- Use PowerShell splatting and PSBoundParameters to pass parameters - Wed, Nov 9 2022
- Using PowerShell with $PSStyle - Mon, Jan 24 2022
- Clean up user profiles with PowerShell - Mon, Jun 9 2014
In a previous article I explained about PowerShell’s execution policy and demonstrated how to set it from an elevated PowerShell session.
PS C:\> Set-ExecutionPolicy RemoteSigned -Force
The default policy is Restricted so if you only need to configure a policy on a handful of machines you could run the command interactively. You could even use a remoting command.
PS C:\> Invoke-Command {Set-ExecutionPolicy RemoteSigned –Force} –computername $computersBut the smarter way is to use a Group Policy object. The primary benefit is that policies applied by a GPO can’t be overwritten, even by an administrator. To configure such a policy open the Group Policy Management Editor and edit or create a new GPO. Mine is called PowerShell Configuration.
Group Policy Management Editor
To configure, navigate under Computer Configuration to Policies\Administrative Templates\Windows Components\Windows PowerShell. You should see a setting called Turn on Script Execution like in figure 2.
Turn on Script Execution
Double-click the setting. You will want to enable it and select an option from the drop down.
Enable PowerShell execution policy
The policy descriptions correspond to AllSigned, RemoteSigned and Unrestricted. I’m going to pick the policy to allow local and remote signed scripts. Click OK to set it. The dialog suggest you need at least Windows 7 but I am pretty sure that even with PowerShell 2 running on older systems you can use this policy. I unfortunately no longer have any such legacy systems to verify that. But this setting will apply to PowerShell 2.0 and later.
I can verify my setting in the Group Policy Editor.
Group Policy Editor
Of course the benefit is that you can apply different settings to different organizational units so servers, user desktops and admin desktops can all have different settings that will be enforced. Remember, this policy is per machine so it will apply to your administrator desktops as well.
Now, when the policy is in place, users (and administrators) can’t override your script execution policy.
PowerShell execution policy overridden
In theory, this should also protect you from any future PowerShell-centric malware that might try alter your script execution policy.
As I mentioned before, this doesn’t prevent someone from copying and pasting the contents of a script into a PowerShell session, but at least they can’t simply run the script.
This policy also doesn’t have any effect on cmdlets, like Invoke-Command, that have a parameter to specify a script path. The machine running Invoke-Command should have a policy to allow script execution. But any remote machines can have restricted execution policies. When you specify a script from your machine, the script itself doesn’t run remotely, only the contents. Think of this as the equivalent of copying and pasting the script commands into a PowerShell session. The end result is that servers can be locked down yet you can still take advantage of PowerShell scripts.
One thing to be aware of is that if you are using a Group Policy to define a PowerShell logon, logoff or computer script, that script will disregard any execution policy set locally or through a GPO. These scripts execute with a Bypass execution policy. The assumption is that you have created the script, know what it does and have taken precautions to secure it.
I encourage you to test these Group Policy settings in a non-production environment so that you can fully understand the implications and how it might affect your PowerShell management practices.
Thank you. I prefer the UserPolicy level.
Thank you for this – very helpful and straightforward.
Hi Jeff.
Iam trying to set the executionpolicy to “remotesigned” throught the windows default GPO.
these are the scopes:
Scope ExecutionPolicy
MachinePolicy Unrestricted
UserPolicy RemoteSigned
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
But i cant find the setting for “machine policy” in the GPO?
When you configure GPO settings under this path, it will essentially be affective machine-wide:
Surender Kumar, have you actually tested that and know that it is true? In my testing, I can still change the execution policy for other scopes. Group policy appears to only change the Machine Policy from what I am seeing. Is there an updated ADMX that is needed?