PowerShell with a Purpose Blog

How to enable scripts and scripting in PowerShell

One of the neat things about running anad campaign is that Google lets you know what keywords people are using in searches - which basically helps me figure out what, in part, to write about. "powershell enable scripts" comes up a LOT - which isn't surprising, I guess, since PowerShell disables script execution by default.

So, the quick and dirty answer, in the event that you've run across this post looking for such an answer: Run Set-ExecutionPolicy RemoteSigned in the shell. You'll need to be a local admin, and be running the shell as admin (make sure it says "Administrator" in the window's title bar) for this to work. Pay attention to the output, too: If the local settings are being overridden by a Group Policy object, then you'll get a warning about that, letting you know that the command worked but won't do any good.

Now, you should probably read a few of the gory details. There are actually five execution policy levels you can set (run Help Set-ExecutionPolicy for a brief list, or help about_signing for a complete explanation). They are, in order of most-secure to least-secure:

  • Restricted: The default. Scripts don't run, although you can use the shell interactively to run commands.
  • AllSigned: Scripts will run if they've been digitally signed using a certificate issued by a trusted Certification Authority. You'll need a Class 3, or code-signing, certificate - that's not the same as the Class 1 you'd use to sign an e-mail. 
  • RemoteSigned: Local scripts will run, but anything "remote" - coming from an Internet path, downloaded from IE or Outlook, or potentially sitting on a UNC path, must be signed. Microsoft suggests this policy as a good balance between security and convenience. 
  • Unrestricted: All scripts will run without a signature. This isn't recommended - it provides a little too much room for a malicious script to be run unintentionally.
  • Bypass: This is meant for software products that are hosting PowerShell and providing their own layer of security. You're not meant to set the shell-wide policy to this on your own.
So there you have it: A brief overview of the possible settings, and a fast path for getting scripts running in your copy of the shell. Running help about_signing will reveal all the other little details, like how to sign a script, how to make a self-signed certificate for use on your local machine, and so on. 
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish