six demon bag
Wind, fire, all that kind of thing!
2015-01-05
PowerShell Execution Policy Scopes
Sometimes when you try to change the PowerShell execution policy you'll get an error message that the setting was applied, but will be overridden by a setting in another scope:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of XXX. …
Execution policies can be defined in five different scopes, from LocalMachine
(least specific) to MachinePolicy
(most specific), where settings in more specific scopes take precedence over settings in less specific scopes. Use Get-ExecutionPolicy -List
to see which scope has which setting.
PS C:\> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser RemoteSigned
LocalMachine RemoteSigned
Setting a policy in a less specific scope will generate the abovementioned error if a policy in a more specific scope has been set before:
PS C:\> Set-ExecutionPolicy Restricted -Scope Process -Force
PS C:\> Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a more
specific scope. Due to the override, your shell will retain its current
effective execution policy of Restricted. Type "Get-ExecutionPolicy -List"
to view your execution policy settings. ...
PS C:\> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Restricted
CurrentUser Unrestricted
LocalMachine RemoteSigned
PS C:\> .\test.ps1
.\test.ps1 : File C:\test.ps1 cannot be loaded because running scripts is
disabled on this system. ...
PS C:\> Set-ExecutionPolicy Unestricted -Scope Process -Force
PS C:\> Set-ExecutionPolicy Restricted -Scope CurrentUser -Force
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a more
specific scope. Due to the override, your shell will retain its current
effective execution policy of Restricted. Type "Get-ExecutionPolicy -List"
to view your execution policy settings. ...
PS C:\> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Unrestricted
CurrentUser Restricted
LocalMachine RemoteSigned
PS C:\> .\test.ps1
Hello World!
As you can see, both settings were defined despite the error, but the setting in the more specific scope (Process
) still takes precedence, either preventing or allowing script execution.
Since the default scope is LocalMachine
an error from running the cmdlet without a specific scope could be caused by a setting in the CurrentUser
or Process
scope. However, a more common reason is that script execution was configured via a group policy (either local or domain).
A local group policy can be modified by a local administrator via gpedit.msc
(Local Group Policy Editor).
A domain group policy cannot be superseded by local settings/policies and must be changed by a domain admin via gpmc.msc
(Group Policy Management) on a domain controller.
For both local and domain policies the setting can be defined as a computer setting:
Computer Configuration
└─ Administrative Templates
└─ Windows Components
└─ Windows PowerShell → Turn on Script Execution
or as a user setting:
User Configuration
└─ Administrative Templates
└─ Windows Components
└─ Windows PowerShell → Turn on Script Execution
The former are applied to computer objects, whereas the latter are applied to user objects. For local polices there is no significant difference between user and computer policies, because user policies are automatically applied to all users on the computer.
A policy can have one of three states (or five states if you count the 3 settings available for the state Enabled separately):
- Not Configured: policy does not control PowerShell script execution.
- Enabled: allow PowerShell script execution.
- Allow only signed scripts: allow execution of signed scripts only (same as
Set-ExecutionPolicy AllSigned
). - Allow local scripts and remote signed scripts: allow execution of all local scripts (signed or not) and of signed scripts from remote locations (same as
Set-ExecutionPolicy RemoteSigned
). - Allow all scripts: allow execution of local and remote scripts regardless of whether they're signed or not (same as
Set-ExecutionPolicy Unrestricted
).
- Allow only signed scripts: allow execution of signed scripts only (same as
- Disabled: disallow PowerShell script execution (same as
Set-ExecutionPolicy Restricted
).
Changes made via Set-ExecutionPolicy
as well as settings defined via the -ExecutionPolicy
parameter of powershell.exe
only become effective when local and domain policies are set to Not Configured (execution policy Undefined
in the scopes MachinePolicy
and UserPolicy
).
Posted 22:46 [permalink]