Change PowerShell Script Execution Policy in Windows 11



This tutorial will show you different ways to set the PowerShell script execution policy for the current user, local machine, or current process in Windows 11.

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

On a Windows computer you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policies for computers and users.

Execution policies for the local computer and current user are stored in the registry. You don't need to set execution policies in your PowerShell profile. The execution policy for a particular session is stored only in memory and is lost when the session is closed.

The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.

Enforcement of these policies only occurs on Windows platforms. The PowerShell execution policies are as follows:

Execution Policy | Description
AllSigned
  • Scripts can run.
  • Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • Prompts you before running scripts from publishers that you haven't yet classified as trusted or untrusted.
  • Risks running signed, but malicious, scripts.
Bypass
  • Nothing is blocked and there are no warnings or prompts.
  • This execution policy is designed for configurations in which a PowerShell script is built in to a larger application or for configurations in which PowerShell is the foundation for a program that has its own security model.
Default
  • Sets the default execution policy.
  • Restricted for Windows clients.
  • RemoteSigned for Windows servers.
RemoteSigned
  • The default execution policy for Windows server computers.
  • Scripts can run.
  • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet, which includes email and instant messaging programs.
  • Doesn't require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
  • Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
  • Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.
Restricted
  • The default execution policy for Windows client computers.
  • Permits individual commands, but does not allow scripts.
  • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
Undefined
  • There is no execution policy set in the current scope.
  • If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.
Unrestricted
  • The default execution policy for non-Windows computers and cannot be changed.
  • Unsigned scripts can run. There is a risk of running malicious scripts.
  • Warns the user before running scripts and configuration files that are not from the local intranet zone.

You can set an execution policy that is effective only in a particular scope.

The valid values for Scope are MachinePolicy, UserPolicy, Process, CurrentUser, and LocalMachine. LocalMachine is the default when setting an execution policy.

The Scope values are listed in precedence order. The policy that takes precedence is effective in the current session, even if a more restrictive policy was set at a lower level of precedence.

Scope | Description
MachinePolicy | Set by a Group Policy for all users of the computer. Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > "Turn on Script Execution"
UserPolicy | Set by a Group Policy for the current user of the computer. User Configuration > Administrative Templates > Windows Components > Windows PowerShell > "Turn on Script Execution"
Process | The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the PowerShell session is closed, the variable and value are deleted.
CurrentUser | The execution policy affects only the current user. It's stored in the HKEY_CURRENT_USER registry subkey.
LocalMachine | The execution policy affects all users on the current computer. It's stored in the HKEY_LOCAL_MACHINE registry subkey.


If you set the execution policy for the scopes LocalMachine or the CurrentUser, the change is saved in the registry and remains effective until you change it again.

If you set the execution policy for the Process scope, it's not saved in the registry. The execution policy is retained until the current process and any child processes are closed.


Contents

  • Option One: See All Current PowerShell Script Execution Policies
  • Option Two: Set PowerShell Script Execution Policy to "RemoteSigned" or "Restricted" for Current User in Settings
  • Option Three: Set PowerShell Script Execution Policy for Current User in PowerShell
  • Option Four: Set PowerShell Script Execution Policy for Current User using REG file
  • Option Five: Set PowerShell Script Execution Policy for Local Machine in PowerShell
  • Option Six: Set PowerShell Script Execution Policy for Local Machine using REG file
  • Option Seven: Set PowerShell Script Execution Policy for Process in PowerShell




Option One

See All Current PowerShell Script Execution Policies


1 Open Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below into Windows Terminal, and press Enter. (see screenshot below)

Get-ExecutionPolicy -List

3 You will now see all execution policies listed in precedence order.

Get-ExecutionPolicy-List.png
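
The precedence rule can be applied to this listing to see which scope is actually in effect and whether it overrides a stricter setting lower down. The PowerShell below is an added example, not part of the original tutorial; the function name Resolve-EffectiveExecutionPolicy, the strictness ranking and the sample rows are this example's own assumptions.

```powershell
# Added example (not from the tutorial): find the scope whose policy is in effect.
function Resolve-EffectiveExecutionPolicy {
    param(
        # Rows with Scope and ExecutionPolicy properties, in precedence order,
        # in the shape Get-ExecutionPolicy -List returns.
        [Parameter(Mandatory)] [object[]] $PolicyList,
        # Effective policy when every scope is Undefined: Restricted on
        # Windows clients, RemoteSigned on Windows Server.
        [string] $FallbackPolicy = 'Restricted'
    )

    # Strictness ranking assumed by this example (higher = more restrictive).
    $rank = @{ Bypass = 0; Unrestricted = 1; RemoteSigned = 2; AllSigned = 3; Restricted = 4 }

    # Scopes with a policy set, still in precedence order; the first one wins.
    $defined = @($PolicyList | Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' })

    if ($defined.Count -eq 0) {
        $scope = '(no scope set)'
        $policy = $FallbackPolicy
        $overridden = @()
    }
    else {
        $scope = "$($defined[0].Scope)"
        $policy = "$($defined[0].ExecutionPolicy)"
        # Lower-precedence scopes that asked for something stricter and lost.
        $overridden = @($defined | Select-Object -Skip 1 |
            Where-Object { $rank["$($_.ExecutionPolicy)"] -gt $rank[$policy] } |
            ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
    }

    [pscustomobject]@{
        EffectiveScope     = $scope
        EffectivePolicy    = $policy
        # Bypass and Unrestricted let unsigned scripts from any source run.
        Permissive         = ($policy -in @('Bypass', 'Unrestricted'))
        StricterButIgnored = $overridden
    }
}

# Constructed sample: a Process-scope Bypass sitting above a LocalMachine Restricted.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'Restricted' }
)
Resolve-EffectiveExecutionPolicy -PolicyList $sample

# On a live system:
# Resolve-EffectiveExecutionPolicy -PolicyList (Get-ExecutionPolicy -List)
```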





Option Two

Set PowerShell Script Execution Policy to "RemoteSigned" or "Restricted" for Current User in Settings


1 Open Settings (Win+I).

2 Click/tap on Privacy & security on the left side, and click/tap on For developers on the right side. (see screenshot below)

Starting with Windows 11 version 22H2 KB5030310 Build 22621.2361, For developers is now in Settings > System.



PowerShell_script_execution_policy_Settings-1.png

3 Click/tap on PowerShell to expand it open. (see screenshot below step 4)

4 Turn On (RemoteSigned) or Off (default - Restricted) the "Change execution policy to allow local PowerShell scripts to run without signing. Require signing for remote scripts" setting for what you want. (see screenshot below)

PowerShell_script_execution_policy_Settings-2.png

5 You can now close Settings if you like.




Option Three

Set PowerShell Script Execution Policy for Current User in PowerShell


1 Open Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below for the execution policy you want to set into Windows Terminal, and press Enter. (see screenshot below)

AllSigned: Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force

Bypass: Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

Default: Set-ExecutionPolicy Default -Scope CurrentUser -Force

RemoteSigned: Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Restricted: Set-ExecutionPolicy Restricted -Scope CurrentUser -Force

Undefined: Set-ExecutionPolicy Undefined -Scope CurrentUser -Force

Unrestricted: Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force

3 You can now close Windows Terminal if you like.

PowerShell_execution_policy_for_CurrentUser_command.png





Option Four

Set PowerShell Script Execution Policy for Current User using REG file


1 Do step 2 (Restricted), step 3 (AllSigned), step 4 (RemoteSigned), step 5 (Unrestricted), step 6 (Bypass), or step 7 (Undefined) below for what you would like to do.


 2. Set PowerShell Script Execution Policy to "Restricted" for Current User

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_Restricted_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Restricted"


 3. Set PowerShell Script Execution Policy to "AllSigned" for Current User

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_AllSigned_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="AllSigned"


 4. Set PowerShell Script Execution Policy to "RemoteSigned" for Current User

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_RemoteSigned_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="RemoteSigned"


 5. Set PowerShell Script Execution Policy to "Unrestricted" for Current User

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_Unrestricted_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Unrestricted"


 6. Set PowerShell Script Execution Policy to "Bypass" for Current User

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_Bypass_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Bypass"


 7. Set PowerShell Script Execution Policy to "Undefined" for Current User

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

CurrentUser_Undefined_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"=-

8 Save the .reg file to your desktop.

9 Double click/tap on the downloaded .reg file to merge it.

10 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

11 You can now delete the downloaded .reg file if you like.




Option Five

Set PowerShell Script Execution Policy for Local Machine in PowerShell


You must be signed in as an administrator to use this option.

If you get a message in red like the one below when setting a PowerShell execution policy, it just means that the execution policy set for your account (current user) will be used instead of this local machine setting. If you like, you can set your (current user) execution policy to Undefined to no longer see this message in red when setting the local machine policy.

message.png


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Copy and paste the command below for the execution policy you want to set into Windows Terminal, and press Enter. (see screenshot below)

AllSigned: Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force

Bypass: Set-ExecutionPolicy Bypass -Scope LocalMachine -Force

Default: Set-ExecutionPolicy Default -Scope LocalMachine -Force

RemoteSigned: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

Restricted: Set-ExecutionPolicy Restricted -Scope LocalMachine -Force

Undefined: Set-ExecutionPolicy Undefined -Scope LocalMachine -Force

Unrestricted: Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force

3 You can now close Windows Terminal (Admin) if you like.

PowerShell_execution_policy_for_LocalMachine_command.png





Option Six

Set PowerShell Script Execution Policy for Local Machine using REG file


1 Do step 2 (Restricted), step 3 (AllSigned), step 4 (RemoteSigned), step 5 (Unrestricted), step 6 (Bypass), or step 7 (Undefined) below for what you would like to do.


 2. Set PowerShell Script Execution Policy to "Restricted" for Local Machine

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_Restricted_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Restricted"


 3. Set PowerShell Script Execution Policy to "AllSigned" for Local Machine

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_AllSigned_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="AllSigned"


 4. Set PowerShell Script Execution Policy to "RemoteSigned" for Local Machine

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_RemoteSigned_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="RemoteSigned"


 5. Set PowerShell Script Execution Policy to "Unrestricted" for Local Machine

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_Unrestricted_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Unrestricted"


 6. Set PowerShell Script Execution Policy to "Bypass" for Local Machine

A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_Bypass_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Bypass"


 7. Set PowerShell Script Execution Policy to "Undefined" for Local Machine

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 8 below.​

LocalMachine_Undefined_PowerShell_ExcutionPolicy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"=-

8 Save the .reg file to your desktop.

9 Double click/tap on the downloaded .reg file to merge it.

10 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

11 You can now delete the downloaded .reg file if you like.
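
Before merging a downloaded .reg file from Option Four or Option Six, its contents can be checked against the keys shown in the "Contents of REG file" listings. This is an added example, not from the original tutorial; Test-ExecutionPolicyRegFile and the ExampleVendor key are hypothetical names and the sample text is constructed.

```powershell
# Added example (not from the tutorial): inspect a .reg file before merging it.
function Test-ExecutionPolicyRegFile {
    param([string[]] $Lines)

    # The two keys the REG files in this tutorial write to.
    $allowedKeys = @(
        'HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    )
    $allowedData = 'Restricted', 'AllSigned', 'RemoteSigned', 'Unrestricted', 'Bypass'
    $currentKey = $null
    $policy = $null
    $findings = @()

    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        # Skip blanks, comments and the file header.
        if ($line -eq '' -or $line.StartsWith(';') -or $line -like 'Windows Registry Editor Version*') { continue }

        if ($line -match '^\[(-?)(.+)\]$') {
            # Key header; a leading "-" means the whole key would be deleted.
            $currentKey = $Matches[2]
            if ($Matches[1] -eq '-') { $findings += "deletes key: $currentKey" }
            elseif ($allowedKeys -notcontains $currentKey) { $findings += "unexpected key: $currentKey" }
        }
        elseif ($allowedKeys -contains $currentKey -and $line -match '^"ExecutionPolicy"=("[^"]*"|-)$') {
            # "ExecutionPolicy"=- removes the value, which leaves the scope Undefined.
            $data = $Matches[1]
            if ($data -eq '-') { $policy = 'Undefined' }
            elseif ($allowedData -contains $data.Trim('"')) { $policy = $data.Trim('"') }
            else { $findings += "unknown policy value: $data" }
        }
        else {
            $findings += "unexpected line under [$currentKey]: $line"
        }
    }

    [pscustomobject]@{
        Policy                  = $policy
        Findings                = $findings
        OnlySetsExecutionPolicy = ($findings.Count -eq 0 -and $null -ne $policy)
    }
}

# Constructed sample: the CurrentUser "RemoteSigned" file with one extra,
# made-up key appended (ExampleVendor is a placeholder).
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="RemoteSigned"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"Setting"="1"
'@ -split "`r?`n"
Test-ExecutionPolicyRegFile -Lines $sample

# For a real file: Test-ExecutionPolicyRegFile -Lines (Get-Content .\file.reg)
```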




Option Seven

Set PowerShell Script Execution Policy for Process in PowerShell


The execution policy set using this option only affects the current PowerShell session for the current process until you close the current PowerShell window.


1 Open Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below for the execution policy you want to set into Windows Terminal, and press Enter. (see screenshot below)

AllSigned: Set-ExecutionPolicy AllSigned -Scope Process -Force

Bypass: Set-ExecutionPolicy Bypass -Scope Process -Force

Default: Set-ExecutionPolicy Default -Scope Process -Force

RemoteSigned: Set-ExecutionPolicy RemoteSigned -Scope Process -Force

Restricted: Set-ExecutionPolicy Restricted -Scope Process -Force

Undefined: Set-ExecutionPolicy Undefined -Scope Process -Force

Unrestricted: Set-ExecutionPolicy Unrestricted -Scope Process -Force

3 You can now close Windows Terminal if you like.

PowerShell_execution_policy_for_Process_command.png



That's it,
Shawn Brink


 

Now we need a tutorial, how to restrict PowerShell to Constrained Language mode. :wink:
Code:
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f
 
