Share via


Set-ExecutionPolicy

Applies To: Windows PowerShell 2.0

Changes the user preference for the Windows PowerShell execution policy.

Syntax

Set-ExecutionPolicy [-ExecutionPolicy] {<Unrestricted> | <RemoteSigned> | <AllSigned> | <Restricted> | <Default> | <Bypass> | <Undefined>} [[-Scope] {<Process> | <CurrentUser> | <LocalMachine> | <UserPolicy> | <MachinePolicy>}] [-Force] [-Confirm] [-WhatIf] [<CommonParameters>]

Description

The Set-ExecutionPolicy cmdlet changes the user preference for the Windows PowerShell execution policy.

The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run. For more information, see about_Execution_Policies.

NOTE: In Windows Vista, Windows Server 2008, and later versions of Windows, to change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the "Run as administrator" option.

Parameters

-ExecutionPolicy <ExecutionPolicy>

Specifies the new execution policy. Valid values are:

-- Restricted: Does not load configuration files or run scripts. "Restricted" is the default execution policy.

-- AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.

-- RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.

-- Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

-- Bypass: Nothing is blocked and there are no warnings or prompts.

-- Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.

Required?

true

Position?

1

Default Value

Accept Pipeline Input?

true (ByValue)

Accept Wildcard Characters?

false

-Force

Suppresses all prompts. By default, Set-ExecutionPolicy displays a warning whenever you change the execution policy.

Required?

false

Position?

named

Default Value

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Scope <ExecutionPolicyScope>

Specifies the scope of the execution policy. The default is LocalMachine.

Valid values are:

-- Process: The execution policy affects only the current Windows PowerShell process.

-- CurrentUser: The execution policy affects only the current user.

-- LocalMachine: The execution policy affects all users of the computer.

To remove an execution policy from a particular scope, set the execution policy for that scope to Undefined.

When the value of Scope is Process, the execution policy is saved in the PSExecutionPolicyPreference environment variable ($env:PSExecutionPolicyPreference), instead of the registry, and the variable is deleted when the process is closed. You cannot change the execution policy of the process by editing the variable.

Required?

false

Position?

2

Default Value

LocalMachine

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before executing the command.

Required?

false

Position?

named

Default Value

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required?

false

Position?

named

Default Value

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This command supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable. For more information, see about_CommonParameters.

Inputs and Outputs

The input type is the type of the objects that you can pipe to the cmdlet. The return type is the type of the objects that the cmdlet returns.

Inputs

Microsoft.PowerShell.ExecutionPolicy, System.String

You can pipe an execution policy object or a string that contains the name of an execution policy to Set-ExecutionPolicy.

Outputs

None

This cmdlet does not return any output.

Notes

When you use Set-ExecutionPolicy in any scope other than Process, the new user preference is saved in the registry and remains unchanged until you change it. When the value of the Scope parameter is Process, the user preference is stored in the PSExecutionPolicyPreference environment variable ($env:PSExecutionPolicyPreference), instead of the registry, and it is deleted when the session in which it is effective is closed.

If the "Turn on Script Execution" Group Policy is enabled for the computer or user, the user preference is saved, but it is not effective, and Windows PowerShell displays a message explaining the conflict. You cannot use Set-ExecutionPolicy to override a Group Policy, even if the user preference is more restrictive than the policy.

Example 1

C:\PS>set-executionpolicy remotesigned

Description
-----------
This command sets the user preference for the shell execution policy to RemoteSigned.





Example 2

C:\PS>Set-ExecutionPolicy Restricted

Set-ExecutionPolicy : Windows PowerShell updated your local preference successfully, but the setting is overridden by the group policy applied to your system. Due to the override, your shell will retain its current effective execution policy of "AllSigned". Contact your group policy administrator for more information.
At line:1 char:20
+ set-executionpolicy  <<<< restricted

Description
-----------
This command attempts to set the execution policy for the shell to "Restricted." The "Restricted" setting is written to the registry, but because it conflicts with a Group Policy, it is not effective, even though it is more restrictive than the policy.





Example 3

C:\PS>invoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force

Description
-----------
This command gets the execution policy from a remote computer and applies that execution policy to the local computer.

The command uses the Invoke-Command cmdlet to send the command to the remote computer. Because you can pipe an ExecutionPolicy (Microsoft.PowerShell.ExecutionPolicy) object to Set-ExecutionPolicy, the Set-ExecutionPolicy command does not need an ExecutionPolicy parameter.

The command does have a Force parameter, which suppresses the user prompt.





Example 4

C:\PS>set-executionpolicy -scope CurrentUser -executionPolicy AllSigned -force

C:\PS> get-executionpolicy -list

        Scope   ExecutionPolicy
        -----   ---------------
MachinePolicy         Undefined
   UserPolicy         Undefined
      Process         Undefined
  CurrentUser         AllSigned
 LocalMachine      RemoteSigned

C:\PS> get-executionpolicy
AllSigned

Description
-----------
This example shows how to set an execution policy for a particular scope.

The first command uses the Set-ExecutionPolicy cmdlet to set an execution policy of AllSigned for the current user. It uses the Force parameter to suppress the user prompts.

The second command uses the List parameter of Get-ExecutionPolicy to get the execution policies set in each scope. The results show that the execution policy that is set for the current user differs from the execution policy set for all users of the computer. 

The third command uses the Get-ExecutionPolicy cmdlet without parameters to get the effective execution policy for the current user on the local computer. The result confirms that the execution policy that is set for the current user takes precedence over the one set for all users.





Example 5

C:\PS>set-executionpolicy -scope CurrentUser -executionPolicy Undefined

Description
-----------
This command uses an execution policy value of Undefined to effectively remove the execution policy that is set for the current user scope. As a result, the execution policy that is set in Group Policy or in the LocalMachine (all users) scope is effective.

If you set the execution policy in all scopes to Undefined and the Group Policy is not set, the default execution policy, Restricted, is effective for all users of the computer.





Example 6

C:\PS>set-executionpolicy -scope Process -executionpolicy AllSigned

Description
-----------
This command sets an execution policy of AllSigned for only the current Windows PowerShell session. This execution policy is saved in the PSExecutionPolicyPreference environment variable ($env:PSExecutionPolicyPreference), so it does not affect the value in the registry. The variable and its value are deleted when the current session is closed.





See Also

Concepts

Get-ExecutionPolicy
Set-AuthenticodeSignature
Get-AuthenticodeSignature
about_Execution_Policies
about_Signing