PowerShell: Execution Policy

The Restricted execution policy is the default setting for all computers with PowerShell installed. It isn’t intended to be something that PowerShell users live with forever. It’s a safe default that protects non-PowerShell users from being impacted by PowerShell-based malware. For example, many home users had never used VBScript, but still got bitten by the flurry of WSH-based viruses that were mailed to them. PowerShell’s Restricted execution policy solves this. To an attacker, a computer that has never used PowerShell is the same as a computer that doesn’t have PowerShell installed at all.

Whenever you work with scripts, you need to keep in mind the current execution policy and whether signed scripts are required. The current execution policy for Windows PowerShell controls whether and how you can run configuration files and scripts. Execution policy is a built-in security feature of Windows PowerShell that is set on a per-user basis in the Windows registry. Although the default configuration depends on which operating system and edition is installed, you can determine the execution policy by entering Get-ExecutionPolicy at the PowerShell prompt.

The available execution policies are:

  • Restricted: Does not load configuration files or run scripts, whether they are signed or unsigned. Because a profile is a type of script, profiles are not loaded either.
  • AllSigned: Requires all configuration files and scripts from all sources – whether local or remote – to be signed by a trusted publisher. Because of this requirement, configuration files and scripts on the local computer must be signed, as must configuration files and scripts from remote computers. PowerShell prompts you before running scripts from trusted publishers.
  • RemoteSigned: Requires all configuration files and scripts from remote sources to be signed by a trusted publisher. Configuration files and scripts on the local computer do not need to be signed. PowerShell does not prompt you before running scripts from trusted publishers.
  • Unrestricted: Allows all configuration files and scripts to run, whether they are from local or remote sources and regardless of whether they are signed or unsigned. However, if you run a configuration file or script from a remote source, you are shown a warning that the file comes from a remote source before the configuration file is loaded or the script runs.

Execution policy determines whether you can load configuration files and run scripts as well as whether scripts must be digitally signed before they will run. When an execution policy prevents loading a file or running a script, a warning is displayed explaining applicable restrictions.

You can use Set-ExecutionPolicy to change the preference for the execution policy. Changes to the policy are written to the registry. However, if the Turn On Script Execution setting in Group Policy is enabled for the computer or user, the user preference is written to the registry, but it is not effective, and Windows PowerShell displays a message explaining the conflict. You cannot use Set-ExecutionPolicy to override a group policy, even if the user preference is more restrictive than the policy setting.

To set the execution policy so that scripts downloaded from the Web execute only if they are signed by a trusted source, enter:

set-executionpolicy remotesigned

The change occurs immediately and is applied to the local console or application session. Because the change is written to the registry, the new execution policy will be used whenever you work with PowerShell. As only administrators are allowed to change the execution policy on Windows Vista or later, you must run Windows PowerShell with the Run As Administrator option.
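The scope precedence described above (Group Policy first, then the per-process variable, then the per-user and per-machine registry preferences) can be checked on any workstation with the following added example. It is not code from the original post; the function name is my own, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: report the execution policy in every scope and explain
# which one is actually in effect and why. Function name is hypothetical.
function Get-ExecutionPolicyReport {
    [CmdletBinding()]
    param()

    # Scopes in precedence order: Group Policy scopes win over the
    # per-process variable, which wins over the per-user and per-machine
    # registry preferences. The first scope that is not Undefined decides.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    # Get-ExecutionPolicy -List returns one object per scope.
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }

    $winner = $precedence | Where-Object { $byScope[$_] -ne 'Undefined' } | Select-Object -First 1

    # All scopes Undefined and no Group Policy: the built-in default applies.
    # That is Restricted on client Windows (Windows Server 2012 R2 and later
    # default to RemoteSigned instead).
    $effective = if ($winner) { $byScope[$winner] } else { 'Restricted' }

    # Set-ExecutionPolicy cannot override MachinePolicy/UserPolicy, even with
    # a more restrictive preference; flag that case so admins know to look at GPO.
    $pinnedByGpo = $winner -in 'MachinePolicy', 'UserPolicy'

    [pscustomobject]@{
        Policies            = $byScope
        EffectivePolicy     = $effective
        DecidingScope       = $(if ($winner) { $winner } else { 'Default' })
        PinnedByGroupPolicy = $pinnedByGpo
        # The Process-scope preference lives in this variable, not the registry.
        ProcessVariable     = $env:PSExecutionPolicyPreference
        # Cross-check our precedence logic against what the shell itself reports.
        MatchesCmdlet       = ($effective -eq [string](Get-ExecutionPolicy))
    }
}

Get-ExecutionPolicyReport | Format-List
```

If MatchesCmdlet is ever $false, the host is running a PowerShell version or edition whose defaults differ from the ones assumed here, and the cmdlet's answer is the authoritative one.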

Set-ExecutionPolicy

Syntax

Set-ExecutionPolicy [-ExecutionPolicy] {<Unrestricted> | <RemoteSigned>
| <AllSigned> | <Restricted> | <Default> | <Bypass> | <Undefined>}
[[-Scope] {<Process> | <CurrentUser> | <LocalMachine> | <UserPolicy>
| <MachinePolicy>}] [-Force] [-Confirm] [-WhatIf] [<CommonParameters>]

Parameters

ExecutionPolicy <ExecutionPolicy>

Specifies the new execution policy. Valid values are:

  • Restricted: Does not load configuration files or run scripts. Restricted is the default execution policy.
  • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
  • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
  • Bypass: Nothing is blocked and there are no warnings or prompts.
  • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
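To see which scripts in a folder the AllSigned and RemoteSigned values above would actually block, the following added example (not from the original post; function and parameter names are my own, and C:\Scripts is a placeholder path) checks each .ps1 file's Authenticode status and whether Windows has marked it as downloaded from the Internet.

```powershell
# Added example: audit .ps1 files against the AllSigned / RemoteSigned rules.
# Assumes Windows PowerShell 3.0+ on NTFS (needed for the Zone.Identifier stream).
function Test-ScriptAgainstPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('AllSigned', 'RemoteSigned')] [string] $Policy = 'RemoteSigned'
    )

    Get-ChildItem -Path $Path -Filter *.ps1 -File | ForEach-Object {
        # Status is Valid only when the signature verifies and chains to a
        # trusted root; NotSigned, HashMismatch, NotTrusted etc. all fail.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signedOk = $sig.Status -eq 'Valid'

        # Files saved by browsers and mail clients carry a Zone.Identifier
        # alternate data stream; ZoneId 3 (Internet) or 4 (Restricted) is what
        # makes a script "remote" for RemoteSigned purposes.
        $zoneText = Get-Content -Path $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
        $isRemote = [bool]($zoneText -match '(?m)^ZoneId=[34]\s*$')

        $wouldRun = switch ($Policy) {
            'AllSigned'    { $signedOk }                    # every script must be signed
            'RemoteSigned' { $signedOk -or -not $isRemote } # local scripts are exempt
        }

        [pscustomobject]@{
            Script     = $_.Name
            Signature  = [string]$sig.Status
            Signer     = $sig.SignerCertificate.Subject   # $null when unsigned
            IsRemote   = $isRemote
            Policy     = $Policy
            WouldRun   = $wouldRun
        }
    }
}

# Placeholder folder; point it at the directory you want to audit.
Test-ScriptAgainstPolicy -Path 'C:\Scripts' -Policy AllSigned | Format-Table -AutoSize
```

Scripts that report IsRemote but WouldRun under RemoteSigned are the ones a user has already unblocked (Unblock-File removes the stream), which is worth knowing when tracing how a downloaded script came to execute.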

Force

Suppresses all prompts. By default, Set-ExecutionPolicy displays a warning whenever you change the execution policy.

Scope <ExecutionPolicyScope>

Specifies the scope of the execution policy. The default is LocalMachine. Valid values are:

  • Process: The execution policy affects only the current Windows PowerShell process.
  • CurrentUser: The execution policy affects only the current user.
  • LocalMachine: The execution policy affects all users of the computer.

To remove an execution policy from a particular scope, set the execution policy for that scope to Undefined.

Confirm

Prompts you for confirmation before executing the command.

WhatIf

Describes what would happen if you executed the command without actually executing the command.

<CommonParameters>

This command supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable.

Notes

When you use Set-ExecutionPolicy in any scope other than Process, the new user preference is saved in the registry and remains unchanged until you change it. When the value of the Scope parameter is Process, the user preference is stored in the environment variable PSExecutionPolicyPreference ($env:PSExecutionPolicyPreference), instead of the registry, and it is deleted when the session in which it is effective is closed. You cannot change the execution policy of the process by editing the variable.

If the Turn on Script Execution Group Policy is enabled for the computer or user, the user preference is saved, but it is not effective, and Windows PowerShell displays a message explaining the conflict. You cannot use Set-ExecutionPolicy to override a Group Policy, even if the user preference is more restrictive than the policy.

Example 1

C:\PS>set-executionpolicy remotesigned

Description
-----------
This command sets the user preference for the shell execution policy to
RemoteSigned.

Example 2

C:\PS>Set-ExecutionPolicy Restricted

Set-ExecutionPolicy : Windows PowerShell updated your local preference
successfully, but the setting is overridden by the group policy applied
to your system. Due to the override, your shell will retain its current
effective execution policy of "AllSigned". Contact your group policy
administrator for more information.
At line:1 char:20
+ set-executionpolicy  <<<< restricted

Description
-----------
This command attempts to set the execution policy for the shell to
"Restricted." The "Restricted" setting is written to the registry, but
because it conflicts with a Group Policy, it is not effective, even
though it is more restrictive than the policy.

Example 3

C:\PS>invoke-command -computername Server01 -scriptblock
{get-executionpolicy} | set-executionpolicy -force

Description
-----------
This command gets the execution policy from a remote computer and
applies that execution policy to the local computer.

The command uses the Invoke-Command cmdlet to send the command to the
remote computer. Because you can pipe an ExecutionPolicy
(Microsoft.PowerShell.ExecutionPolicy) object to Set-ExecutionPolicy,
the Set-ExecutionPolicy command does not need an ExecutionPolicy
parameter.

The command does have a Force parameter, which suppresses the user
prompt.

Example 4

C:\PS>set-executionpolicy -scope CurrentUser -executionPolicy AllSigned
-force

C:\PS> get-executionpolicy -list

        Scope   ExecutionPolicy
        -----   ---------------
MachinePolicy         Undefined
   UserPolicy         Undefined
      Process         Undefined
  CurrentUser         AllSigned
 LocalMachine      RemoteSigned

C:\PS> get-executionpolicy
AllSigned

Description
-----------
This example shows how to set an execution policy for a particular scope.

The first command uses the Set-ExecutionPolicy cmdlet to set an
execution policy of AllSigned for the current user. It uses the Force
parameter to suppress the user prompts.

The second command uses the List parameter of Get-ExecutionPolicy to get
the execution policies set in each scope. The results show that the
execution policy that is set for the current user differs from the
execution policy set for all users of the computer.

The third command uses the Get-ExecutionPolicy cmdlet without parameters
to get the effective execution policy for the current user on the local
computer. The result confirms that the execution policy that is set for
the current user takes precedence over the one set for all users.

Example 5

C:\PS>set-executionpolicy -scope CurrentUser -executionPolicy Undefined

Description
-----------
This command uses an execution policy value of Undefined to effectively
remove the execution policy that is set for the current user scope. As
a result, the execution policy that is set in Group Policy or in the
LocalMachine (all users) scope is effective.

If you set the execution policy in all scopes to Undefined and the Group
Policy is not set, the default execution policy, Restricted, is effective
for all users of the computer.

Example 6

C:\PS>set-executionpolicy -scope Process -executionpolicy AllSigned

Description
-----------
This command sets an execution policy of AllSigned for only the current
Windows PowerShell session.

This execution policy is saved in the PSExecutionPolicyPreference
environment variable ($env:PSExecutionPolicyPreference), so it does not
affect the value in the registry. The variable and its value are deleted
when the current session is closed.

Remotely Tweak PowerShell Execution Policy

When you set an execution policy in PowerShell, it actually modifies the ExecutionPolicy registry value at the following location:

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
   Path    REG_SZ    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   ExecutionPolicy    REG_SZ    Unrestricted

To set it up on a local machine run:

reg add "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" `
/v ExecutionPolicy /t REG_SZ /d RemoteSigned /f

To set it up on a remote machine:

reg add "\\<machine_name>\HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v ExecutionPolicy /t REG_SZ /d RemoteSigned /f

If you have a list of remote computers in a file comp.txt, you can run the following command at a cmd prompt (in a .bat file, write %%i instead of %i):

for /f %i in (comp.txt) do reg add \\%i\HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /t REG_SZ /d Unrestricted /f
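After pushing the registry value to a list of machines, it is worth confirming what each host actually enforces, since a Group Policy setting silently overrides the registry preference. The following added example (not from the original post; the function name is my own) reads the same registry key through PowerShell remoting and flags any host whose registry value or effective policy differs from the expected one. It assumes WinRM is enabled on the targets and PowerShell 3.0 or later on both ends.

```powershell
# Added example: audit the ExecutionPolicy registry value and the effective
# policy on every computer listed in comp.txt. Function name is hypothetical.
function Get-RemoteExecutionPolicyDrift {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $Expected = 'RemoteSigned'
    )

    # Same key the reg add commands above write, seen through the HKLM: drive.
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

    $results = Invoke-Command -ComputerName $ComputerName `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        $reg = Get-ItemProperty -Path $using:keyPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            # Value written by reg add / Set-ExecutionPolicy (LocalMachine scope).
            RegistryValue   = if ($reg -and $reg.ExecutionPolicy) { $reg.ExecutionPolicy } else { 'Undefined' }
            # What the shell on that host really enforces; Group Policy or a
            # CurrentUser preference may make this differ from the registry value.
            EffectivePolicy = [string](Get-ExecutionPolicy)
        }
    }

    foreach ($r in $results) {
        [pscustomobject]@{
            ComputerName    = $r.PSComputerName
            RegistryValue   = $r.RegistryValue
            EffectivePolicy = $r.EffectivePolicy
            Drift           = ($r.RegistryValue -ne $Expected) -or ($r.EffectivePolicy -ne $Expected)
        }
    }

    # Hosts that could not be reached are reported rather than silently skipped.
    foreach ($e in $remoteErrors) {
        [pscustomobject]@{
            ComputerName = $e.TargetObject; RegistryValue = 'UNREACHABLE'
            EffectivePolicy = 'UNREACHABLE'; Drift = $true
        }
    }
}

Get-RemoteExecutionPolicyDrift -ComputerName (Get-Content .\comp.txt) | Format-Table -AutoSize
```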
