six demon bag

Wind, fire, all that kind of thing!

2015-01-05

PowerShell Execution Policy Scopes

Sometimes when you try to change the PowerShell execution policy you'll get an error message that the setting was applied, but will be overridden by a setting in another scope:

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of XXX. …

Execution policies can be defined in five different scopes, from LocalMachine (least specific) to MachinePolicy (most specific), where settings in more specific scopes take precedence over settings in less specific scopes. Use Get-ExecutionPolicy -List to see which scope has which setting.


PS C:\> Get-ExecutionPolicy -List

        Scope    ExecutionPolicy
        -----    ---------------
MachinePolicy          Undefined
   UserPolicy          Undefined
      Process          Undefined
  CurrentUser       RemoteSigned
 LocalMachine       RemoteSigned

Setting a policy in a less specific scope will generate the abovementioned error if a policy in a more specific scope has been set before:

PS C:\> Set-ExecutionPolicy Restricted -Scope Process -Force
PS C:\> Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a more
specific scope.  Due to the override, your shell will retain its current
effective execution policy of Restricted. Type "Get-ExecutionPolicy -List"
to view your execution policy settings. ...
PS C:\> Get-ExecutionPolicy -List

        Scope    ExecutionPolicy
        -----    ---------------
MachinePolicy          Undefined
   UserPolicy          Undefined
      Process         Restricted
  CurrentUser       Unrestricted
 LocalMachine       RemoteSigned

PS C:\> .\test.ps1
.\test.ps1 : File C:\test.ps1 cannot be loaded because running scripts is
disabled on this system. ...
PS C:\> Set-ExecutionPolicy Unestricted -Scope Process -Force
PS C:\> Set-ExecutionPolicy Restricted -Scope CurrentUser -Force
Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a more
specific scope.  Due to the override, your shell will retain its current
effective execution policy of Restricted. Type "Get-ExecutionPolicy -List"
to view your execution policy settings. ...
PS C:\> Get-ExecutionPolicy -List

        Scope    ExecutionPolicy
        -----    ---------------
MachinePolicy          Undefined
   UserPolicy          Undefined
      Process       Unrestricted
  CurrentUser         Restricted
 LocalMachine       RemoteSigned

PS C:\> .\test.ps1
Hello World!

As you can see, both settings were defined despite the error, but the setting in the more specific scope (Process) still takes precedence, either preventing or allowing script execution.

Since the default scope is LocalMachine an error from running the cmdlet without a specific scope could be caused by a setting in the CurrentUser or Process scope. However, a more common reason is that script execution was configured via a group policy (either local or domain).

A local group policy can be modified by a local administrator via gpedit.msc (Local Group Policy Editor).

A domain group policy cannot be superseded by local settings/policies and must be changed by a domain admin via gpmc.msc (Group Policy Management) on a domain controller.

For both local and domain policies the setting can be defined as a computer setting:

Computer Configuration
└─ Administrative Templates
   └─ Windows Components
      └─ Windows PowerShell → Turn on Script Execution

or as a user setting:

User Configuration
└─ Administrative Templates
   └─ Windows Components
      └─ Windows PowerShell → Turn on Script Execution

The former are applied to computer objects, whereas the latter are applied to user objects. For local polices there is no significant difference between user and computer policies, because user policies are automatically applied to all users on the computer.

A policy can have one of three states (or five states if you count the 3 settings available for the state Enabled separately):

  • Not Configured: policy does not control PowerShell script execution.
  • Enabled: allow PowerShell script execution.
    • Allow only signed scripts: allow execution of signed scripts only (same as Set-ExecutionPolicy AllSigned).
    • Allow local scripts and remote signed scripts: allow execution of all local scripts (signed or not) and of signed scripts from remote locations (same as Set-ExecutionPolicy RemoteSigned).
    • Allow all scripts: allow execution of local and remote scripts regardless of whether they're signed or not (same as Set-ExecutionPolicy Unrestricted).
  • Disabled: disallow PowerShell script execution (same as Set-ExecutionPolicy Restricted).

Changes made via Set-ExecutionPolicy as well as settings defined via the -ExecutionPolicy parameter of powershell.exe only become effective when local and domain policies are set to Not Configured (execution policy Undefined in the scopes MachinePolicy and UserPolicy).

Posted 22:46 [permalink]