About PowerShell Execution Policy
The PowerShell Execution Policy is a security mechanism implemented in the PowerShell engine that gives administrators tighter control over how scripts are run in the infrastructure, or whether they can be run at all.
Controlling this setting means that the administrator gets to choose whether a script has to be digitally signed with a certificate in order to be executed. There are 4 settings that you can choose for the execution policy:
- Restricted – If this setting is active then no script can be run, not even if it’s signed.
- AllSigned – All scripts that are executed on a host have to be signed.
- RemoteSigned – Scripts run from a network path (that are not local to the server’s storage or the path is not in the form <Partition letter>:) have to be signed, while the ones that reside on the server’s local storage can be executed regardless of their state. Files can also have an alternate data stream that stores information about where the script came from; if the source is the “internet”, the script will not be executed.
- Unrestricted – Unsigned scripts can be run from any path. This setting should be avoided as it is a security risk to permit unsigned scripts to be executed from anywhere.
Configure the PowerShell Execution Policy
The execution policy is configured differently by default for some Windows versions than for others. For Windows Server 2008 R2 and Windows 7 it is set to Restricted. For operating systems newer than these two the default value is RemoteSigned.
To see which setting you have configured, run the following PowerShell command:
The result is the execution policy currently in use:
You are most likely reading this post because you wanted to run a script but got the following error message: “File <your script> cannot be loaded because the execution of scripts is disabled on this system”. If so, I am happy to tell you the solution is simple: the Set-ExecutionPolicy command lets you set another value for the PowerShell Execution Policy. For example, to set it to RemoteSigned I would run:
Accept the changes and you are ready to run scripts.
In my opinion, RemoteSigned is the best balance you can choose between security and “liberty”. Now running a script that is unsigned and located on the local host will not generate any execution policy error.
Running the same file from the same computer but using a UNC path should not work, as can be seen in the image below.
The PowerShell Execution Policy can be changed at any time using the Set-ExecutionPolicy command. The only requirement is to run PowerShell in an elevated permissions mode.
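As an added example (not part of the original post), the function below reports how RemoteSigned, as described above, would treat one script file by checking the path form, the Zone.Identifier alternate data stream and the Authenticode signature. `Test-RemoteSignedOutcome` and the sample file name are hypothetical, and the code assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example. Test-RemoteSignedOutcome is a hypothetical helper, not a built-in cmdlet.
function Test-RemoteSignedOutcome {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Assumption taken from the text above: any UNC path counts as remote.
    # Windows zone mapping on a given host can classify some shares differently.
    $isUnc = ([System.Uri]$item.FullName).IsUnc

    # Downloaded files carry a Zone.Identifier alternate data stream.
    # ZoneId 3 is the Internet zone, ZoneId 4 is Restricted Sites.
    $zoneId = $null
    $stream = Get-Content -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $match = $stream | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
    }

    # Authenticode status, for example Valid, NotSigned or HashMismatch.
    $signature = Get-AuthenticodeSignature -LiteralPath $item.FullName

    $remote = $isUnc -or ($null -ne $zoneId -and $zoneId -ge 3)
    [pscustomobject]@{
        Path                  = $item.FullName
        IsUncPath             = $isUnc
        ZoneId                = $zoneId
        SignatureStatus       = $signature.Status
        TreatedAsRemote       = $remote
        RunsUnderRemoteSigned = (-not $remote) -or ($signature.Status -eq 'Valid')
    }
}

# Policy configured at each scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
Get-ExecutionPolicy -List

# Constructed sample: an unsigned script marked as coming from the Internet zone.
$sample = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "hello"'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-RemoteSignedOutcome -Path $sample
```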