on 18-Dec-2008 12:02
Welcome to this edition of the PowerShell ABCs, where you'll find 26 posts detailing a component of the PowerShell scripting language, one letter at a time. Today's letter is the letter "E". For "E" I've picked the word that relates to how PowerShell's security model supports execution of scripts. Today's word is ExecutionPolicy.
One of the main features of PowerShell is the ability to execute scripts. But scripts are not inherently "safe", and since PowerShell has no concept of sandboxing, the execution of scripts is disabled by default. The default way to execute scripts is via the console interpreter.
But since PowerShell's function is to execute scripts, there has to be a way to enable it in your environment. The way to configure this is with the PowerShell Execution Policy. The execution policy is stored in the registry, and there are two handy cmdlets to get and set its value.
Get-ExecutionPolicy
Set-ExecutionPolicy [-executionPolicy] {Restricted | AllSigned | RemoteSigned | Unrestricted}
The descriptions for the execution policies are as follows:
Restricted
This is the default execution policy. When this policy is set, script execution is completely disabled. PowerShell can still be used to interactively interpret commands. While this is the default policy, it severely limits the use of PowerShell for automation.
AllSigned
When the execution policy is AllSigned, scripts can be executed, but only if they have been digitally signed. When running a signed script, you will be asked if you trust the signer of the script before it will execute. This is still a secure policy, but it makes script development difficult. This is best suited for environments where scripts are to be deployed rather than created.
RemoteSigned
RemoteSigned means that all scripts that are downloaded from a remote location must be digitally signed before they can be executed. This depends on the application downloading the script to mark it as coming from a remote location. Anything downloaded with Internet Explorer, Outlook, or Outlook Express will be properly marked. This is the minimum recommended execution policy setting and is the best setting for script development.
Unrestricted
When the execution policy is Unrestricted, PowerShell will run any and all scripts you give it. However, it will still prompt the user when it encounters a script that has been downloaded. This is the least secure setting and it is not recommended, but it may be necessary in some developer scenarios where RemoteSigned is too restrictive.
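To see how the four policies above would treat scripts already on disk, the following added example (not part of the original post) reports each script's Authenticode status and download marking. It assumes PowerShell 3.0 or later on NTFS; the function name Get-ScriptPolicyVerdict, the folder C:\Scripts, and the rule that zone 3 or 4 means "remote" are this example's own.

```powershell
# Added example: report how each execution policy would treat the .ps1 files in a folder.
# Needs PowerShell 3.0+ (for -Stream, -File, [pscustomobject]) and an NTFS volume.
function Get-ScriptPolicyVerdict {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # folder to audit (hypothetical parameter name)
    )

    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -File -Recurse | ForEach-Object {
        $file = $_

        # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signed = $sig.Status -eq 'Valid'

        # A downloading application records the origin zone in the
        # Zone.Identifier alternate data stream as a line "ZoneId=<n>".
        $zoneId = $null
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }

        # Assumption of this example: zone 3 (Internet) or 4 (Restricted sites) counts as remote.
        # Only the stream is inspected; files on network shares are not evaluated here.
        $remote = ($null -ne $zoneId) -and ($zoneId -ge 3)

        [pscustomobject]@{
            Script       = $file.FullName
            Signature    = $sig.Status
            ZoneId       = $zoneId
            Restricted   = 'Blocked'
            AllSigned    = if ($signed) { 'Runs after trusting signer' } else { 'Blocked' }
            RemoteSigned = if ((-not $remote) -or $signed) { 'Runs' } else { 'Blocked' }
            Unrestricted = if ($remote) { 'Runs after prompt' } else { 'Runs' }
        }
    }
}

# Example call against a constructed folder name:
# Get-ScriptPolicyVerdict -Path C:\Scripts | Format-Table -AutoSize
```

A script with no Zone.Identifier stream shows an empty ZoneId and is treated as local, which is why RemoteSigned depends on the downloading application writing that mark.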
For more information on signing PowerShell scripts, see Scott Hanselman's excellent post on the topic.