As an IT professional using PowerShell to write scripts and automate tasks, it is important that you have a good understanding of how PowerShell execution policies work. PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts by acting as a gatekeeper.
Are you new to working with PowerShell? Check out my comprehensive beginner’s guides to PowerShell 7 on my YouTube Channel.
Here is a list of execution policies supported by Windows PowerShell 7 and explanations of what they mean for us.
Restricted (default in PowerShell 5 and 6)
• Default execution policy in Windows 8, Windows Server 2012, and Windows 10.
• Permits individual commands, but will not run scripts.
• Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and Windows PowerShell profiles (.ps1).
AllSigned
• Scripts can run.
• Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
• Prompts you before running scripts from publishers that you have not yet classified as trusted or untrusted.
• Risks running signed, but malicious, scripts.
RemoteSigned (default in PowerShell 7)
• Scripts can run. This is the default execution policy in Windows Server 2012 R2, Windows Server 2019, Windows Server 2022, and Windows 11.
• Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the Internet (including e-mail and instant messaging programs).
• Does not require digital signatures on scripts that you have written on the local computer (not downloaded from the Internet).
• Runs scripts that are downloaded from the Internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
• Risks running unsigned scripts from sources other than the Internet and signed, but malicious, scripts.
Unrestricted
• Unsigned scripts can run. (This risks running malicious scripts.)
• Warns the user before running scripts and configuration files that are downloaded from the Internet.
Bypass
• Nothing is blocked and there are no warnings or prompts.
• This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.
Undefined
• There is no execution policy set in the current scope. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy.
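To see how the policies above apply to scripts on a given machine, the following added example (not part of the original article) reports the effective policy, each script's download mark and signature status, and the resulting verdict. The function name `Get-ScriptPolicyVerdict` is hypothetical, the verdict strings paraphrase the list above, and the code assumes Windows with NTFS, where the "downloaded from the Internet" flag lives in the `Zone.Identifier` stream.

```powershell
# Added example (Windows, NTFS): predict how the effective policy treats a script.
function Get-ScriptPolicyVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        # Effective policy after scope precedence has been applied.
        $policy = [string](Get-ExecutionPolicy)
    }
    process {
        # "Downloaded from the Internet" is recorded in the Zone.Identifier
        # alternate data stream; ZoneId 3 = Internet, 4 = Restricted sites.
        $zone = $null
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ("$ads" -match 'ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        $downloaded = $zone -in 3, 4

        # 'Valid' means the signature verifies and chains to a trusted root.
        $status = (Get-AuthenticodeSignature -LiteralPath $Path).Status
        $signed = $status -eq 'Valid'

        $verdict = switch ($policy) {
            'Restricted'   { 'blocked: no scripts run' }
            'AllSigned'    { if ($signed) { 'runs (prompts for unclassified publisher)' }
                             else { 'blocked: signature required' } }
            'RemoteSigned' { if ($downloaded -and -not $signed) { 'blocked: sign it, or review it and use Unblock-File' }
                             else { 'runs' } }
            'Unrestricted' { if ($downloaded) { 'runs after a warning' } else { 'runs' } }
            'Bypass'       { 'runs: nothing blocked, no prompts' }
            default        { "not evaluated for policy '$policy'" }
        }
        [pscustomobject]@{
            Script    = Split-Path -Leaf $Path
            ZoneId    = $zone
            Signature = $status
            Policy    = $policy
            Verdict   = $verdict
        }
    }
}

# Per-scope settings, highest precedence first, then a verdict per script.
Get-ExecutionPolicy -List
Get-ChildItem -Path . -Filter *.ps1 | Get-ScriptPolicyVerdict | Format-Table -AutoSize
```

A `Valid` signature only shows the file is intact and its certificate chains to a trusted root; as the AllSigned and RemoteSigned entries note, a signed script can still be malicious.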