The execution policy is one of the safety measures in Windows PowerShell. It defines which scripts, if any, must be digitally signed before they will run, as well as whether you can import configuration files (including your Windows PowerShell profile) and run scripts.
Learn about PowerShell execution policies and how to use the Set-ExecutionPolicy cmdlet to control them, so that you can run scripts with an execution policy in place.
What is an Execution Policy?
PowerShell execution policies are a safety measure that keeps your system from running dangerous scripts. They govern script execution only; they do not prevent you from running PowerShell code interactively in the console as a shell.
According to Microsoft, an execution policy is more like a gate you can open and close than it is a “security” feature. After all, it’s simple to get around an established execution policy.
Execution policies are built on trust. A script that you trust has a good likelihood of not being malicious. Execution policies generally don't stop all scripts from running. Their main goal is to give you confidence that the script you're running has been cryptographically signed with a certificate.
What are different PowerShell execution policies?
Windows PowerShell has six execution policies, each described below. You will learn what each policy does and how to set the execution policy in a PowerShell session.
- Restricted
- AllSigned
- RemoteSigned Policy
- Unrestricted
- Bypass
- Undefined
Restricted
Commands run, but configuration files are not loaded and PowerShell scripts cannot run. Restricted is the default execution policy.
AllSigned
Requires that all configuration files and scripts, even those you create locally, are signed by a trusted publisher. With the AllSigned setting you can only execute scripts that have been cryptographically signed by a trusted entity.
RemoteSigned Policy
Requires a trusted publisher's signature on all scripts and configuration files that are obtained from the Internet. With the RemoteSigned setting you can run any script you write yourself, and any script you receive as long as a trusted party has cryptographically signed it.
Unrestricted
Loads all configuration files and runs all scripts. You are prompted for permission before an unsigned script that you downloaded from the internet runs. With the Unrestricted setting you can execute any script.
Bypass
Nothing is banned, and no alerts or prompts are present.
Undefined
Removes the execution policy that is currently assigned to the current scope. This setting will not remove an execution policy that has been set in a Group Policy scope.
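The two signature-based policies above decide on two facts about a script file: whether it is marked as coming from the Internet, and whether its signature is valid. The following check is an added example, not part of the original article; the function name Test-ScriptSignatureRequirement and the sample file are hypothetical, it assumes Windows PowerShell on an NTFS volume, and it does not model the prompt shown for publishers that are not yet trusted.

```powershell
# Added example: report how a script file looks to AllSigned and RemoteSigned.
function Test-ScriptSignatureRequirement {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('AllSigned', 'RemoteSigned')] [string] $Policy
    )

    # Files saved by a browser or mail client carry a Zone.Identifier alternate
    # data stream; ZoneId 3 (Internet) or 4 (Restricted sites) marks them as remote.
    # Simplification: files on UNC paths are not considered here.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match '^ZoneId=[34]\s*$')

    $signature = Get-AuthenticodeSignature -FilePath $Path

    # AllSigned wants a signature on every script, RemoteSigned only on remote ones.
    $needsSignature = ($Policy -eq 'AllSigned') -or $fromInternet

    [pscustomobject]@{
        Policy          = $Policy
        FromInternet    = $fromInternet
        SignatureStatus = $signature.Status   # Valid, NotSigned, HashMismatch, ...
        NeedsSignature  = $needsSignature
        PassesCheck     = (-not $needsSignature) -or ($signature.Status -eq 'Valid')
    }
}

# Constructed sample: an unsigned script, checked first as a local file and
# then again after it has been marked as downloaded from the Internet.
$sample = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "hello"'
$results = @(Test-ScriptSignatureRequirement -Path $sample -Policy RemoteSigned)
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
$results += Test-ScriptSignatureRequirement -Path $sample -Policy RemoteSigned
$results += Test-ScriptSignatureRequirement -Path $sample -Policy AllSigned
$results | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```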
Methods to change or set the PowerShell execution policy
Use the Set-ExecutionPolicy command and pass the desired policy to change the execution policy. Keep in mind that you must run this command as an administrator.
This command only has to be executed once because the registry will remember the setting. The Windows execution policy can also be set simultaneously across a large number of computers in a big Active Directory environment using Group Policy.
1. Using Set-ExecutionPolicy to set an execution policy
- Start with the Set-ExecutionPolicy command, which changes the policy directly. Open PowerShell as administrator to use it.
- Use the ExecutionPolicy parameter of the Set-ExecutionPolicy command to specify the name of the execution policy.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
- PowerShell will then ask whether you want to modify the execution policy. If so, enter Y or A.
- Some PowerShell commands need to run several other tasks in order to work. If you enter Y in the example above, PowerShell may ask you to confirm each step.
2. Unprompted Set-ExecutionPolicy Execution
- By default, Set-ExecutionPolicy will ask you if you wish to modify the execution policy before running. By including the Force parameter in your command, you can avoid this prompt.
- All confirmation requests will be suppressed if the Force option is used.
Set-ExecutionPolicy RemoteSigned -Force
3. Using the Registry to Change PowerShell Execution Policy
Because most execution policies (all except the Process scope) are stored in the registry, you can also change them there directly.
To modify the execution policies through the registry:
- Launch Windows Registry Editor by typing regedit.
- Locate the registry key for the execution policy scope that you want to modify:
  - LocalMachine – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
  - CurrentUser – HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
- Right-click the registry key and add a new string value called ExecutionPolicy.
- Double-click the newly created ExecutionPolicy string value and enter the preferred execution policy name (Restricted, RemoteSigned, AllSigned, Unrestricted, or Undefined).
- Create a Path string value in the same key. The Path string value holds the path to the PowerShell engine.
- Make sure that the Path value points to the Windows PowerShell engine, which should be C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- The execution policy for the current user overrides a LocalMachine policy.
- PowerShell will throw an error if you attempt to change the execution policy using Set-ExecutionPolicy, which by default sets the policy at the LocalMachine scope, while the registry has a CurrentUser policy defined.
4. Setting PowerShell Execution Policy via Group Policy
In an organization with Active Directory, you won't want to walk around to every Windows PC and run the Set-ExecutionPolicy cmdlet. Instead, Group Policy allows you to manage policies in bulk.
- On your domain-connected workstation or a domain controller, launch the Group Policy Management program.
- Expand Domains then go to Group Policy Objects.
- Right-click Group Policy Objects and click New.
- Give a name to your GPO. The GPO is referred to as PowerShell Execution Policy in this lesson.
- Right-click the newly created GPO and select Edit.
- Open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell.
- Open the Turn on Script Execution setting in the right window pane.
- Choose Enabled in the Turn on Script Execution box, then set the Execution Policy to the one you want. You can choose any of the following:
  - Allow only scripts that have been signed by a trusted publisher – This option permits the execution of any script that a trusted publisher has signed.
  - Scripts that are obtained from the internet must be signed by a trusted publisher, while local scripts run without restriction.
  - Allow the execution of every script.
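After changing the policy through the registry or Group Policy, it helps to see which scope actually wins on a given machine. The audit below is an added example, not part of the original article; the function name Get-ExecutionPolicyAudit is hypothetical, and it assumes Windows PowerShell, which stores the CurrentUser and LocalMachine values under the registry keys listed in the registry section.

```powershell
# Added example: list the policy at each scope, mark the one that wins, and
# show the string value stored under the registry keys named in this article.
function Get-ExecutionPolicyAudit {
    # Scopes in precedence order, highest first. MachinePolicy and UserPolicy
    # are the Group Policy scopes; Process lives only in the current session.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $registryKey = @{
        CurrentUser  = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        LocalMachine = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }

    $byScope = @{}
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $byScope["$($entry.Scope)"] = "$($entry.ExecutionPolicy)"
    }

    # The first scope that is not Undefined is the effective one. If every
    # scope is Undefined, no row is marked and PowerShell uses its default.
    $winner = $precedence | Where-Object { $byScope[$_] -ne 'Undefined' } | Select-Object -First 1

    foreach ($scope in $precedence) {
        $stored = $null
        if ($registryKey.ContainsKey($scope)) {
            $stored = (Get-ItemProperty -Path $registryKey[$scope] -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
        }
        [pscustomobject]@{
            Scope         = $scope
            Policy        = $byScope[$scope]
            RegistryValue = $stored
            IsEffective   = ($scope -eq $winner)
            # Unrestricted and Bypass let unsigned scripts run: flag for review.
            NeedsReview   = $byScope[$scope] -in 'Unrestricted', 'Bypass'
        }
    }
}

Get-ExecutionPolicyAudit | Format-Table -AutoSize
```

A row where MachinePolicy or UserPolicy is effective means the value came from Group Policy, so changing the registry keys or running Set-ExecutionPolicy on that machine will not alter the outcome.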