477

When I try to execute my PowerShell script I get this error:

File C:\Common\Scripts\hello.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
At line:1 char:13
+ .\hello.ps1 <<<<
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

Pavel Chuchuva
  • 11,769
  • 5
  • 22
  • 24
  • 1
    I know this thread is dated but a couple of guys from the community wrote a couple of posts that go into this answer in depth here. https://adamtheautomator.com/run-powershell-script/ – Adam Bertram Jan 12 '21 at 20:50

15 Answers15

660

  1. Start Windows PowerShell with the "Run as Administrator" option. Only members of the Administrators group on the computer can change the execution policy.

  2. Enable running unsigned scripts by entering:

    set-executionpolicy remotesigned

This will allow running unsigned scripts that you write on your local computer and signed scripts from Internet.

See also Running Scripts at Microsoft TechNet Library.

Pavel Chuchuva
  • 11,769
  • 5
  • 22
  • 24
  • 5
    Will this change the policy permanently or do I have to do this every time I restart my computer? – Ray Jan 14 '17 at 18:11
  • 5
    @Ray This will change the policy permanently. – Pavel Chuchuva Jan 14 '17 at 22:15
  • 2
    @Ray See [the documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy). By default, it sets it for the `LocalMachine`. To set for other scopes (`CurrentUser` or `Process`), pass `-Scope` explicitly. – jpmc26 Jul 17 '18 at 18:38
  • @PavelChuchuva should I add this line on top of my script you meant – FabioSpaghetti Jul 16 '19 at 10:14
  • @FabioSpaghetti No need to add anything to your scripts. Just execute that command once by following the steps. – Pavel Chuchuva Jul 17 '19 at 03:21
  • @Pavel where? In cmd prompt? – FabioSpaghetti Jul 17 '19 at 04:37
  • @FabioSpaghetti Yes or in a PowerShell console – TylerH Sep 24 '19 at 19:42
  • 5
    I would mention you need to do that two times, in normal power shell, and once more in `Windows PowerShell (x86)` It’s very unexpected but the 2 have different set of policies. – Soonts Oct 29 '19 at 23:30
  • 9
    I hate that there's like 15 answers like this, or whatever. This is a very dangerous and generally speaking undesirable thing to ever do. Add something like `-Scope Process` at the end, so that it doesn't change execution policy globally and permanently. Have it be the current session, that's good enough. Even if someone uses this a lot and doesn't remember the command, bookmark the answer - don't change the policy for everyone and forever. – Kalec Jun 17 '21 at 13:50
140

The Default Execution Policy is set to restricted, you can see it by running Get-ExecutionPolicy:

Get-ExecutionPolicy

Run Set-ExecutionPolicy like this to switch to the unrestricted mode:

Set-ExecutionPolicy unrestricted
Cristian Ciupitu
  • 5,513
  • 2
  • 37
  • 47
William Hilsum
  • 116,650
  • 19
  • 182
  • 266
  • 18
    The requiring signing make sense if you expect the user to copy&paste malicious scripts from the internet. If you assume the user isn't stupid, then "remotesigned" doesn't add any security and makes life difficult. – Guss Nov 11 '12 at 10:41
  • 1
    @Guss: On testing this I found that RemoteSigned no longer requires locally generated .ps1 files to be signed, and it treats git source control as a local source. – Joshua Jun 11 '19 at 21:14
  • 1
    @Joshua - yes, my point exactly. If `RemoteSigned` doesn't block copy & paste, doesn't block git or other non-IE download methods, then what is it good for? Say it with me: "absolutely nothing!". I think requiring scripts to be signed with $100 code signing certificate is useless, stupid and negates all the good that a decent scripting language can do for Windows. That being said, if the way forward is to get users to understand what they're doing in order to use PS scripts, then we may be on too sth... Nahhhh, that will never work ;-) – Guss Jun 11 '19 at 23:23
  • 1
    @Guss: I already got a good scripting language on Windows. Cygwin works great on Windows 10; like literally so much better than it's been on any prior version of Windows. I only ever want to run scrips somebody else already wrote. – Joshua Jun 11 '19 at 23:36
95

