PowerShell execution policy is often misunderstood and treated as a security feature that stops you from running your scripts. But it’s not intended as a security feature, and it was not designed to make your life hard. In this post I will explain what PowerShell execution policy is, how to set it, and finally how to bypass it.
PowerShell Execution Policies
- AllSigned: Requires every script and configuration file, downloaded or locally created, to be signed by a trusted publisher.
- Bypass: Everything can run and there are no warnings or pop-ups.
- RemoteSigned: This setting requires all scripts and configurations that are downloaded from the Internet to be signed by a trusted publisher.
- Undefined: Removes any execution policy set on the current scope. Execution policy set by Group Policy is still active.
- Unrestricted: Runs all scripts and configuration files. Unsigned scripts downloaded from the Internet ask for permission before they are allowed to run.
Setting PowerShell Execution Policy
Call Set-ExecutionPolicy followed by the specific policy you want to set. This example sets the execution policy to RemoteSigned.
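The setting step described above, as an added example (not code from the original post): it sets RemoteSigned for the CurrentUser scope, an assumption chosen so that no elevation is needed, then lists every scope to show which one decides the effective policy. Get-ExecutionPolicyAudit is a hypothetical helper name.

```powershell
# Added example; Get-ExecutionPolicyAudit is a hypothetical helper name.
function Get-ExecutionPolicyAudit {
    # -List returns every scope in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = @(Get-ExecutionPolicy -List)

    # The first scope that is not Undefined decides the effective policy.
    $deciding = $scopes |
        Where-Object { $_.ExecutionPolicy.ToString() -ne 'Undefined' } |
        Select-Object -First 1

    foreach ($s in $scopes) {
        $policy = $s.ExecutionPolicy.ToString()
        $scope  = $s.Scope.ToString()
        [pscustomobject]@{
            Scope           = $scope
            Policy          = $policy
            # True for the one scope whose value is actually in effect.
            Decides         = ($null -ne $deciding) -and
                              ($scope -eq $deciding.Scope.ToString())
            # MachinePolicy and UserPolicy are the Group Policy scopes.
            FromGroupPolicy = $scope -in 'MachinePolicy', 'UserPolicy'
            # Policies from the list above that let every script run.
            RunsEverything  = $policy -in 'Bypass', 'Unrestricted'
        }
    }
}

# Set RemoteSigned for the current user only (assumption: CurrentUser scope).
# -ErrorAction Stop turns any error, including the "overridden by a policy
# defined at a more specific scope" message, into something catch can handle.
try {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser `
        -Force -ErrorAction Stop
} catch {
    Write-Warning "Set-ExecutionPolicy reported: $($_.Exception.Message)"
}

Get-ExecutionPolicyAudit | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"
```

If the row marked Decides is not CurrentUser, the value you just set is stored but a higher-precedence scope is the one in effect.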
Not a security feature
The AllSigned policy was not designed as a security system to prevent malicious scripts from running. It was intended as verification that you only run scripts you have signed and approved. As a security feature, the AllSigned execution policy can easily be bypassed by starting PowerShell with the -ExecutionPolicy Bypass parameter. That is nice to know when you need to run a PowerShell script during a deployment but don’t want to interfere with the customer’s execution policy.
AppLocker is a better way of securing your systems and managing which applications are allowed and not allowed to run. AppLocker also works if you want to block your users from running PowerShell scripts on their clients. If you would like to learn more about securing your systems with PowerShell, check out Michael Greene’s blog post on TechNet: https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step
Reference TechNet article: Using the Set-ExecutionPolicy Cmdlet