{"id":8461,"date":"2022-02-03T23:26:48","date_gmt":"2022-02-03T22:26:48","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=8461"},"modified":"2022-02-08T09:19:43","modified_gmt":"2022-02-08T08:19:43","slug":"powershell-execution-policy-shortly-explained","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/powershell-execution-policy-shortly-explained\/","title":{"rendered":"Powershell: Execution policy shortly explained"},"content":{"rendered":"<p>Hi, <\/p>\n<p>here is a short explanation of the PowerShell execution policies.<br \/>\nThe execution policy has 5 scopes which can affect the execution of scripts. <\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; get-executionpolicy -list\r\n        Scope ExecutionPolicy\r\n        ----- ---------------\r\nMachinePolicy    RemoteSigned\r\n   UserPolicy       Undefined\r\n      Process       Undefined\r\n  CurrentUser       Undefined\r\n LocalMachine       AllSigned\r\n<\/pre>\n<p>Two are user based (UserPolicy, CurrentUser), two are computer\/system wide (MachinePolicy, LocalMachine) and one is process based. <\/p>\n<p>The effective policy is the first one in the list whose state is not Undefined, here the MachinePolicy. All other policies are ignored. The cmdlet <strong>Get-ExecutionPolicy<\/strong> shows the effective policy which is in place.<\/p>\n<p>The MachinePolicy and UserPolicy can be set by either a local or a domain policy and have a higher priority than the others.<\/p>\n<p>If no policy is set, then the &#8220;Process&#8221; scope is evaluated.<\/p>\n<p>The policy of the Process scope can be set by a command line parameter when starting powershell.exe. 
Example:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; powershell.exe -ExecutionPolicy Allsigned -command &quot;&amp; {get-executionpolicy -list}&quot;\r\n\r\n        Scope ExecutionPolicy\r\n        ----- ---------------\r\nMachinePolicy    RemoteSigned\r\n   UserPolicy       Undefined\r\n      Process       AllSigned\r\n  CurrentUser       Undefined\r\n LocalMachine       AllSigned\r\n<\/pre>\n<p>Or in a PowerShell window:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Set-ExecutionPolicy -Scope Process remotesigned\r\nPS D:\\&gt; Get-ExecutionPolicy -l\r\n\r\n        Scope ExecutionPolicy\r\n        ----- ---------------\r\nMachinePolicy       Undefined\r\n   UserPolicy       Undefined\r\n      Process    RemoteSigned\r\n  CurrentUser       Undefined\r\n LocalMachine       AllSigned\r\n<\/pre>\n<p>The Process scope policy is not stored anywhere. This means it is only valid for this PowerShell window\/process and is lost when the window is closed.<br \/>\nIf no group policy or process execution policy is set, then the user or machine settings become active. These policies can be set directly and are saved to the registry. For the LocalMachine scope administrator permissions are required.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Set-ExecutionPolicy -Scope CurrentUser remotesigned\r\nPS D:\\&gt; Set-ExecutionPolicy -Scope LocalMachine remotesigned\r\n<\/pre>\n<p>And here is the list of possible policies: <\/p>\n<ul>\n<li>AllSigned &#8211; All scripts must be signed and the certificate chain must be valid.<\/li>\n<li>Bypass &#8211; All scripts are allowed<\/li>\n<li>Default &#8211; For Windows 10 it is Restricted and for Windows Server RemoteSigned<\/li>\n<li>Restricted &#8211; Only the command line is allowed. No scripts<\/li>\n<li>Undefined &#8211; Not set<\/li>\n<li>Unrestricted &#8211; All scripts are allowed, except that for scripts from the internet a prompt is shown before execution. 
See Zone.Identifier below.<\/li>\n<li>RemoteSigned &#8211; This one is a little bit special and needs a detailed description<\/li>\n<\/ul>\n<p>Under RemoteSigned these scripts run without a signature:<\/p>\n<ul>\n<li>Scripts stored locally on a computer with no Zone identifier<\/li>\n<li>Scripts on a network drive where the domain or hostname is part of the Internet Explorer &#8220;local intranet&#8221; zone and the script is started by the UNC path, e.g. \\\\myNetworkDrive\\&#8230;.. <\/li>\n<\/ul>\n<p>Under RemoteSigned these scripts do not run without a signature:<\/p>\n<ul>\n<li>Scripts on a network drive where the domain and hostname are part of the Internet Explorer &#8220;local intranet&#8221; zone and which is mapped to a network drive letter<\/li>\n<li>Scripts downloaded from the internet (Internet Explorer, Edge) with an alternate data stream &#8220;Zone.Identifier&#8221; with ZoneId 3\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Get-Item .\\MyDownloadedScript.ps1 -Stream Zone.Identifier\r\n...\r\nStream        : Zone.Identifier\r\nLength        : 204\r\nPS D:\\&gt; Get-Content .\\MyDownloadedScript.ps1 -Stream Zone.Identifier\r\n&#x5B;ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https:\/\/michlstechblog.info\/blog\/myPost\/MyDownloadedScript.ps1\r\nHostUrl=https:\/\/michlstechblog.info\/blog\/download\/powershell\/MyDownloadedScript.ps1\r\n<\/pre>\n<p>To reset the Zone.Identifier use Unblock-File:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; unblock-file .\\MyDownloadedScript.ps1\r\n<\/pre>\n<\/li>\n<\/ul>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, here is a short explanation of the PowerShell execution 
policies.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[344,5],"tags":[1800,1802,1803,733,1801,133,1570,1301,1804,1299],"class_list":["post-8461","post","type-post","status-publish","format-standard","hentry","category-powershell-scripting","category-windowsknowhow","tag-execution","tag-explained","tag-ie","tag-internet-explorer","tag-policy","tag-powershell","tag-tutorial","tag-unblock-file","tag-zone","tag-zone-identifier"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=8461"}],"version-history":[{"count":25,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8461\/revisions"}],"predecessor-version":[{"id":8475,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8461\/revisions\/8475"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=8461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=8461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=8461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}