
I'm still pretty new to PowerShell, and recently read this in a blog posting about creating and using PowerShell scripts.

To prevent the execution of malicious scripts, PowerShell enforces an execution policy. By default, the execution policy is set to Restricted, which means that PowerShell scripts will not run. You can determine the current execution policy by using the following cmdlet:

Get-ExecutionPolicy

The execution policies you can use are:

  • Restricted - Scripts won’t run.
  • RemoteSigned - Scripts created locally will run, but those downloaded from the Internet will not (unless they are digitally signed by a trusted publisher).
  • AllSigned - Scripts will run only if they have been signed by a trusted publisher.
  • Unrestricted - Scripts will run regardless of where they have come from and whether they are signed.

You can set PowerShell’s execution policy by using the following cmdlet:

Set-ExecutionPolicy <policy name>

To me, the notation of "unless they are digitally signed by a trusted publisher" in the description of Remote Signed seems to imply that it operates the same as AllSigned. Is there a difference I'm missing somewhere?

Iszi
    Interestingly on this one, there's a good Defcon presentation, [here](http://www.secmaniac.com/august-2010/powershell_omfg/) that has some interesting thoughts on bypassing execution policy restrictions. – Rory McCune Jan 22 '11 at 10:08

2 Answers


Obviously AllSigned requires all modules/snapins and scripts to be code-signed. RemoteSigned only requires signing for remote files. What are remote files?

The canonical answer is on the PowerShell blog: Link

But the bottom line is: RemoteSigned only requires code-signing on modules/snapins and scripts which are flagged as from the "Internet" zone in the 'Zone.Identifier' alternate data stream, unless you have "Internet Explorer Enhanced Security" activated, in which case it also includes "Intranet" flagged files and UNC paths.

Glorfindel
Jaykul
  • Note that this setting can also be exposed in File Properties dialog, as shown in [this post in Microsoft forum](https://social.technet.microsoft.com/Forums/ie/en-US/06d3fe24-9bc7-41a5-b551-57a10e813d07/execution-policy-remotesigned-how-does-powershell-know-if-i-downloaded-the-script#f59d9b5f-6560-490f-a4df-ee9d284c600e). – Franklin Yu Sep 17 '18 at 21:49
  • Sort-of. The file properties dialog can show you whether a file is marked with Zone.Identifier -- it doesn't show you the Execution Policy, nor does it allow you to change the effect on UNC paths... – Jaykul Sep 18 '18 at 01:27
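The behaviour described in the question's policy list and in the answer above, shown end to end as an added example (this is not code from the original post or its author): the same unsigned script is run under RemoteSigned as a plain local file, then after being stamped with the Zone.Identifier alternate data stream a browser would write on download, then after Unblock-File, and finally under AllSigned. The script path, the `Invoke-Demo` helper and the use of `ZoneId=3` are assumptions made for illustration; the stream layout (`[ZoneTransfer]` / `ZoneId=`) is the format Windows uses.

```powershell
# Added example (not from the original post or its author): shows how RemoteSigned
# decides whether a script is "remote" by reading the Zone.Identifier alternate data
# stream, and how AllSigned refuses the same unsigned script regardless of origin.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, an NTFS volume
# (alternate data streams need NTFS), and no Group Policy that overrides the
# Process scope. Paste into an interactive console rather than saving as a .ps1,
# because the policy switch to AllSigned would otherwise block the demo itself.

# Policy changes below use -Scope Process so they affect only this session and
# need no administrative rights; the original Process-scope value is restored at the end.
$originalPolicy = Get-ExecutionPolicy -Scope Process

# A throwaway unsigned script; its content is constructed for this demo.
$script = Join-Path $env:TEMP 'remotesigned-demo.ps1'
Set-Content -Path $script -Value "'hello from ' + `$PSCommandPath"

# Runs the script and reports whether the execution policy let it load.
function Invoke-Demo {
    param([string]$Label)
    try {
        $out = & $script
        "{0}: RAN -> {1}" -f $Label, $out
    } catch {
        # PowerShell raises a PSSecurityException with FullyQualifiedErrorId 'UnauthorizedAccess'
        "{0}: BLOCKED ({1})" -f $Label, $_.FullyQualifiedErrorId
    }
}

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 1. Local file, no Zone.Identifier stream: RemoteSigned treats it as local and runs it.
Invoke-Demo 'RemoteSigned, local file'

# 2. Mark the same file as if a browser had downloaded it. Browsers write
#    ZoneId=3 (Internet) into the Zone.Identifier stream (Untrusted is 4,
#    Intranet is 1). PowerShell reads this stream to decide "remote".
Set-Content -Path $script -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3')
Get-Content -Path $script -Stream Zone.Identifier      # shows the marker just written
Invoke-Demo 'RemoteSigned, ZoneId=3'                   # blocked: unsigned remote file

# 3. Unblock-File deletes the stream, after which the file counts as local again.
Unblock-File -Path $script
Invoke-Demo 'RemoteSigned, after Unblock-File'         # runs

# 4. AllSigned ignores origin entirely: the unsigned local file is refused as well.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
Invoke-Demo 'AllSigned, local file'                    # blocked
(Get-AuthenticodeSignature -FilePath $script).Status   # NotSigned

# Restore the session policy and clean up.
Set-ExecutionPolicy -ExecutionPolicy $originalPolicy -Scope Process -Force
Remove-Item -Path $script
```

The one case this does not show is a remote file that is signed by a trusted publisher, which RemoteSigned would run; demonstrating it needs a code-signing certificate that the machine already trusts. Note also that execution policy only governs how script files are loaded: it is a guard against running scripts by accident, not a security boundary, which is why the presentation linked in the comment under the question can bypass it.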

The difference being that RemoteSigned will run scripts locally that aren't signed, whereas AllSigned requires all scripts to be signed regardless of their origin.

Steve