about Execution Policies - PowerShell (2024)

  • Article

Short description

Describes the PowerShell execution policies and explains how to manage them.

Long description

PowerShell's execution policy is a safety feature that controls the conditionsunder which PowerShell loads configuration files and runs scripts. This featurehelps prevent the execution of malicious scripts.

On a Windows computer you can set an execution policy for the local computer,for the current user, or for a particular session. You can also use a GroupPolicy setting to set execution policies for computers and users.

Execution policies for the local computer and current user are stored in theregistry. You don't need to set execution policies in your PowerShell profile.The execution policy for a particular session is stored only in memory and islost when the session is closed.

The execution policy isn't a security system that restricts user actions. Forexample, users can easily bypass a policy by typing the script contents atthe command line when they cannot run a script. Instead, the execution policyhelps users to set basic rules and prevents them from violating themunintentionally.

On non-Windows computers, the default execution policy is Unrestricted andcannot be changed. The Set-ExecutionPolicy cmdlet is available, butPowerShell displays a console message that it's not supported. WhileGet-ExecutionPolicy returns Unrestricted on non-Windows platforms, thebehavior really matches Bypass because those platforms do not implement theWindows Security Zones.

PowerShell execution policies

Enforcement of these policies only occurs on Windows platforms. The PowerShellexecution policies are as follows:

  • AllSigned

    • Scripts can run.
    • Requires that all scripts and configuration files be signed by a trustedpublisher, including scripts that you write on the local computer.
    • Prompts you before running scripts from publishers that you haven't yetclassified as trusted or untrusted.
    • Risks running signed, but malicious, scripts.
  • Bypass

    • Nothing is blocked and there are no warnings or prompts.
    • This execution policy is designed for configurations in which a PowerShellscript is built into a larger application or for configurations in whichPowerShell is the foundation for a program that has its own security model.
  • Default

    • Sets the default execution policy.
    • Restricted for Windows clients.
    • RemoteSigned for Windows servers.
  • RemoteSigned

    • The default execution policy for Windows server computers.
    • Scripts can run.
    • Requires a digital signature from a trusted publisher on scripts andconfiguration files that are downloaded from the internet which includesemail and instant messaging programs.
    • Doesn't require digital signatures on scripts that are written on the localcomputer and not downloaded from the internet.
    • Runs scripts that are downloaded from the internet and not signed, if thescripts are unblocked, such as by using the Unblock-File cmdlet.
    • Risks running unsigned scripts from sources other than the internet andsigned scripts that could be malicious.
  • Restricted

    • The default execution policy for Windows client computers.
    • Permits individual commands, but does not allow scripts.
    • Prevents running of all script files, including formatting and configurationfiles (.ps1xml), module script files (.psm1), and PowerShell profiles(.ps1).
  • Undefined

    • There is no execution policy set in the current scope.
    • If the execution policy in all scopes is Undefined, the effectiveexecution policy is Restricted for Windows clients andRemoteSigned for Windows Server.
  • Unrestricted

    • The default execution policy for non-Windows computers and cannot bechanged.
    • Unsigned scripts can run. There is a risk of running malicious scripts.
    • Warns the user before running scripts and configuration files that arenot from the local intranet zone.


    On systems that do not distinguish Universal Naming Convention (UNC) pathsfrom internet paths, scripts that are identified by a UNC path might not bepermitted to run with the RemoteSigned execution policy.

Execution policy scope

You can set an execution policy that is effective only in a particular scope.

The valid values for Scope are MachinePolicy, UserPolicy,Process, CurrentUser, and LocalMachine. LocalMachine is thedefault when setting an execution policy.

The Scope values are listed in precedence order. The policy that takesprecedence is effective in the current session, even if a more restrictivepolicy was set at a lower level of precedence.

For more information, see Set-ExecutionPolicy.

  • MachinePolicy

    Set by a Group Policy for all users of the computer.

  • UserPolicy

    Set by a Group Policy for the current user of the computer.

  • Process

    The Process scope only affects the current PowerShell session. Theexecution policy is saved in the environment variable$env:PSExecutionPolicyPreference, rather than the registry. When thePowerShell session is closed, the variable and value are deleted.

  • CurrentUser

    The execution policy affects only the current user. It's stored in theHKEY_CURRENT_USER registry subkey.

  • LocalMachine

    The execution policy affects all users on the current computer. It's storedin the HKEY_LOCAL_MACHINE registry subkey.

Managing the execution policy with PowerShell

To get the effective execution policy for the current PowerShell session, usethe Get-ExecutionPolicy cmdlet.

The following command gets the effective execution policy:


To get all of the execution policies that affect the current session anddisplay them in precedence order:

Get-ExecutionPolicy -List

The result looks similar to the following sample output:

 Scope ExecutionPolicy ----- ---------------MachinePolicy Undefined UserPolicy Undefined Process Undefined CurrentUser RemoteSigned LocalMachine AllSigned

In this case, the effective execution policy is RemoteSigned because theexecution policy for the current user takes precedence over the executionpolicy set for the local computer.

To get the execution policy set for a particular scope, use the Scopeparameter of Get-ExecutionPolicy.

For example, the following command gets the execution policy for theCurrentUser scope:

Get-ExecutionPolicy -Scope CurrentUser

Change the execution policy

To change the PowerShell execution policy on your Windows computer, use theSet-ExecutionPolicy cmdlet. The change is effective immediately. You don'tneed to restart PowerShell.

If you set the execution policy for the scopes LocalMachine or theCurrentUser, the change is saved in the registry and remains effectiveuntil you change it again.

