PowerShell Execution Policy

PowerShell Execution Policy Explained

PowerShell execution policy is often misunderstood and treated as a security feature that stops you from running your scripts. But it is not intended as a security feature, and it was not designed to make your life hard. In this post I will explain what PowerShell execution policy is, how to set it, and finally how to bypass it.

PowerShell Execution Policies

  • AllSigned: Requires every script and configuration file, downloaded or locally created, to be signed by a trusted publisher.
  • Bypass: Everything can run and there are no warnings or pop-ups.
  • RemoteSigned: This setting requires all scripts and configurations that are downloaded from the Internet to be signed by a trusted publisher.
  • Undefined: Removes any execution policy set on the current scope. Execution policy set by Group Policy is still active.
  • Unrestricted: Runs all scripts and configuration files. Unsigned scripts downloaded from the Internet prompt for permission before they are allowed to run.

Setting PowerShell Execution Policy

Call Set-ExecutionPolicy followed by the specific policy you want to set. This example sets the execution policy to RemoteSigned.

Set-ExecutionPolicy RemoteSigned

Not a security feature

The AllSigned policy was not designed as a security system to prevent malicious scripts from running; it was intended as verification that you only run scripts you have signed and approved. As a security feature, the AllSigned execution policy can easily be bypassed by starting PowerShell with the -ExecutionPolicy Bypass parameter. This is nice to know when you need to run a PowerShell script during a deployment but don’t want to interfere with the customer’s execution policy.
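The -ExecutionPolicy parameter only sets the Process scope, which is why it leaves the stored policy alone and why a policy delivered by Group Policy still takes precedence over it. The following is an added example, not code from the original post: Resolve-EffectivePolicy is a hypothetical helper and both scope lists are constructed sample data shaped like the output of Get-ExecutionPolicy -List.

```powershell
# Added example (not from the original post).
# Resolve-EffectivePolicy is a hypothetical helper name.
function Resolve-EffectivePolicy {
    # $ScopeList has the shape of Get-ExecutionPolicy -List output:
    # objects with a Scope and an ExecutionPolicy property.
    param([Parameter(Mandatory)] [object[]] $ScopeList)

    # Scope precedence, highest first. The two *Policy scopes come from Group Policy.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    foreach ($scope in $precedence) {
        $entry = $ScopeList | Where-Object { "$($_.Scope)" -eq $scope } | Select-Object -First 1
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            $fromGpo = $scope -in 'MachinePolicy', 'UserPolicy'
            return [pscustomobject]@{
                DecidingScope       = $scope
                EffectivePolicy     = "$($entry.ExecutionPolicy)"
                SetByGroupPolicy    = $fromGpo
                # A command-line -ExecutionPolicy value lands in the Process scope,
                # so it takes effect only when no Group Policy scope is defined.
                ProcessOverrideWins = -not $fromGpo
            }
        }
    }
    # Every scope Undefined: Windows client editions fall back to Restricted.
    [pscustomobject]@{
        DecidingScope       = 'Default'
        EffectivePolicy     = 'Restricted'
        SetByGroupPolicy    = $false
        ProcessOverrideWins = $true
    }
}

# Constructed sample: Group Policy enforces AllSigned, process started with Bypass.
$gpoManaged = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
# Constructed sample: policy set locally with Set-ExecutionPolicy, no Group Policy.
$localOnly = @(
    [pscustomobject]@{ Scope = 'Process';      ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'LocalMachine'; ExecutionPolicy = 'AllSigned' }
)

Resolve-EffectivePolicy -ScopeList $gpoManaged
Resolve-EffectivePolicy -ScopeList $localOnly
# On a live Windows host:
# Resolve-EffectivePolicy -ScopeList (Get-ExecutionPolicy -List)
```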

AppLocker is a better way of securing your systems and managing which applications are allowed and not allowed to run. AppLocker also works if you want to block your users from running PowerShell scripts on their clients. If you would like to learn more about securing your systems with PowerShell, check out Michael Greene’s blog post on TechNet: https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step

Reference TechNet article: Using the Set-ExecutionPolicy Cmdlet

Anders Rødland

