This article describes setting or changing Windows PowerShell script execution policies in Windows 11.
PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.
On a Windows computer, you can set an execution policy for the local computer, the current user, or a particular session. The execution policies help prevent the execution of malicious scripts.
The execution policy isn’t a security system that restricts user actions. For example, users can bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
Below are steps to set or change the PowerShell execution policies via the System Settings app, Windows PowerShell app, and Windows Registry Editor.
Execution policies:
These are the PowerShell execution policies available on Windows computers by default:
AllSigned
- Scripts can run.
- Requires a trusted publisher to sign all scripts and configuration files, including scripts you write on the local computer.
- Prompts you before running scripts from publishers that you haven’t yet classified as trusted or untrusted.
- Risks running signed but malicious scripts.
Bypass
- Nothing is blocked, and there are no warnings or prompts.
- This execution policy is designed for configurations in which a PowerShell script is built into a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.
Default
- Nothing is blocked and there are no warnings or prompts.
- This execution policy is designed for configurations in which a PowerShell script is built into a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.
RemoteSigned
- The default execution policy for Windows server computers.
- Scripts can run.
- Requires a digital signature from a trusted publisher on scripts and configuration files downloaded from the internet, including email and instant messaging programs.
- Doesn’t require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
- Runs scripts that are downloaded from the internet and not signed if the scripts are unblocked, such as by using the Unblock-File cmdlet.
- Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.
Restricted
- The default execution policy for Windows client computers.
- Permits individual commands but does not allow scripts.
- Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
Undefined
- The default execution policy for Windows client computers.
- Permits individual commands but does not allow scripts.
- Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
Unrestricted
- The default execution policy for non-Windows computers, where it cannot be changed.
- Unsigned scripts can run. There is a risk of running malicious scripts.
- Warns the user before running scripts and configuration files that are not from the local intranet zone.
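The RemoteSigned rules above depend on two things a defender can inspect directly: the file's Mark of the Web and its Authenticode signature. The following is an added example, not code from the original article; Test-RemoteSignedOutcome is a hypothetical helper name, the demo file is constructed, and treating ZoneId 3 and 4 as "downloaded" is an assumption about how the zone is evaluated.

```powershell
# Added example (not from the original article). Helper name is hypothetical.
function Test-RemoteSignedOutcome {
    param([Parameter(Mandatory)] [string] $Path)

    # Mark of the Web is stored in the Zone.Identifier alternate data stream (NTFS only).
    $motw   = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if ("$motw" -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }

    # Assumption: ZoneId 3 (Internet) and 4 (Restricted sites) count as downloaded.
    $remote = $zoneId -in 3, 4
    $sig    = Get-AuthenticodeSignature -FilePath $Path

    $verdict = if (-not $remote) {
        'Runs: treated as local, no signature required'
    } elseif ($sig.Status -eq 'Valid') {
        'Runs: downloaded, signature validates'
    } else {
        'Blocked: downloaded and signature does not validate'
    }

    [pscustomobject]@{
        Path            = $Path
        ZoneId          = $zoneId
        SignatureStatus = "$($sig.Status)"
        RemoteSigned    = $verdict
    }
}

# Constructed demo file: an unsigned script tagged as if downloaded from the internet.
$demo = Join-Path $env:TEMP 'motw-demo.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "hello"'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Test-RemoteSignedOutcome -Path $demo    # evaluated with the Mark of the Web present
Unblock-File -LiteralPath $demo         # removes the Zone.Identifier stream
Test-RemoteSignedOutcome -Path $demo    # evaluated again after unblocking
Remove-Item -LiteralPath $demo
```

Running the function over a downloads or scripts directory shows which unsigned files have already been unblocked, which is where RemoteSigned stops providing any check.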
Policy Scope
You can set an execution policy that is effective only in a particular scope. The valid values for Scope are MachinePolicy, UserPolicy, Process, CurrentUser, and LocalMachine. LocalMachine is the default when setting an execution policy.
MachinePolicy
- Set by a Group Policy for all users of the computer. Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > “Turn on Script Execution”
UserPolicy
- Set by a Group Policy for the current user of the computer. User Configuration > Administrative Templates > Windows Components > Windows PowerShell > “Turn on Script Execution”
Process
- The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.
CurrentUser
- The execution policy affects only the current user. It’s stored in the HKEY_CURRENT_USER registry subkey.
LocalMachine
- The execution policy affects all users on the current computer. It’s stored in the HKEY_LOCAL_MACHINE registry subkey.
Before setting or changing your PowerShell execution policies, you might want to know the current policies.
You can find out by running the command below in PowerShell as administrator.
Get-ExecutionPolicy -List
The command above lists your device’s current PowerShell execution policy for each scope.
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       Undefined
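The list is printed in precedence order, so the policy that actually applies is the first scope that is not Undefined. The following added example (not part of the original article) resolves that from the list and reports lower-precedence settings that are being overridden; Resolve-EffectivePolicy is a hypothetical helper name and the sample input is constructed.

```powershell
# Added example (not from the original article). Helper name is hypothetical.
function Resolve-EffectivePolicy {
    param(
        [Parameter(Mandatory)] [object[]] $PolicyList,  # objects with Scope and ExecutionPolicy
        [switch] $IsServer                              # fallback default differs on Windows Server
    )
    # Precedence, highest first (the order Get-ExecutionPolicy -List prints).
    $order  = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $winner = $null
    foreach ($scope in $order) {
        $entry = $PolicyList | Where-Object { "$($_.Scope)" -eq $scope }
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') { $winner = $entry; break }
    }
    if ($winner) {
        $effective = "$($winner.ExecutionPolicy)"
        $source    = "$($winner.Scope)"
    } else {
        # Every scope Undefined: fall back to the platform default.
        $effective = if ($IsServer) { 'RemoteSigned' } else { 'Restricted' }
        $source    = 'none (all scopes Undefined)'
    }
    # Scopes that are set but overridden by the winning scope.
    $shadowed = @($PolicyList | Where-Object {
        "$($_.ExecutionPolicy)" -ne 'Undefined' -and "$($_.Scope)" -ne $source
    } | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })

    [pscustomobject]@{
        Effective  = $effective
        DecidedBy  = $source
        Permissive = $effective -in 'Bypass', 'Unrestricted'
        Shadowed   = $shadowed -join ', '
    }
}

# Constructed sample: a session-level Bypass overriding stricter persistent settings.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'RemoteSigned' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'AllSigned' }
)
Resolve-EffectivePolicy -PolicyList $sample

# On a live system: Resolve-EffectivePolicy -PolicyList (Get-ExecutionPolicy -List)
```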
Set PowerShell execution policies to “RemoteSigned” or “Restricted” for Current User in Windows Settings app
The Windows Settings app lets you set PowerShell execution policies to “RemoteSigned” or “Restricted.”
Here’s how to turn it on or off.
First, open the Windows Settings app.
You can do that by clicking on the Start menu and selecting Settings. Or press the keyboard shortcut (Windows key + I) to launch the Settings app.
When the Settings app opens, click the Privacy & Security button on the left menu panel.
On the right, select the For developers tile to expand it.
On the Privacy & security -> For developers settings pane, click on the PowerShell tile to expand it.
On the expanded PowerShell tile, toggle the button switch to the On position to enable the “RemoteSigned” and “Restricted” policies for the current user.
To disable it, toggle the button back to the Off position.
Exit the Settings app.
Set PowerShell Execution Policies for Current User and Local Machine in PowerShell
You can set individual PowerShell execution policies directly from PowerShell as administrator. To do that, first, open the Windows PowerShell app as administrator.
Then run the commands below for the execution policy you want to set.
AllSigned
Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force
Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
Set-ExecutionPolicy Bypass -Scope LocalMachine -Force
Default
Set-ExecutionPolicy Default -Scope CurrentUser -Force
Set-ExecutionPolicy Default -Scope LocalMachine -Force
RemoteSigned
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
Restricted
Set-ExecutionPolicy Restricted -Scope CurrentUser -Force
Set-ExecutionPolicy Restricted -Scope LocalMachine -Force
Undefined
Set-ExecutionPolicy Undefined -Scope CurrentUser -Force
Set-ExecutionPolicy Undefined -Scope LocalMachine -Force
Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force
Set PowerShell scripts execution policies via Windows Registry Editor
Yet another way to set or change PowerShell script execution policies in Windows is to use the Windows Registry Editor.
First, open the Windows Registry Editor and navigate to the key path below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
If you don’t see the Microsoft.PowerShell key, right-click the ShellIds key and create a subkey named Microsoft.PowerShell.
Select the Microsoft.PowerShell key, right-click in its right pane, and select New -> String Value. Name the new value ExecutionPolicy.
Double-click the new value (ExecutionPolicy) and enter the Value data for the policy you want to enable:
- Restricted
- AllSigned
- RemoteSigned
- Unrestricted
- Bypass
Save your changes and restart your computer.
That should do it!
Conclusion:
This post showed you how to change PowerShell execution policies in Windows 11. If you find any errors above or have something to add, please use the comment form below.