If you set the execution policy for the Process scope, it's not saved inthe registry. The execution policy is retained until the current process andany child processes are closed.


In Windows Vista and later versions of Windows, to run commands thatchange the execution policy for the local computer, LocalMachine scope,start PowerShell with the Run as administrator option.

To change your execution policy:

Set-ExecutionPolicy -ExecutionPolicy <PolicyName>

For example:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

To set the execution policy in a particular scope:

Set-ExecutionPolicy -ExecutionPolicy <PolicyName> -Scope <scope>

For example:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

A command to change an execution policy can succeed but still not change theeffective execution policy.

For example, a command that sets the execution policy for the local computercan succeed but be overridden by the execution policy for the current user.

Remove the execution policy

To remove the execution policy for a particular scope, set the execution policyto Undefined.

For example, to remove the execution policy for all the users of the localcomputer:

Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope LocalMachine

To remove the execution policy for a Scope:

Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

If no execution policy is set in any scope, the effective execution policy isRestricted, which is the default for Windows clients.

Set a different policy for one session

You can use the ExecutionPolicy parameter of pwsh.exe to set an executionpolicy for a new PowerShell session. The policy affects only the currentsession and child sessions.

To set the execution policy for a new session, start PowerShell at the commandline, such as cmd.exe or from PowerShell, and then use theExecutionPolicy parameter of pwsh.exe to set the execution policy.

For example:

pwsh.exe -ExecutionPolicy AllSigned

The execution policy that you set isn't stored in the registry. Instead, it'sstored in the $env:PSExecutionPolicyPreference environment variable. Thevariable is deleted when you close the session in which the policy is set. Youcannot change the policy by editing the variable value.

During the session, the execution policy that is set for the session takesprecedence over an execution policy that is set in the registry for the localcomputer or current user. However, it doesn't take precedence over theexecution policy set by using a Group Policy.

Use Group Policy to Manage Execution Policy

You can use the Turn on Script Execution Group Policy setting to manage theexecution policy of computers in your enterprise. The Group Policy settingoverrides the execution policies set in PowerShell in all scopes.

The Turn on Script Execution policy settings are as follows:

  • If you disable Turn on Script Execution, scripts do not run. This isequivalent to the Restricted execution policy.

  • If you enable Turn on Script Execution, you can select an executionpolicy. The Group Policy settings are equivalent to the following executionpolicy settings:

    Group PolicyExecution Policy
    Allow all scriptsUnrestricted
    Allow local scripts and remote signed scriptsRemoteSigned
    Allow only signed scriptsAllSigned
  • If Turn on Script Execution is not configured, it has no effect. Theexecution policy set in PowerShell is effective.

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx files addthe Turn on Script Execution policy to the Computer Configuration and UserConfiguration nodes in Group Policy Editor in the following paths.

For Windows XP and Windows Server 2003:

Administrative Templates\Windows Components\Windows PowerShell

For Windows Vista and later versions of Windows:

Administrative Templates\Classic Administrative Templates\Windows Components\Windows PowerShell

Policies set in the Computer Configuration node take precedence over policiesset in the User Configuration node.

For more information, see about_Group_Policy_Settings.

Execution policy precedence

When determining the effective execution policy for a session, PowerShellevaluates the execution policies in the following precedence order:

Group Policy: MachinePolicyGroup Policy: UserPolicyExecution Policy: Process (or pwsh.exe -ExecutionPolicy)Execution Policy: LocalMachineExecution Policy: CurrentUser

Manage signed and unsigned scripts

In Windows, programs like Internet Explorer and Microsoft Edge add an alternatedata stream to files that are downloaded. This marks the file as "coming fromthe Internet". If your PowerShell execution policy is RemoteSigned,PowerShell won't run unsigned scripts that are downloaded from the internetwhich includes email and instant messaging programs.

You can sign the script or elect to run an unsigned script without changing theexecution policy.

Beginning in PowerShell 3.0, you can use the Stream parameter of theGet-Item cmdlet to detect files that are blocked because they were downloadedfrom the internet. Use the Unblock-File cmdlet to unblock the scripts so thatyou can run them in PowerShell.

For more information, see about_Signing,Get-Item, andUnblock-File.


Other methods of downloading files may not mark the files as coming from theInternet Zone. Some examples include:

  • curl.exe
  • Invoke-RestMethod
  • Invoke-WebRequest

Execution policy on Windows Server Core and Window Nano Server

When PowerShell 6 is run on Windows Server Core or Windows Nano Server undercertain conditions, execution policies can fail with the following error:

AuthorizationManager check failed.At line:1 char:1+ C:\scriptpath\scriptname.ps1+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : SecurityError: (:) [], PSSecurityException + FullyQualifiedErrorId : UnauthorizedAccess

PowerShell uses APIs in the Windows Desktop Shell (explorer.exe) to validatethe Zone of a script file. The Windows Shell is not available on Windows ServerCore and Windows Nano Server.

You could also get this error on any Windows system if the Windows DesktopShell is unavailable or unresponsive. For example, during sign on, a PowerShelllogon script could start execution before the Windows Desktop is ready,resulting in failure.

Using an execution policy of ByPass or AllSigned does not require aZone check which avoids the problem.

See also

  • about_Environment_Variables
  • about_Group_Policy_Settings
  • about_Pwsh
  • about_Signing
  • Get-ExecutionPolicy
  • Set-ExecutionPolicy
  • Get-Item
  • Unblock-File
about Execution Policies - PowerShell (2024)


Top Articles
Latest Posts
Article information

Author: Melvina Ondricka

Last Updated:

Views: 5925

Rating: 4.8 / 5 (68 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.