Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closes #4005. Added info to Set-ExecutionPolicy for non-Windows platforms #4054

Merged
merged 5 commits into from
Mar 25, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view

Large diffs are not rendered by default.

186 changes: 117 additions & 69 deletions reference/3.0/Microsoft.PowerShell.Security/Get-ExecutionPolicy.md
Original file line number Diff line number Diff line change
@@ -1,120 +1,171 @@
---
ms.date: 06/09/2017
ms.date: 3/22/2019
schema: 2.0.0
locale: en-us
keywords: powershell,cmdlet
online version: http://go.microsoft.com/fwlink/?LinkID=113315
external help file: Microsoft.PowerShell.Security.dll-Help.xml
title: Get-ExecutionPolicy
---

# Get-ExecutionPolicy

## SYNOPSIS

Gets the execution policies for the current session.

## SYNTAX

### All

```
Get-ExecutionPolicy [[-Scope] <ExecutionPolicyScope>] [-List] [<CommonParameters>]
```

## DESCRIPTION

The **Get-ExecutionPolicy** cmdlet gets the execution policies for the current session.
To display the execution policies for each scope in the order of precedence, use
`Get-ExecutionPolicy -List`. To see the effective execution policy for your PowerShell session use
`Get-ExecutionPolicy` with no parameters.

The execution policy is determined by execution policies that you set by using Set-ExecutionPolicy and the Group Policy settings for the Windows PowerShell execution policy.
The default value is "Restricted."
The effective execution policy is determined by execution policies that are set by
`Set-ExecutionPolicy` and Group Policy settings.

Without parameters, **Get-ExecutionPolicy** gets the execution policy that is effective in the session.
You can use the **List** parameter to get all execution policies that affect the session or the Scope parameter to get the execution policy for a particular scope.

For more information, see about_Execution_Policies (http://go.microsoft.com/fwlink/?LinkID=135170).
For more information, see [about_Execution_Policies](../Microsoft.PowerShell.Core/about/about_Execution_Policies.md).

## EXAMPLES

### Example 1
### Example 1: Get all execution policies

This command displays the execution policies for each scope in the order of precedence.

```powershell
Get-ExecutionPolicy -List
```
PS> Get-ExecutionPolicy
Restricted

```Output
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser AllSigned
LocalMachine Undefined
```

This command gets the current execution policy for the computer.
The `Get-ExecutionPolicy` cmdlet uses the **List** parameter to display each scope's execution
policy.

### Example 2: Set an execution policy

### Example 2
This example shows how to set an execution policy for the local computer.

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-ExecutionPolicy -List
```
PS> Set-ExecutionPolicy RemoteSigned
PS> Get-ExecutionPolicy
RemoteSigned

```Output
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser AllSigned
LocalMachine RemoteSigned
```

These commands set a new user preference for the execution policy and then display the effective execution policy.
The commands are separated by a semicolon (;).
In this example, because there is no Group Policy setting, the user preference is the effective policy for the computer.
The `Set-ExecutionPolicy` cmdlet uses the **ExecutionPolicy** parameter to specify the
**RemoteSigned** policy. The **Scope** parameter specifies the default scope value,
**LocalMachine**. To view the execution policy settings, use the `Get-ExecutionPolicy` cmdlet with
the **List** parameter.

### Example 3: Get the effective execution policy

### Example 3
This example shows how to display the effective execution policy for a PowerShell session.

```
PS> Get-ExecutionPolicy -List

Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser AllSigned
LocalMachine RemoteSigned
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser AllSigned
LocalMachine RemoteSigned

PS> Get-ExecutionPolicy

AllSigned
```

These commands get all execution policies in the current session and the effective execution policy.
The `Get-ExecutionPolicy` cmdlet uses the **List** parameter to display each scope's execution
policy. The `Get-ExecutionPolicy` cmdlet is run without a parameter to display the effective
execution policy, **AllSigned**.

The first command gets all execution policies that affect the current session.
The policies are listed in precedence order.
### Example 4: Unblock a script to run it without changing the execution policy

The second command gets only the effective execution policy, which is the one set in the CurrentUser scope.
This example shows how the **RemoteSigned** execution policy prevents you from running unsigned
scripts.

### Example 4
A best practice is to read the script's code and verify it's safe **before** using the
`Unblock-File` cmdlet. The `Unblock-File` cmdlet unblocks scripts so they can run, but doesn't
change the execution policy.

