How to Change PowerShell Execution Policies in Windows 11

Why does 🪟 Windows 11 block PowerShell scripts by default?

Windows 11 blocks scripts to prevent malicious code from running automatically. This PowerShell security model acts as a barrier, ensuring only trusted or verified scripts execute. By default, the system prevents unauthorized script execution. This protects your computer from potential threats and accidental damage.

What happens when you change the execution policy?

When you modify the execution policy, you change the rules for which scripts can run on your system. Altering these settings can either strengthen security or expose your computer to risks. Always make sure you understand the implications before lowering your security posture.

Understanding PowerShell Execution Policies

Execution policies are not a firewall, but they are a crucial part of the PowerShell security model. They determine if you can load configuration files or run scripts. Let’s look at the common modes you’ll encounter:

• Restricted: Default setting. No scripts allowed.
• RemoteSigned: Scripts created locally run; downloaded scripts must be signed by a trusted publisher.
• AllSigned: Every script must be signed by a trusted publisher.
• Bypass: Nothing is blocked. Use only for specific, trusted automation tasks.
• Unrestricted: All scripts run. This is a major security risk.

How to Check and Change Policies

To see your current settings, open PowerShell and run: Get-ExecutionPolicy -List. This command displays the policy for each ExecutionPolicyScope.

Note: Changing system-wide policies requires Administrator privileges.

To set a policy for the current user, use: Set-ExecutionPolicy RemoteSigned -Scope CurrentUser. To change it for the entire machine, you must run PowerShell as an administrator and use: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine.

Safer Alternatives: Unblock-File

Instead of changing your global policy, you can unblock a specific script. This is a best practice for security. Use this command:

Unblock-File -Path "C:\Scripts\MyScript.ps1"

Troubleshooting and Group Policy

If you encounter a PowerShell script error stating that execution is disabled, check if a Group Policy Object (GPO) is enforcing a stricter policy. Group Policy Objects (GPOs) override your local changes. You can view GPO-applied policies by checking the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell.

Registry Editor Method

Requires Administrator privileges.

1. Open the Windows Registry Editor.
2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
3. Create a new String Value named ExecutionPolicy.
4. Set the value to RemoteSigned.

Summary

Managing your PowerShell execution policy is essential for Windows 11 security. In this guide, you learned how to check your policies with Get-ExecutionPolicy, use Unblock-File for safer script execution, and handle Group Policy Object (GPO) overrides. Always choose the policy that best balances security and your need for automation. For advanced parameters, refer to the official Microsoft documentation.