PowerShell: execution policy

The execution policy controls which configuration files and PowerShell scripts are allowed to be loaded and run.

Execution policies provide a facility to prevent the execution of malicious scripts.

However, it does not prevent a user from bypassing a policy.

Windows stores a user's execution policy in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.

Policy values

Default

The default policy is

Restricted for Windows clients
remote signed for Windows Server

Bypass

Run any script without any warning or prompts whatsoever.

AllSigned

With allSigned, scripts (including those written on local computer) can be run.

If they're not signed by a trusted publisher, the user is prompted for allowance before running the script.

RemoteSigned

With remoteSigned, scripts can be run.

Scripts that don't originate from the computer (i.e. downloaded from the internet) are required to have a digital signature from a trusted publisher.

Unsigned downloaded script can be unblocked with unblock-file.

Restricted

Only running commands entered in an interactive session are possible.

Running scripts is not possible, including

Formatting and configuration files (*.ps1xml)
Modules
profiles

Undefined

No explicit policy value is defined for the current scope. As also the policy default, undefined effects to

restricted for Windows clients and
remoteSigned for Windows Server

Unrestricted

Allows to run unsigned scripts.

Scope

Execution policies can be set in different scopes (listed in order of (descending?/ascending?) precedence:

MachinePolicy
UserPolicy
Process	Affects current session only, value is stored in environment variable `PSExecutionPolicyPreference`.
currentUser
LocalMachine	Default scope when setting an execution policy without specifying a scope.

The actual values for each scope can be determined with the get-executionPolicy -list.

Only meaningful on Windows systems

Execution policies are only meaningful on computers running Windows.

In non-Windows environments, the execution policy defaults to unrestricted and cannot be changed.

Typical error messages

Typical error messages that are encountered with a «too restrictive» policy include

File … cannot be loaded because running scripts is disabled on this system
The … command was found in the module …, but the module could not be loaded.
…(?)

Example

PS C:\Users\rene> .\create-zip.ps1
. : File C:\Users\rene\create-zip.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see
  …
  …

PS C:\Users\rene> set-executionPolicy -scope process -executionPolicy bypass
PS C:\Users\rene> write-host $env:PSExecutionPolicyPreference
Bypass
PS C:\Users\rene> .\create-zip.ps1
  …