What is powershell execution policy?
The PowerShell execution policy was created with the goal of being administrator-friendly while also being accessible to end users. The latter goal, more than the former, was a little more difficult to achieve, given that convenience is typically inversely proportionate to security.
Malicious VBS (Visual Basic Script) files disguised as useful bits of software have been sent around in emails on occasion. Unsuspecting users double-clicked the script files, falling for scams ranging from letting the script’s creator know you executed the script to giving the script’s creator entire access over your machine.
The script can be run by double-clicking it. Before running the script, there was no need to open it and read it.
Any script might be run from anywhere.
By not loading the PowerShell engine to run the script, the PowerShell execution policy overcomes the first issue. The script opens in Notepad by default, not even in the PowerShell Integrated Scripting Environment. (If the script is open in the PowerShell ISE, you can still run it by pressing the F5 key.) Opening the script in Notepad is harmless; however, running the script requires considerable effort. Even if the user is able to right-click the script and select Run with PowerShell, or if PowerShell ISE is loaded to the F5 key below error is seen
File C:\Users\Vamshi\Downloads\CleanupScript.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.
There are a variety of PowerShell execution policies. They’re set at different levels to regulate how PowerShell scripts perform on the PC. Microsoft’s own documentation (or Get-Help about Execution Policies to learn more about these rules) will provide you a good understanding of the different execution policies.
Summary of the various PowerShell execution policies
Starting with Windows Server 2012, PowerShell comes with Restricted as the default execution policy (or Windows 8). As a result, you won’t be able to run a script straight away unless you first modify the policy to something different.
On the PowerShell console, you can perform individual commands. Even scripts written by you cannot run with this policy set on your computer.
If scripts are allowed to run on the computer, this is the safest policy available. When you enable this policy, your machine will only run PowerShell scripts that are signed with a valid digital signature (signed using a code signing certificate).
Your computer should trust the certificate used to sign the script. The script will not run if this is not done. It also means that scripts that have been altered with after they’ve been digitally signed won’t run.
This condition also applies to scripts you’ve written, even if they’re being run on the same computer.
In any enterprise setting, this is a safe PowerShell Execution policy to implement. The certificate could have been issued by your domain’s certification authority, or from an external certification authority like Verisign etc..
In an enterprise environment, this is also a safe PowerShell Execution policy to set. This policy states that any script that was not generated on the system on which it is now running must be signed. As a result, you’ll be able to write and run your own script. You wouldn’t be able to run a script you acquired on the Internet or from a buddy who authored it on his account or on a different machine. Using the file information, PowerShell can tell the difference between a script you developed on that computer and one that comes from somewhere else.
This policy is dangerous in any situation and should only be used when you know what you’re doing. Also, keep in mind the breadth of the policy you’ve created. I’ll go into more detail about this later in the article.
You can run PowerShell scripts with no constraints using the Unrestricted Execution Policy.
This policy should be avoided at all costs. This policy should only be used if you already have an alternate permission mechanism in place and don’t want PowerShell to get in the way of the execution.
Setting the Execution Policy to Undefined removes policy restrictions from the scope/level where Set-ExecutionPolicy Undefined is executed. Remember that if you set the Execution Policy to Undefined at all levels, PowerShell will set the machine policy to Restricted, which is the default.
Execution Policies Take Priority order
One thing to keep in mind while using PowerShell Execution Policies is the scopes at which they can be configured. The different scopes at which you can set an Execution Policy are as follows:
The registry stores the Execution Policies established at the CurrentUser and LocalMachine levels. Let’s look at how implementing a PowerShell Execution Policy at the local machine level affects registry variables. First time normally when the Execution Policy is checked “Undefined” is the status.
You can change or set in registry value on the computer or use Group policy to set the policy for all devices on a domain.