Is your execution policy Unrestricted for the entire machine?

Sometimes I see customers that, for simplicity, set the PowerShell execution policy to Unrestricted. I often wonder why; the usual reply is that it just doesn't work otherwise. Well, I say it's time to reconsider. PowerShell allows for a much more granular solution using scopes. Did you know that there are 5 different scopes for the execution policy?

Scope
Process
CurrentUser
LocalMachine
UserPolicy
MachinePolicy

So, armed with this knowledge, we can allow the current process to run as unrestricted while maintaining a rather secure machine around it. But if there are options for the scope, what different execution policies are there? Well, there are 7, well, kind of.

Execution Policy: Description
Unrestricted: No restrictions; all Windows PowerShell scripts can be run.
RemoteSigned: Downloaded scripts must be signed by a trusted publisher before they can be run.
AllSigned: Only scripts signed by a trusted publisher can be run.
Restricted: No scripts can be run. Windows PowerShell can be used only in interactive mode.
Default: Return execution policy to normal. (Restricted)
Bypass: Nothing is blocked and there are no warnings or prompts.
Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.

So if you need to run PowerShell scripts as unrestricted, why change the entire machine?

So now we know that we can do it just for the user.

Change the Execution Policy for just a process

What if you only want to run a single script? Do we really need to change the execution policy before and after? No, now we have two choices. We can use Set-ExecutionPolicy or fix it when we invoke PowerShell.

From a command line window (cmd.exe)

So what do these two ways have in common? Both alter the environment variable PSExecutionPolicyPreference; you can inspect it from within PowerShell by looking at $env:PSExecutionPolicyPreference.
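
The scoped alternatives described above, as an added example that is not from the original post: it lists the policy at each scope, flags persistent scopes left at Unrestricted or Bypass, and then sets a policy per user, per session and per invocation. The script path is a hypothetical placeholder, and RemoteSigned for the user scope is an assumption; substitute the policy you need.

```powershell
# Added example, not from the original post.
$script = 'C:\Scripts\Example.ps1'   # hypothetical placeholder path

# 1. Show what is configured at every scope. When several scopes are set,
#    precedence is MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize

# 2. Flag persistent scopes that are wide open.
$loose = $policies | Where-Object {
    $_.Scope -in 'LocalMachine', 'CurrentUser' -and
    $_.ExecutionPolicy -in 'Unrestricted', 'Bypass'
}
foreach ($entry in $loose) {
    Write-Warning "$($entry.Scope) is set to $($entry.ExecutionPolicy)"
}

# 3. Just the current user: persists for this account only and
#    does not require an elevated prompt.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 4. Just this PowerShell session: nothing is written to the registry,
#    and the setting is gone when the process exits.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
$env:PSExecutionPolicyPreference     # holds the process-scope value

# 5. Just one invocation, set when PowerShell is started. The same
#    command line works from cmd.exe or a scheduled task:
#      powershell.exe -ExecutionPolicy Unrestricted -File C:\Scripts\Example.ps1
& powershell.exe -NoProfile -ExecutionPolicy Unrestricted -File $script

# 6. Effective policy for this session once precedence is applied.
#    A MachinePolicy or UserPolicy value set through Group Policy
#    still overrides steps 3 to 5.
Get-ExecutionPolicy
```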

So what is clear is that many people change the execution policy in very broad strokes just because they don't know how to do it in smaller strokes.

Sources:

ExecutionPolicy Enumeration
