoint server. I would then individually share the link with them which would remotely install the new VPN profile. Sounds easy enough. In fact, it sounds much easier than the two-page long tutorial in a Word document which attempts to educate them how to do all this manually. Have you ever seen how long an L2TP shared key phrase can be? It’s pretty bad. Just think of all the support calls I’m going to get if I can’t script this.
Is the PowerShell documentation easy to use? Hell no, it’s not. I’ve just spent a full hour trying to piece together the script required from this hobbled-together documentation on Add-VpnConnection. Does my script work under a test rig? I wish I knew, because at the moment I can’t actually run the script in any form or fashion because Microsoft doesn’t want me to.
Now granted, I’m an Administrative user on my newly-upgraded Windows 10 laptop. The script fails with some terse error message which suggests that I need to run the PowerShell command as Administrator. Well, that would foil things here in the real world because I’m trying to have the end-users run this script remotely so that I—the administrator—don’t have to be there in the first place.
So I doggedly trudge ahead and end my session and open up PowerShell by right-mouse clicking it and choosing Run As Administrator. And yet, this still doesn’t work. This time it fails with another terse error message which suggests that Set-ExecutionPolicy might help. I then research this to find that “Unrestricted” is the probable attribute but when attempting to run this, I get another terse error message suggesting that I can’t change the policy. Seriously?
I could now go back to my earlier research and re-learn how to digitally sign a script so that I can run it. But the process to create and to troubleshoot a script usually requires multiple iterations before the script works perfectly. And this is especially true since nobody yet on the Internet has provided a good example for creating a VPN tunnel to a SonicWall over L2TP/IPsec with a pre-shared secret and authenticating to the firewall instead of the domain controller. Designing a script like this takes trial and error. Adding a signing phase between each script attempt effectively means: I’m not going to do this.
In short, this is why Microsoft PowerShell sucks. If you have to sign scripts just to run them while testing then it’s not worth the effort. Why not include a button in the PowerShell IDE which allows me to “Sign & Execute” my script attempt? And if I don’t have a digital certificate then open a dialog box to gather the information to magically make this happen. Or even better, just allow me to create and run scripts without all the nonsense. How about a big toggle that says “Unsafe Mode” versus “Safe Mode”?
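The “Sign & Execute” loop wished for above can be scripted. What follows is an added example, not code from the original post: it assumes Windows PowerShell 5.1 on Windows 10, and `Invoke-SignedScript`, the certificate subject and the script path in the usage comment are hypothetical names. It creates a self-signed code-signing certificate once for the current user on a test machine, then re-signs and runs the script on every call.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 on Windows 10.
# Invoke-SignedScript and the certificate subject are hypothetical names.
function Invoke-SignedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Subject = 'CN=Script Dev Test Signing'
    )
    # Resolve to a full path so the call operator below runs the file itself.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Reuse an unexpired code-signing certificate for this subject, or create one.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
            -CertStoreLocation Cert:\CurrentUser\My
        # A self-signed certificate only validates once this user trusts its public
        # half as a root and as a publisher. Windows may ask to confirm the Root import.
        $cer = Join-Path $env:TEMP 'script-dev-signing.cer'
        Export-Certificate -Cert $cert -FilePath $cer | Out-Null
        foreach ($store in 'Root', 'TrustedPublisher') {
            Import-Certificate -FilePath $cer -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
        }
        Remove-Item -LiteralPath $cer
    }

    # Re-sign on every call: any edit to the file invalidates the previous signature.
    $sig = Set-AuthenticodeSignature -FilePath $full -Certificate $cert
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for ${full}: $($sig.StatusMessage)"
    }
    & $full
}

# Shows the policy at each scope. A value set at MachinePolicy or UserPolicy comes
# from Group Policy, and Set-ExecutionPolicy cannot override it.
Get-ExecutionPolicy -List

# Edit, then sign and run in one step (the script path is a placeholder):
# Invoke-SignedScript -Path .\New-VpnProfile.ps1
```

The trust added here covers only the current user on the machine where the function runs; a script handed to end-users would need a signature from a certificate their machines already trust.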