Home > Powershell > Powershell Execution Policies

Powershell Execution Policies

Windows Powershell execution polices let you determine the conditions under which Powershell loads configuration files (.ps1xml), module script files (.psm1) and scripts (.ps1).    By defaut Powershell doesn’t permit any of these files as it’s default execution policy is set to Restricted.  The available execution policies are as follows and can be found by running Help About_Execution_Policies

There are 5 available scopes that can be configured using the policies above and they can viewed by running Get-Executionpolicy -List.

Powershell evaluates the current execution policy based on scope  precedence, with MachinePolicy being the highest and LocalMachine the lowest.   Both MachinePolicy and UserPolicy can only be configured via Group Policy and are located in Computer or Users Configuration\Policies\Administrative Templates\Windows Components\Windows Powershell.   Both GPO scopes can only be configured to use Unrestricted, RemoteSigned and AllSigned which makes them more restricted.  The remaining scopes can take advantage of all policies with Bypass being the most lenient.   By default all scopes are Undefined which set’s the execution policy to Restricted thereby no scripts are allowed to run.   The execution policy can be configured for the current scope by using Set-Executionpolicy which defines the LocalMachine scope.

As you can ssee I’ve changed the default scope to RemoteSigned, which permits local scripts to run but requires scripts downloaded from the Internet to be digitally signed.  It’s possible to change the CurrentUser scope by using the -Scope parameter.  Below I’ve changed the scope for the CurrentUser to Bypass.

This now permits the current user the ability to run all scripts but all other users will need to have remote scripts digitaly signed.   I recently needed to execute a powershell script in the All Programs\Startup folder on a machine that is running the default execution policy of Restricted.   This was possible by creating a .bat file that included the following line of code:

Powershell -executionpolicy bypass -file “C:\test\install.ps1”

This runs the in the Process scope and affects only the current Powershell session.  The execution policy is stored in the $PSExecutionPolicyPreference Environmental variable.  This value is deleted when the session in which the policy is set is closed.

Categories: Powershell Tags:
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: