One of the first steps to working successfully with PowerShell scripts is to correctly select the Execution Policy. If the Execution Policy is too strict, the scripts you find on sites like WindowsITPro and myITforum will not run. If it is too lenient, you leave yourself wide open for potential security issues.
Here's the list of Execution Policy parameters for PowerShell with brief explanations of each:
Restricted– This is the default execution policy on installation. When this policy is in effect, script execution is disabled. PowerShell itself is not disabled. It may still be used as an interactive command interpreter. While this is the most secure policy, it severely impacts our ability to use PowerShell for automation.AllSigned– When the execution policy is AllSigned, scripts can be executed, but they must be Authenticode-signed before they will run. When running a signed script, you will be asked if you want to trust the signer of the script.
RemoteSigned– RemoteSigned requires that all scripts that are downloaded from a remote location must be Authenticode-signed before they can be executed.
Unrestricted– When the execution policy is unrestricted, PowerShell will run any script. It will still prompt the user when it encounters a script that has been downloaded however, this is the least secure setting.
If you've just installed a new version of Windows on your computer or have never opened a PowerShell window before, PowerShell's Execution Policy will probably be set to the default, which is the Restricted policy. To find out for sure which Execution Policy has been selected, run the following PowerShell one-liner in the PowerShell CMD window:
Get-ExecutionPolicy
As shown in the screen capture below, PowerShell will act on the command and return with the currently enabled Execution Policy. As you can see, mine is set to RemoteSigned.
There's arguments back and forth about which Execution Policy is the best. RemoteSigned works for me. In What To Do / Not to Do in PowerShell: Part 9, Don Jones made the argument that ALL PowerShell scripts should be signed. In a perfect world I would agree. But, to me, it takes some extra effort and time when all I want to do is test a script.
So, how do you set the Execution Policy? You can use another simple PowerShell command to change the Execution Policy at any time.
Run this one-liner in the PowerShell CMD window:
Set-ExecutionPolicy parameter
So for example, if I wanted to change the Execution Policy to AllSigned, my command would look like this:
Set-ExecutionPolicy AllSigned
Changing PowerShell Execution Policies are serious business – serious enough to warrant Microsoft embedding an "Are you sure?" prompt (shown below) during the policy change, making the change a two-step process.