On my machine that I use to dev scripts, I will use -unrestricted as above. When deploying my scripts however, to an end user machine, I will just call powershell with the -executionpolicy switch:

powershell.exe -noprofile -executionpolicy bypass -file .\script.ps1
MDMoore313
  • 5,956
  • 1
  • 27
  • 31
35

We can get the status of current ExecutionPolicy by the command below:

Get-ExecutionPolicy;

By default it is Restricted. To allow the execution of PowerShell Scripts we need to set this ExecutionPolicy either as Bypass or Unrestricted.

We can set the policy for Current User as Bypass or Unrestricted by using any of the below PowerShell command:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force;

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;

Unrestricted policy loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

Whereas in Bypass policy, nothing is blocked and there are no warnings or prompts during script execution. Bypass ExecutionPolicy is more relaxed than Unrestricted.

Pratik Patil
  • 449
  • 4
  • 5
10

Depending on the Windows version and configuration, you may have the following warning, even in Unrestricted mode:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this
script can potentially harm your computer. If you trust this script, use the 
Unblock-File cmdlet to allow the script to run without this warning message. 
Do you want to run?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D")

The solution is to use the "bypass" policy, enabled with the following command: 

Set-ExecutionPolicy Bypass

From the documentation:

Bypass: Nothing is blocked and there are no warnings or prompts.

This is obviously insecure, please understand the risks involved.

Benoit Blanchon
  • 295
  • 3
  • 8
  • this was the only way I was able to get my script to run in a WINE environment with powershell 2.0. Thank you. – Wyatt Ward Oct 25 '16 at 01:39
  • @Wyatt8740: Because wine presents all drives as network drives. – Joshua Jun 11 '19 at 23:37
  • @Joshua I had no idea. can you give me a source for that statement? i tried a casual google, but I obviously am looking wrong. – Wyatt Ward Jun 12 '19 at 08:25
  • @Wyatt8740: Source: Wine OpenFileName common dialog box. Look a the drive icons. – Joshua Jun 12 '19 at 14:59
  • @Joshua I meant a source code source; icons are possibly arbitrary. But I'd not thought of that; I guess that's a good place to start (edit: [doesn't look like they are here](https://i.imgur.com/r38hMUG.png).) – Wyatt Ward Jun 12 '19 at 18:38
  • @Wyatt8740: It's actually configurable with network being the default (or at least at one time), to minimize compatibility problems. Software that actually checks drive type behaves the best when it gets network back. I had to look it up once to tell it the CD drive was another type. – Joshua Jun 12 '19 at 18:42
  • @Joshua everything except for one drive that I explicitly set to CD-ROM is set to autodetect. Still not seeing [anything](https://i.imgur.com/weZJPHA.png) suggesting network. – Wyatt Ward Jun 12 '19 at 18:46
  • A warning prompt is not a security boundary. Having permissions is the security boundary. If i'm an Administrator then i can administrate. Warning prompts and hoops are a safety mechanism (like a cover over the eject button in an airplane). Disabling all warning prompts in PowerShell does not make anything insecure; it is still completely secure. – Ian Boyd Apr 30 '20 at 04:43
6

A .reg file with: 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell]
"EnableScripts"=dword:00000001 "ExecutionPolicy"="Bypass"

and:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell]
"EnableScripts"=dword:00000001 "ExecutionPolicy"="Unrestricted"

works indeed too.

Community
  • 1
Giesbert Schipper
  • 61
  • 1
  • 1
2

For some reason the PowerShell cmdlet did not enable local execution globally, just for the local user context. If I tried to start a Powershell script from inside CygWin's bash prompt, for example, which runs under its own user context, it would not run, giving the "is not digitally signed" error. The answer was to go into the Local Group Policy Editor -> Local Computer Policy -> Administrative Templates -> Windows Components -> Windows PowerShell and double-click on 'Turn on Script Execution'. This then let me change it to 'Enabled' and then execution policy of "Allow local scripts and remote signed scripts" and have it work globally regardless of user context.

