A Guide to Modifying the Execution Policy of PowerShell in Windows 11

|

|

The article discusses the process of setting or changing Windows PowerShell script execution policies in Windows 11. PowerShell’s execution policy is a safety feature that controls how it loads files and runs scripts to avoid the execution of malicious scripts. The text further elaborates on various execution policies and steps to modify them via System…

This article describes setting or changing Windows PowerShell script execution policies in Windows 11.

PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.

On a Windows computer, you can set an execution policy for the local computer, the current user, or a particular session. The execution policies prevent the execution of malicious scripts.

The execution policy isn’t a security system that restricts user actions. For example, users can bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.

Below are steps to set or change the PowerShell execution policies via the System Settings app, Windows PowerShell app, and Windows Registry Editor.

Execution policies:

These are the PowerShell execution policies available on Windows computers by default:

AllSigned

  • Scripts can run.
  • Requires a trusted publisher to sign all scripts and configuration files, including scripts you write on the local computer.
  • Before running scripts from publishers, it prompts you that you haven’t yet classified as trusted or untrusted.
  • Risks are running signed but malicious scripts.

Bypass

  • Nothing is blocked, and there are no warnings or prompts.
  • This execution policy is designed for configurations in which a PowerShell script is built into a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.

Default

  • Nothing is blocked and there are no warnings or prompts.
  • This execution policy is designed for configurations in which a PowerShell script is built into a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.

RemoteSigned

  • The default execution policy for Windows server computers.
  • Scripts can run.
  • Requires a digital signature from a trusted publisher on scripts and configuration files downloaded from the internet, including email and instant messaging programs.
  • Doesn’t require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
  • Runs scripts that are downloaded from the internet and not signed if the scripts are unblocked, such as by using the Unblock-File cmdlet.
  • Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.

Restricted

  • The default execution policy for Windows client computers.
  • Permits individual commands but does not allow scripts.
  • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).

Undefinded

  • The default execution policy for Windows client computers.
  • Permits individual commands but does not allow scripts.
  • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).

Unrestricted

  • The default execution policy for non-Windows computers cannot be changed.
  • Unsigned scripts can run. There is a risk of running malicious scripts.
  • Warns the user before running scripts and configuration files that are not from the local intranet zone.

Policy Scope

You can set an execution policy that is effective only in a particular scope. The valid values for Scope are MachinePolicyUserPolicyProcessCurrentUser, and LocalMachine. LocalMachine is the default when setting an execution policy.

MachinePolicy

  • Set by a Group Policy for all users of the computer. Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > “Turn on Script Execution

UserPolicy

  • Set by a Group Policy for the current user of the computer. User Configuration > Administrative Templates > Windows Components > Windows PowerShell > “Turn on Script Execution

Process

  • The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.

CurrentUser

  • The execution policy affects only the current user. It’s stored in the HKEY_CURRENT_USER registry subkey.

LocalMachine

  • The execution policy affects all users on the current computer. It’s stored in the HKEY_LOCAL_MACHINE registry subkey.

Before setting or changing your PowerShell execution policies, you might want to know the current policies.

You can find out by running the commands below into PowerShell as administrator.

Get-ExecutionPolicy -List​

The commands above will list your device’s current PowerShell execution policies.

               Scope ExecutionPolicy
               ----- ---------------
           MachinePolicy       Undefined
           UserPolicy          Undefined
           Process             Undefined
           CurrentUser         Undefined
           LocalMachine        Undefined

Set PowerShell execution policies to “RemoteSigned” or “Restricted” for Current User in Windows Settings app

The Windows Settings app lets you set PowerShell execution policies to “RemoteSigned” or “Restricted.”

Here’s how to turn it on or off.

First, open the Windows Settings app.

You can do that by clicking on the Start menu and selecting Settings. Or press the keyboard shortcut (Windows key + I) to launch the Settings app.

When the Settings app opens, click the Privacy & Security button on the left menu panel.

On the right, select the For developers tile to expand it.

On the Privacy & security -> For developers settings pane, click on the PowerShell tile to expand it.

On the expanded PowerShell tile, toggle the button switch to the On position to enable the “RemoteSigned” and “Restricted” policies for the current user.

To disable it, toggle the button back to the Off position.

Exit the Settings app.

Set PowerShell Execution Policies for Current User and Local Machine in PowerShell

You can set individual PowerShell execution policies directly from PowerShell as administrator. To do that, first, open the Windows PowerShell app as administrator.

Then run the commands below to turn on each execution policy.

AllSigned

Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force
Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force

Bypass

Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
Set-ExecutionPolicy Bypass -Scope LocalMachine -Force

Default

Set-ExecutionPolicy Default -Scope CurrentUser -Force
Set-ExecutionPolicy Default -Scope LocalMachine -Force

RemoteSigned

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

Restricted

Set-ExecutionPolicy Restricted -Scope CurrentUser -Force
Set-ExecutionPolicy Restricted -Scope LocalMachine -Force

Undefined

Set-ExecutionPolicy Undefined -Scope CurrentUser -Force
Set-ExecutionPolicy Undefined -Scope LocalMachine -Force

Unrestricted

Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force

Set PowerShell scripts execution policies via Windows Registry Editor

Yet another way to set or change PowerShell script execution policies in Windows is to use the Windows Registry Editor.

First, open the Windows Registry, and navigate to the folder key path below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

Suppose you don’t see Microsoft.PowerShell folder key, right-click on the ShellIds key, then create the subkey (Microsoft.PowerShell) folders.

Right-click the Microsoft.PowerShell folder key’s right pane and select New -> String Value. Next, type a new key named ExecutionPolicy.

Double-click the new key item name (ExecutionPolicy) and then enter the Value data for each policy you want to enable:

  • Restricted
  • AllSigned
  • RemoteSigned
  • Unrestricted
  • Bypass

Save your changes and restart your computer.

That should do it!

Reference:

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.3

Conclusion:

This post showed you how to change PowerShell execution policies in Windows 11. If you find any errors above or have something to add, please use the comment form below.

Like this:



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.