Set-ExecutionPolicy - PowerShell - SS64.com (2024)

Change the user preference for the execution policy of the shell.

Syntax
      Set-ExecutionPolicy [-executionPolicy] Policy
        { Unrestricted | RemoteSigned | AllSigned | Restricted | Default | Bypass | Undefined}
           [[-Scope] ExecutionPolicyScope ] [-Force]
              [-whatIf] [-confirm] [CommonParameters]

Key
   -ExecutionPolicy Policy
       A new execution policy for the shell.

       Valid values:

       Restricted
       Do not load configuration files or run scripts.
       This is the default.

       AllSigned
       Require that all scripts and configuration files be signed by a trusted
       publisher, including scripts that you write on the local computer.

       RemoteSigned
       Require that all scripts and configuration files downloaded from the
       Internet be signed by a trusted publisher.

       Unrestricted
       Load all configuration files and run all scripts.
       If you run an unsigned script that was downloaded from the internet,
       you are prompted for permission before it runs.

       Bypass
       Nothing is blocked and there are no warnings or prompts.

       Undefined
       Remove the currently assigned execution policy from the current scope.
       This parameter will not remove an execution policy that is set in a
       Group Policy scope.

   -Force
       Suppress all prompts.
       By default, Set-ExecutionPolicy displays a warning whenever the
       execution policy is changed.

   -Scope ExecutionPolicyScope
       The scope of the execution policy.

       Valid values:
         Process        Affect only the current PowerShell process.
         CurrentUser    Affect only the current user.
         LocalMachine   Affect all users of the computer.

       To remove an execution policy from a particular scope, set the
       execution policy for that scope to Undefined.

   -WhatIf
       Describe what would happen if you executed the command without
       actually executing the command.

   -Confirm
       Prompt for confirmation before executing the command.

In order to change the Execution policy, you must be running PowerShell As Administrator.

ExecutionPolicy is like a baby door. The ExecutionPolicy keeps babies safe but every grown-up surpasses it easily. There are over 20 ways to surpass the ExecutionPolicy as a standard user. Therefore you should set it via GPO as you like it. (e.g. RemoteSigned)
It may prevent some people using PowerShell scripts from the internet but you should not count on it.

System-wide PowerShell Execution Policies have never been a way to prevent the user from doing something they want to do. That job is left to the Windows Account Model, which is a security boundary. [x]

Running unsigned scripts

Even if the PowerShell execution policy is set to RemoteSigned it is still possible to run unsigned scripts:

Save the script file on your computer, right-click the file, and click "Properties".
At the bottom of the dialogue box, click "Unblock".

Alternatively, copy the text into a brand new text file and save it with a .ps1 extension.
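
Because "Unblock" is all that separates a downloaded script from a local one, it is useful to see which scripts still carry the download marker and which are signed. The following is an added example, not part of the original SS64 page; it assumes Windows PowerShell 3.0 or later on NTFS, and the folder in $ScriptRoot is a hypothetical path to change as needed.

```powershell
# Added example: list .ps1 files with their Mark of the Web and Authenticode
# status, to show which ones RemoteSigned would treat as downloaded.
$ScriptRoot = "$env:USERPROFILE\Downloads"   # hypothetical folder to audit

$audit = Get-ChildItem -LiteralPath $ScriptRoot -Filter *.ps1 -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Windows records where a file came from in the Zone.Identifier
        # alternate data stream; "Unblock" deletes that stream.
        $zone = $null
        $ads  = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            $match = $ads | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
            if ($match) { $zone = [int]$match.Matches[0].Groups[1].Value }
        }

        # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # ZoneId 3 = Internet, 4 = Restricted sites.
        $remote = ($null -ne $zone) -and ($zone -ge 3)

        [pscustomobject]@{
            Path                 = $_.FullName
            ZoneId               = $zone
            MarkedAsDownloaded   = $remote
            SignatureStatus      = $sig.Status
            # Marked as downloaded and without a valid signature:
            # RemoteSigned refuses to run these until they are signed or unblocked.
            UnsignedFromInternet = $remote -and ($sig.Status -ne 'Valid')
        }
    }

$audit | Sort-Object -Property UnsignedFromInternet -Descending | Format-Table -AutoSize
```

A script with no ZoneId and no signature is indistinguishable from one written locally, which is why RemoteSigned alone says nothing about where such a file came from.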

Bypass Execution policy completely

Microsoft never intended Execution policies to be a complete security control, so there are several ways to bypass them completely:

Pipe the contents of a script file to the standard input (stdin) of PowerShell.exe:
Get-Content .\demo.ps1 | PowerShell.exe -noprofile -

Or launch a one liner with invoke-command:
Invoke-Command -computername Server64 -scriptblock {Write-Host "demo"}

Several other methods can be found on the NetSPI blog.

Change Execution policy once only...

To run a single PowerShell session with a different execution policy, use powershell.exe -ExecutionPolicy. This will not affect the default policy setting for any future sessions.

64 bit vs 32 bit Execution policies

A 64-bit system includes both the 64-bit and 32-bit versions of PowerShell. Each can have a different execution policy, so you may wish to set both.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe = 64bit version
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe = 32bit version

Examples

Set the user preference for the shell execution policy to RemoteSigned and then display the effective execution policy. The commands are separated by a semicolon (;)

PS C:\> Set-ExecutionPolicy remotesigned; Get-ExecutionPolicy

Get the execution policy from a remote computer, server64 and apply that execution policy to the local computer:

PS C:\> Invoke-Command -computername Server64 -scriptblock {Get-ExecutionPolicy} |
Set-ExecutionPolicy -force

Set an execution policy of AllSigned for the current user, then list the execution policies set in each scope:

PS C:\> Set-ExecutionPolicy -scope CurrentUser -executionPolicy AllSigned -force
PS C:\> Get-ExecutionPolicy -list

Set an execution policy value of Undefined to effectively remove the execution policy that is set for the current user scope. As a result, the execution policy that is set in Group Policy or in the LocalMachine (all users) scope is effective:

PS C:\> Set-ExecutionPolicy -scope CurrentUser -executionPolicy Undefined

If the execution policy in all scopes is set to Undefined and the Group Policy is not set, the default execution policy, Restricted, is effective for all users of the computer.
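
The scope precedence described here and the separate 64-bit and 32-bit hosts described earlier can be checked in one pass. The following is an added example, not part of the original SS64 page; it assumes it is run from 64-bit Windows PowerShell and relies on Get-ExecutionPolicy -List returning scopes in precedence order (the Group Policy scopes MachinePolicy and UserPolicy first, then Process, CurrentUser, LocalMachine).

```powershell
# Added example: show, for each Windows PowerShell host, the policy in every
# scope, which scope decides the effective policy, and whether it is permissive.
$hosts = [ordered]@{
    '64-bit' = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
    '32-bit' = "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
}

# Policies that run unsigned local scripts with no signature requirement.
$permissive = 'Unrestricted', 'Bypass'

# Child command: one "Scope=Policy" line per scope. Single quotes only, so the
# text survives being passed on a native command line.
$query = 'Get-ExecutionPolicy -List | ForEach-Object { ''{0}={1}'' -f $_.Scope, $_.ExecutionPolicy }'

$report = foreach ($name in $hosts.Keys) {
    $exe = $hosts[$name]
    if (-not (Test-Path -LiteralPath $exe)) { continue }   # host not installed

    # Note: a Process-scope policy set in this session is inherited by the child.
    $lines = & $exe -NoProfile -NonInteractive -Command $query

    # The first scope that is not Undefined is the one that takes effect.
    $winner = $null
    foreach ($line in $lines) {
        $scope, $policy = $line -split '=', 2
        if (-not $winner -and $policy -ne 'Undefined') { $winner = $scope }

        [pscustomobject]@{
            Host       = $name
            Scope      = $scope
            Policy     = $policy
            Effective  = ($scope -eq $winner)
            Permissive = ($policy -in $permissive)
        }
    }
}

$report | Format-Table -AutoSize

# Rows worth a second look: a permissive policy that is actually in effect.
$report | Where-Object { $_.Effective -and $_.Permissive }
```

If no row is marked Effective for a host, every scope is Undefined and the default policy applies.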

“Laughing on the way to your execution is not generally understood by less-advanced life forms, and they call you crazy” ~ Richard Bach

Related PowerShell Cmdlets

Set-AuthenticodeSignature - Sign a PowerShell script.
Get-ExecutionPolicy - Get the execution policy for the shell.

Copyright © 1999-2024 SS64.com
Some rights reserved
