Powershell: Execution policy shortly explained

Hi,

here is a short explanation of the PowerShell execution policies.

The execution policy has 5 scopes, each of which can affect whether scripts are allowed to run.

PS D:\> get-executionpolicy -list
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       AllSigned

Two are user based (UserPolicy, CurrentUser), two are computer/system wide (MachinePolicy, LocalMachine) and one is process based (Process).

The effective policy is the first entry in the list whose state is not Undefined; here that is the MachinePolicy. All other scopes are ignored. The cmdlet Get-ExecutionPolicy (without -List) shows the effective policy that is in place.

The MachinePolicy and UserPolicy scopes can be set either by a local or by a domain Group Policy, and they have a higher priority than the others.

If no Group Policy is set, the Process scope is evaluated next.

The policy of the Process scope can be set by a command line parameter when starting powershell.exe. Example:

D:\> powershell.exe -ExecutionPolicy Allsigned -command "& {get-executionpolicy -list}"

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       AllSigned
  CurrentUser       Undefined
 LocalMachine       AllSigned

Or in a PowerShell window:

PS D:\> Set-ExecutionPolicy -Scope Process remotesigned
PS D:\> Get-ExecutionPolicy -l

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process    RemoteSigned
  CurrentUser       Undefined
 LocalMachine       AllSigned

The Process scope policy is not persisted anywhere: it is only valid for this PowerShell window/process and is lost when the window is closed.

If neither a Group Policy nor a Process execution policy is set, the user or machine setting becomes active. These policies are set in the same straightforward way and are saved to the registry. For the LocalMachine scope, administrator permissions are required.

PS D:\> Set-ExecutionPolicy -Scope CurrentUser remotesigned
PS D:\> Set-ExecutionPolicy -Scope LocalMachine remotesigned

And here is the list of possible policies:

  • AllSigned – All scripts must be signed and the certificate chain must be valid.
  • Bypass – All scripts are allowed.
  • Default – On Windows 10 it is Restricted, on Windows Server it is RemoteSigned.
  • Restricted – Only the command line is allowed; no scripts.
  • Undefined – Not set.
  • Unrestricted – All scripts are allowed, except that for scripts from the internet a prompt is shown before execution. See Zone.Identifier below.
  • RemoteSigned – This one is a little bit special and needs a detailed description.

Under RemoteSigned, the following scripts count as local (no signature required):

  • Scripts stored locally on the computer with no Zone.Identifier
  • Scripts on a network share whose domain or hostname is part of the Internet Explorer “Local intranet” zone, when the script is started via its UNC path, e.g. \\myNetworkDrive\…..

Under RemoteSigned, the following scripts do not count as local (a signature is required):

  • Scripts on a network share whose domain and hostname are in the Internet Explorer “Local intranet” zone, but which is mapped to a network drive letter
  • Scripts downloaded from the internet (Internet Explorer, Edge) that carry an alternate data stream “Zone.Identifier” with ZoneId 3:
    PS D:\> Get-Item .\MyDownloadedScript.ps1 -Stream Zone.Identifier
    ...
    Stream        : Zone.Identifier
    Length        : 204
    PS D:\> Get-Content .\MyDownloadedScript.ps1 -Stream Zone.Identifier
    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://michlstechblog.info/blog/myPost/MyDownloadedScript.ps1
    HostUrl=https://michlstechblog.info/blog/download/powershell/MyDownloadedScript.ps1
    

    To remove the Zone.Identifier stream, use Unblock-File:

    PS D:\> unblock-file .\MyDownloadedScript.ps1
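    As an added example (not code from the original post), the following script reproduces the scope precedence described above and, for a given .ps1 file, reports the Zone.Identifier mark and Authenticode status to show whether RemoteSigned would run it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the script path at the bottom is a placeholder.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 / PowerShell 7
# on Windows; the script path at the bottom is a placeholder.

function Get-EffectivePolicyFromScopes {
    # Precedence is the list order: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    # The first scope that is not Undefined wins; everything below it is ignored.
    $first = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    if ($null -eq $first) {
        # Every scope is Undefined: the platform default applies (Restricted on client, RemoteSigned on server)
        return [pscustomobject]@{ Scope = 'Default'; ExecutionPolicy = (Get-ExecutionPolicy) }
    }
    # Cross-check our own evaluation against the cmdlet's answer
    if ($first.ExecutionPolicy -ne (Get-ExecutionPolicy)) {
        Write-Warning "Scope list says $($first.ExecutionPolicy) but Get-ExecutionPolicy says $(Get-ExecutionPolicy)"
    }
    return $first
}

function Test-ScriptUnderRemoteSigned {
    param([Parameter(Mandatory)][string]$Path)

    # Read the Zone.Identifier alternate data stream, if present (browsers write ZoneId=3 for Internet)
    $zoneId = $null
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($zone)) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }
    # A mark of 3 (Internet) or 4 (Restricted sites) makes RemoteSigned treat the file as remote
    $treatedRemote = ($null -ne $zoneId -and $zoneId -ge 3)

    # Remote scripts need a valid Authenticode signature under RemoteSigned; local ones do not
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path                  = (Get-Item -LiteralPath $Path).FullName
        ZoneId                = $zoneId
        TreatedAsRemote       = $treatedRemote
        SignatureStatus       = $sig.Status
        RunsUnderRemoteSigned = (-not $treatedRemote) -or ($sig.Status -eq 'Valid')
    }
}

Get-EffectivePolicyFromScopes
$scriptToCheck = 'D:\MyDownloadedScript.ps1'   # placeholder; point this at a real .ps1 file
if (Test-Path -LiteralPath $scriptToCheck) { Test-ScriptUnderRemoteSigned -Path $scriptToCheck }
```

    The mapped-drive-letter case listed above is not modelled here; the check only covers the Zone.Identifier mark the post shows.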
    

Michael
