PowerShell Execution Policy
In this tutorial we will look at the PowerShell execution policy. The execution policy specifies the conditions under which PowerShell loads configuration files and runs scripts. You can set the execution policy for the following:
- Local Computer
- Current User
- A specific session
The execution policy for the local computer and for the current user is stored in the registry, so you can use Group Policy to set the execution policy for users and computers. The execution policy for a specific session is stored only in memory, so there is no need to set execution policies in your PowerShell profile; the execution policy for a specific session is lost when the session closes.
The execution policy is not able to restrict user actions, and you should not consider it a security system. It does not stop a user from running code; it prevents unintentional actions. If a user cannot run a script on a computer because of the execution policy, typing or pasting the code into the console or PowerShell ISE and running it there works normally.
PowerShell Execution Policy Modes
Now let's see the modes that are available for us to set in PowerShell. For each mode, I will provide some points as they are provided by Microsoft. The default execution policy is Restricted.
Restricted
- Default execution policy in Windows 8, Windows Server 2012, Windows 8.1 and Windows 10.
- Permits individual commands, but will not run scripts.
- Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
AllSigned
- Scripts can run.
- Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
- Prompts you before running scripts from publishers that you have not yet classified as trusted or untrusted.
- Risks running signed, but malicious, scripts.
RemoteSigned
- Scripts can run. This is the default execution policy in Windows Server 2012 R2 and Windows Server 2016.
- Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the Internet (including e-mail and instant messaging programs).
- Does not require digital signatures on scripts that you have written on the local computer (not downloaded from the Internet).
- Runs scripts that are downloaded from the Internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
- Risks running unsigned scripts from sources other than the Internet and signed, but malicious, scripts.
Unrestricted
- Unsigned scripts can run. (This risks running malicious scripts.)
- Warns the user before running scripts and configuration files that are downloaded from the Internet.
Bypass
- Nothing is blocked and there are no warnings or prompts.
- This execution policy is designed for configurations in which a PowerShell script is built in to a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.
Undefined
- There is no execution policy set in the current scope.
- If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy.
Execution Policy Scopes
As we mentioned before, PowerShell execution policies can be set in different scopes. An execution policy is effective in only one scope. The available scopes, listed in precedence order, are:
- MachinePolicy (set through Group Policy for all users of the computer)
- UserPolicy (set through Group Policy for the current user)
- Process (the current PowerShell session only)
- CurrentUser
- LocalMachine
The default scope when we set the execution policy is LocalMachine.
When we set the execution policy with the Process scope, it affects only the current session, that is, only the current PowerShell process. A policy that affects only the current session is stored in the $env:PSExecutionPolicyPreference environment variable and is deleted when the session closes. You will not find this policy in the registry, because it is not stored there, and you cannot change the policy by editing the variable's value.
When the execution policy scope is set to CurrentUser, it affects only the current user. This execution policy is stored in the HKEY_CURRENT_USER registry subkey.
When the execution policy scope is set to LocalMachine, it affects all users on the current computer. This execution policy is stored in the HKEY_LOCAL_MACHINE registry subkey.
If different execution policies are set in different scopes, the effective policy is the one with the Process scope, as it has the highest precedence of the scopes you can set with Set-ExecutionPolicy. It does not matter if a more restrictive policy is set at a lower level; that policy has no effect.
Get the Execution Policy
In this section we will see how to find the execution policy that is in effect and the current execution policies for each scope.
To see the execution policy currently in effect, run the Get-ExecutionPolicy cmdlet. To see the current execution policies for each scope, use the -List parameter of the cmdlet.
The above screenshot shows my current execution policies on my computer.
If you need to see the current execution policy for a specific scope only, the -Scope parameter of the cmdlet provides that information:
Get-ExecutionPolicy -Scope <Scope Name>
Get-ExecutionPolicy -Scope CurrentUser
Get-ExecutionPolicy -Scope LocalMachine
Get-ExecutionPolicy -Scope Process
Set your Execution Policy
You can change your PowerShell execution policy. The change takes effect immediately; you do not need to restart PowerShell. If the change is made in the LocalMachine or CurrentUser scope, it is stored in the registry, as mentioned before, and remains until you change it again. If you change the execution policy for the current session, the policy is removed as soon as you close the session. To change the PowerShell execution policy, use the command below:
Set-ExecutionPolicy -ExecutionPolicy <Execution Policy Name>
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Get-ExecutionPolicy
Please note that on Windows Vista and later versions, changing the execution policy for LocalMachine requires running PowerShell as Administrator. If you do not run PowerShell as Administrator, you will see the error below.
If you want to change the execution policy in a specific scope, use the -Scope parameter of the cmdlet:
Set-ExecutionPolicy -ExecutionPolicy <Execution Policy Name> -Scope <Scope Name>
Get-ExecutionPolicy -Scope Process
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Get-ExecutionPolicy -Scope Process
Remove Execution Policy
You can remove the execution policy from a scope by setting the execution policy in that scope to Undefined:
Set-ExecutionPolicy -ExecutionPolicy Undefined
If you set the execution policy in all scopes to Undefined, the execution policy in effect is Restricted, which is the default execution policy.
Set execution policy for one session
The -ExecutionPolicy parameter of powershell.exe allows you to set a different execution policy for the new session. This execution policy applies only to that session and any child sessions, and it is stored in the $env:PSExecutionPolicyPreference environment variable. After you close the session and all its child sessions, the variable is deleted. You cannot change the value of the variable. During the session, the execution policy set for the session takes precedence over an execution policy set in the registry for the local computer or current user. However, it does not take precedence over an execution policy set by using a Group Policy setting.
To set a different execution policy for one session only, start PowerShell from cmd.exe or from PowerShell using the following:
powershell.exe -ExecutionPolicy Unrestricted
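The Get/Set/Undefined and one-session steps above, put together as an added audit example (this is not code from the original tutorial). It computes the effective policy from the per-scope list, flags permissive persistent scopes, and demonstrates that a Process-scope policy overrides CurrentUser and LocalMachine without touching the registry. Assumes Windows PowerShell 3.0 or later; the function name Get-ExecutionPolicyReport is my own.

```powershell
# Added example (not from the original tutorial): audit the execution policy
# across scopes, work out which scope decides it, and show that a Process-scope
# policy overrides persistent scopes. Assumes Windows PowerShell 3.0 or later.
function Get-ExecutionPolicyReport {
    # Get-ExecutionPolicy -List returns the scopes in precedence order
    # (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
    $scopes = Get-ExecutionPolicy -List

    # The effective policy is the first scope that is not Undefined;
    # if every scope is Undefined, PowerShell falls back to Restricted.
    $winner   = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1
    $computed = if ($winner) { $winner.ExecutionPolicy } else { 'Restricted' }

    # Cross-check the reasoning against what PowerShell itself reports.
    $effective = Get-ExecutionPolicy
    if ("$computed" -ne "$effective") {
        Write-Warning "Computed $computed but PowerShell reports $effective"
    }

    # Persistent scopes set to Unrestricted or Bypass deserve a flag: they
    # silence the warnings and signature checks for downloaded scripts.
    $weak = $scopes | Where-Object {
        $_.Scope -in 'CurrentUser', 'LocalMachine' -and
        $_.ExecutionPolicy -in 'Unrestricted', 'Bypass'
    }

    [pscustomobject]@{
        Effective      = $effective
        DecidedBy      = if ($winner) { $winner.Scope } else { 'Default (all Undefined)' }
        WeakPersistent = @($weak | ForEach-Object { $_.Scope })
    }
}

# Demonstrate precedence: a Process-scope policy lives in memory only and wins
# over CurrentUser/LocalMachine, so it needs no admin rights and no registry change.
$before = Get-ExecutionPolicyReport
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
$during = Get-ExecutionPolicyReport
# powershell.exe -ExecutionPolicy uses the same mechanism; the child process
# exposes its session policy through $env:PSExecutionPolicyPreference.
$child = powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -Command '$env:PSExecutionPolicyPreference'
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope Process -Force   # restore the session
$after = Get-ExecutionPolicyReport

"Before: {0} (decided by {1})" -f $before.Effective, $before.DecidedBy
"During: {0} (decided by {1})" -f $during.Effective, $during.DecidedBy
"Child:  $child"
"After:  {0} (decided by {1})" -f $after.Effective, $after.DecidedBy
if ($before.WeakPersistent) { Write-Warning "Permissive persistent scopes: $($before.WeakPersistent -join ', ')" }
```

If a Group Policy setting is in force, the "During" line still shows the Group Policy value, because the MachinePolicy and UserPolicy scopes sit above Process in the list.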
Manage Execution Policy with Group Policy
You are able to manage PowerShell Execution Policy by using Group Policy. In Group Policy you can change “Turn on Script Execution” setting to manage the execution policy on your computers in your enterprise environment. The Group Policy setting overrides the execution policies set in Windows PowerShell in all scopes.
The available options for the “Turn on Script Execution” setting are:
- Disabled – Scripts do not run. This is equivalent to the “Restricted” execution policy.
- Enabled – You can select an execution policy. The Group Policy settings are equivalent to the following execution policy settings:
  - Allow all scripts – Unrestricted execution policy
  - Allow local scripts and remote signed scripts – RemoteSigned execution policy
  - Allow only signed scripts – AllSigned execution policy
- Not Configured – Has no effect. The execution policy set in PowerShell is effective.
The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx files add the “Turn on Script Execution” policy to the Computer Configuration and User Configuration nodes in Group Policy Editor at the following paths:
For Windows XP and Windows Server 2003: Administrative Templates\Windows Components\Windows PowerShell
For Windows Vista and later versions of Windows: Administrative Templates\Classic Administrative Templates\Windows Components\Windows PowerShell
Policies set in the Computer Configuration node take precedence over policies set in the User Configuration node.
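An added example (not part of the original tutorial) that reports whether the “Turn on Script Execution” setting or a local scope decides the effective policy, translating the setting's stored values into the execution policy names given above. The registry paths and the EnableScripts/ExecutionPolicy value names are the standard ones written by this setting's ADMX template, stated here from knowledge rather than from the page; the function name is my own.

```powershell
# Added example (not from the original tutorial): find out what decides the
# effective execution policy, Group Policy or a local scope, and map the
# "Turn on Script Execution" registry values to execution policy names.
# Paths/value names are the standard ones for this policy setting (assumption).
function Get-ScriptExecutionPolicySource {
    $gpKeys = [ordered]@{
        'Computer Configuration' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        'User Configuration'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }
    # Computer Configuration is evaluated first, so it wins when both are set.
    foreach ($node in $gpKeys.Keys) {
        $key = $gpKeys[$node]
        if (-not (Test-Path $key)) { continue }             # Not Configured: no key
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props.EnableScripts) { continue }   # Not Configured: no value

        # Disabled (EnableScripts = 0) -> Restricted; Enabled -> the selected policy
        # (Unrestricted, RemoteSigned or AllSigned) stored in the ExecutionPolicy value.
        $policy = if ($props.EnableScripts -eq 0) { 'Restricted' } else { $props.ExecutionPolicy }

        # The same value surfaces as the MachinePolicy / UserPolicy scope.
        $scope = if ($node -eq 'Computer Configuration') { 'MachinePolicy' } else { 'UserPolicy' }
        return [pscustomobject]@{
            Source          = "Group Policy: $node"
            Policy          = $policy
            ReportedByScope = Get-ExecutionPolicy -Scope $scope
            Enforced        = $true
            Note            = 'Set-ExecutionPolicy cannot override this in any scope.'
        }
    }

    # No Group Policy setting: Process, CurrentUser or LocalMachine decides.
    $local = Get-ExecutionPolicy -List |
        Where-Object { $_.Scope -notin 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    [pscustomobject]@{
        Source          = if ($local) { "Execution Policy: $($local.Scope)" } else { 'Default' }
        Policy          = if ($local) { $local.ExecutionPolicy } else { 'Restricted' }
        ReportedByScope = Get-ExecutionPolicy
        Enforced        = $false
        Note            = 'Changeable with Set-ExecutionPolicy in the scope shown.'
    }
}

Get-ScriptExecutionPolicySource | Format-List
```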
Execution Policy Precedence
When determining the effective execution policy for a session, PowerShell evaluates the execution policies in the following precedence order:
- Group Policy: Computer Configuration
- Group Policy: User Configuration
- Execution Policy: Process (or powershell.exe -ExecutionPolicy)
- Execution Policy: CurrentUser
- Execution Policy: LocalMachine
Manage Signed and Unsigned Scripts
If you set the PowerShell execution policy to RemoteSigned, PowerShell will not run unsigned scripts that are downloaded from the Internet (including e-mail and instant messaging programs). You can sign the script or elect to run an unsigned script without changing the execution policy. Beginning in Windows PowerShell 3.0, you can use the Stream parameter of the Get-Item cmdlet to detect files that are blocked because they were downloaded from the Internet, and you can use the Unblock-File cmdlet to unblock the scripts so that you can run them in PowerShell.
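The Get-Item -Stream and Unblock-File approach described above, as an added example that is not part of the original tutorial: it inventories the scripts in a folder, reads the Zone.Identifier stream that marks downloaded files, checks each script's Authenticode signature, and unblocks only scripts whose signature is Valid when asked to. The function name and the C:\Scripts path are placeholders of my own.

```powershell
# Added example (not from the original tutorial): report which .ps1 files carry
# the Internet download mark (Zone.Identifier stream), what their signature
# status is, and optionally unblock only the validly signed ones.
# Requires Windows PowerShell 3.0 or later for -Stream and -File.
function Get-DownloadedScriptReport {
    param(
        [Parameter(Mandatory)] [string] $ScriptRoot,
        [switch] $UnblockSigned     # opt in to unblocking; the default is report only
    )
    Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -File -Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream errors when the stream is absent; absent means "not downloaded".
        $stream = Get-Item -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($stream) {
            # ZoneId 3 = Internet, 4 = Restricted sites: the zones RemoteSigned blocks.
            $zoneLine = Get-Content -Path $file.FullName -Stream Zone.Identifier |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($zoneLine -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        $unblocked = $false
        if ($UnblockSigned -and $stream -and $sig.Status -eq 'Valid') {
            # Remove the download mark only when the signature chains to a trusted publisher.
            Unblock-File -Path $file.FullName
            $unblocked = $true
        }

        [pscustomobject]@{
            Script          = $file.FullName
            MarkOfTheWeb    = [bool]$stream
            ZoneId          = $zoneId
            SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Unblocked       = $unblocked
        }
    }
}

# Report only; add -UnblockSigned to remove the block from validly signed scripts.
Get-DownloadedScriptReport -ScriptRoot 'C:\Scripts' | Format-Table -AutoSize
```

Unsigned downloaded scripts stay blocked in the report, so a RemoteSigned policy continues to refuse them until someone deliberately reviews and unblocks them.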
I hope the tutorial about PowerShell Execution Policy is helpful.
Please let me know your comments and thoughts.
Your feedback is appreciated.
- About Execution Policies – Microsoft Docs
- Get-ExecutionPolicy – Microsoft Docs
- Set-ExecutionPolicy – Microsoft Docs
- Get-Item – Microsoft Docs
- Get-Item for FileSystem – Microsoft Docs
- Unblock-File – Microsoft Docs