Listing out the execution policies and setting a suitable one

There was a time when running scripts on Windows computers was a piece of cake. Windows computers were highly prone to remote script executions. With PowerShell, Microsoft added a safety belt that gave the user some control over how PowerShell scripts were loaded. Certain modes of script execution were restricted, which plugged some holes in the system.

It is important to remember that execution policies are not a security feature. There are ways to circumvent this fence and still run scripts. Execution policies are in place to ensure users don't accidentally run scripts without awareness.

PowerShell on Windows and Windows PowerShell contain the configuration. Running PowerShell scripts on Windows is still restricted by default. On PowerShell on Linux, this doesn't work at the moment, and based on the interactions in the community, it is uncertain whether this feature will make it to PowerShell on Linux.

An execution policy determines what type of execution of scripts is allowed. Here are the six execution policies (excluding Default):

  1. AllSigned
  2. RemoteSigned
  3. Restricted
  4. Unrestricted
  5. Bypass
  6. Undefined

There are three scopes as well:

  1. Process
  2. CurrentUser
  3. LocalMachine

The combination of an execution policy and a scope is what determines the conditions under which scripts can be loaded. Microsoft has documented in detail what each of the policies is. In general, AllSigned requires that all the scripts that run on the computer are signed using a code signing certificate issued by a trusted certification authority. If this policy is set, PowerShell will not run unsigned scripts even if you were the one to create them.

Restricted is the default policy: Commands can be run, but not scripts. RemoteSigned allows scripts created on your own computer to run. Scripts that are downloaded from the Internet cannot be run.

Bypass is similar to Unrestricted; however, it is used in specific scenarios, such as when PowerShell forms the basis of a certain application and the application has its own security implementation.

Unrestricted means that all scripts and commands can run after a simple confirmation. Undefined means that no policy has been defined for a particular scope. Let us try to understand the concepts using the following recipe.
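As an added example (not the book's own recipe), the following PowerShell lists the policy at every scope, marks which scope decides the effective policy, and then sets RemoteSigned for the current user. It assumes Windows; the function name `Get-ExecutionPolicyReport` is hypothetical, and the two Group Policy scopes (MachinePolicy, UserPolicy) that `Get-ExecutionPolicy -List` reports are in addition to the three scopes named above.

```powershell
# Added example: audit the execution policy per scope, then set a suitable one.
# Get-ExecutionPolicy -List returns scopes in precedence order:
# MachinePolicy, UserPolicy (Group Policy), Process, CurrentUser, LocalMachine.
function Get-ExecutionPolicyReport {   # hypothetical helper name
    $entries = Get-ExecutionPolicy -List

    # The first scope in precedence order that is not Undefined decides the result.
    $winner = $entries |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    foreach ($e in $entries) {
        [pscustomobject]@{
            Scope      = [string]$e.Scope
            Policy     = [string]$e.ExecutionPolicy
            # True only for the scope whose policy is actually in effect.
            Effective  = ($null -ne $winner -and $e.Scope -eq $winner.Scope)
            # Flag the policies that place no restriction on script loading.
            Permissive = ([string]$e.ExecutionPolicy -in 'Unrestricted', 'Bypass')
        }
    }
}

Get-ExecutionPolicyReport | Format-Table -AutoSize

# A policy delivered by Group Policy outranks anything set locally,
# so check for one before changing the CurrentUser scope.
$gpo = Get-ExecutionPolicy -List | Where-Object {
    [string]$_.Scope -in 'MachinePolicy', 'UserPolicy' -and
    [string]$_.ExecutionPolicy -ne 'Undefined'
}

if ($gpo) {
    Write-Warning ("Group Policy sets {0} at scope {1}; a local change will not take effect." -f
        $gpo[0].ExecutionPolicy, $gpo[0].Scope)
}
else {
    # CurrentUser scope does not require an elevated session.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# With no -Scope or -List, this returns the effective policy for the session.
Get-ExecutionPolicy
```

If every scope reports Undefined, no row is marked Effective and the built-in default applies.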