Eric Green
  • 21
  • 1
2

The accepted answer is right, but the policy modification is only available for the currently running instance of the Powershell, meaning once the instance of the Powershell is shut down. The policy will be reset. If a user reopens another instance of Powershell, the default policy will be applied which is Restricted

For me, I need to use the VisualStudio Code console and g++ from cygwin to build things. The console is using Powershell, with the default policy, nothing can be done. One solution is changing the policy everytime the console is fired in VisualStudio Code console, maybe a script of changing the policy.

I am lazy, so another solution is when I run the Powershell in admin mode, similar to what the accepted answer does. but with an extra parameter which changes values in the Registry table. Once it been done. Other instances of Powershell will use the RemoteSigned policy by default.

set-executionpolicy remotesigned -Scope CurrentUser

r0ng
  • 825
  • 2
  • 7
  • 12
2

Setting the policy (correctly) is the best choice but on my managed systems I do not have the ability to change that policy.

For me, the simplest work-around to changing the policy is to open the script in the "PowerShell ISE", highlight the code (or part of the code) to execute and then click the "Run Selection" button (or use the F8 shortcut).

This is not the best solution & does little for automating tasks, but it does allow me the use & utility of PowerShell while not running afoul of my IS department.

DBADon
  • 473
  • 4
  • 11
0

  1. Open Start.

  2. Search for PowerShell, right-click the top-result and click the Run as administrator option.

  3. Type the following command to allow scripts to run and press Enter:

    Set-ExecutionPolicy RemoteSigned

  4. Type A and press Enter (if applicable).

  5. Type the following command to run the script and press Enter:

    & "C:\PATH\TO\SCRIPT\first_script.ps1"

    In the above command, make sure to change "PATH\TO\SCRIPT" to the location of your script.

After you complete the steps, the script will run, and if it was crafted correctly, you should see its output without issues.

phuclv
  • 26,555
  • 15
  • 113
  • 235
Arijit D
  • 1
0

Just one note:

Do not use PowerShell ISE to run set-executionpolicy remotesigned command as a script. It doesn't work in my case.

Run it in elevated PowerShell - Please follow step-by-step recommendation provided by Pavel Chuchuva.

Proxyma
  • 1
  • 2
0

If you downloaded the .ps1 from the internet right click properties might have an unblock button on it, just click that.

colin lamarre
  • 257
  • 1
  • 3
  • 8
0

On my local machine, I solved by setting the execution policy to Bypass.

  1. Start Windows PowerShell with the "Run as Administrator" option. Only members of the Administrators group on the computer can change the execution policy.

  2. Enable running unsigned scripts by entering:

    set-executionpolicy Bypass

    (type A and press Enter to accept all questions).

Starnuto di topo
  • 582
  • 1
  • 5
  • 17
0

I don't know if anyone has carefully tried and tested this or not, but even in latest updates of Windows 10 (11 could be too, but not tried), if you run these lines in the exact given order then you can easily set the ExecutionPolicy to your liking.

Open Powershell with Admin elevation(Run As Administrator) and run these lines one by one but all 3 in the exact given order is must:

powershell "Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force"
powershell "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force"
powershell "Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force"

And after that, not only the current Powershell Window, but even newly opened Powershell windows by any User would be able to run .ps1 scripts.

Let me know in comments if any issues.

Vicky Dev
  • 442
  • 1
  • 6
  • 23
-2

The reason that the reg key works, is because it is doing exactly what the PS commands do. The commands write the changes to the reg keys. Commands are much quicker and easier than creating a reg key or digging into the registry.

keith
  • 1
  • 3
    That is just wrong: the keys that were mentioned in other answers change the powershells execution policy, which then enables the powershell script to run. – Patrick R. Apr 05 '18 at 14:04