```
The first command uses the **Get-ExecutionPolicy** cmdlet to get the effective execution policy in the current session.
PS> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

PS> Get-ExecutionPolicy

RemoteSigned

The second command shows what happens when you run a blocked script in a Windows PowerShell session in which the execution policy is **RemoteSigned**. The **RemoteSigned** policy prevents you from running scripts that are downloaded from the Internet unless they are digitally signed.
PS> .\Start-ActivityTracker.ps1

.\Start-ActivityTracker.ps1 : File .\Start-ActivityTracker.ps1 cannot be loaded. The file .\Start-ActivityTracker.ps1 is not digitally signed. The script will not execute on the system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
.\Start-ActivityTracker.ps1 : File .\Start-ActivityTracker.ps1 cannot be loaded.
The file .\Start-ActivityTracker.ps1 is not digitally signed.
The script will not execute on the system.
For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Start-ActivityTracker.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess

PS> Unblock-File -Path .\Start-ActivityTracker.ps1

The third command uses the Unblock-File cmdlet to unblock the script so it can run in the session.Before running an **Unblock-File** command, read the script contents and verify that it is safe.
PS> Unblock-File -Path Start-ActivityTracker.ps1

This command shows the effect of the **Unblock-File** command. The command does not change the execution policy. However, it unblocks the script so it will run in Windows PowerShell.
PS> Get-ExecutionPolicy

RemoteSigned
PS> Start-ActivityTracker.ps1

PS> .\Start-ActivityTracker.ps1

Task 1:
```

This example shows the effect of the **RemoteSigned** execution policy, which prevents you from running unsigned scripts that were downloaded from the Internet.
It also shows how to use the Unblock-File cmdlet to unblock scripts, so that you can run them without changing the execution policy.
The `Set-ExecutionPolicy` uses the **ExecutionPolicy** parameter to specify the **RemoteSigned**
policy. The policy is set for the default scope, **LocalMachine**.

The `Get-ExecutionPolicy` cmdlet shows that **RemoteSigned** is the effective execution policy for
the current PowerShell session.

The **Start-ActivityTracker.ps1** script is executed from the current directory. The script is
blocked by **RemoteSigned** because the script isn't digitally signed.

For this example, the script's code was reviewed and verified as safe to run. The `Unblock-File`
cmdlet uses the **Path** parameter to unblock the script.

To verify that `Unblock-File` didn't change the execution policy, `Get-ExecutionPolicy` displays the
effective execution policy, **RemoteSigned**.

The script, **Start-ActivityTracker.ps1** is executed from the current directory. The script begins
to run because it was unblocked by the `Unblock-File` cmdlet.

## PARAMETERS

### -List

Gets all execution policy values for the session listed in precedence order.
By default, **Get-ExecutionPolicy** gets only the effective execution policy.
Gets all execution policy values for the session listed in precedence order. By default,
`Get-ExecutionPolicy` gets only the effective execution policy.

```yaml
Type: SwitchParameter
Expand All @@ -130,62 +181,59 @@ Accept wildcard characters: False

### -Scope

Gets the execution policy in the specified scope.
By default, **Get-ExecutionPolicy** gets the effective execution policy for the current session.
Specifies the scope that is affected by an execution policy.

Valid values are:
The effective execution policy is determined by the order of precedence as follows:

- MachinePolicy: The execution policy set by a Group Policy for all users of the computer.
- UserPolicy: The execution policy set by a Group Policy for the current user of the computer.
- Process: The execution policy that is set for the current Windows PowerShell process.
- CurrentUser: The execution policy that is set for the current user.
- LocalMachine: The execution policy that is set for all users of the computer.
- **MachinePolicy**. Set by a Group Policy for all users of the computer.
- **UserPolicy**. Set by a Group Policy for the current user of the computer.
- **Process**. Affects only the current PowerShell session.
- **CurrentUser**. Affects only the current user.
- **LocalMachine**. Default scope that affects all users of the computer.

```yaml
Type: ExecutionPolicyScope
Parameter Sets: (All)
Aliases:
Accepted values: CurrentUser, LocalMachine, MachinePolicy, Process, UserPolicy

Required: False
Position: 1
Position: 0
Default value: Effective execution policy
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose,
-WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).

## INPUTS

### None

You cannot pipe input to this cmdlet.
`Get-ExecutionPolicy` doesn't accept input from the pipeline.

## OUTPUTS

### Microsoft.PowerShell.ExecutionPolicy

## NOTES

- The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run.
An execution policy is part of the PowerShell security strategy. Execution policies determine
whether you can load configuration files, such as your PowerShell profile, or run scripts. And,
whether scripts must be digitally signed before they are run.

The effective execution policy is determined by the policies that you set by using the Set-ExecutionPolicy cmdlet and the "Turn on Script Execution" group policies for computers and users.
The precedence order is Computer Group Policy \> User Group Policy \> Process (session) execution policy \> User execution policy \> Computer execution policy.
## RELATED LINKS

For more information about Windows PowerShell execution policy, including definitions of the Windows PowerShell policies, see about_Execution_Policies (http://go.microsoft.com/fwlink/?LinkID=135170).
[about_Execution_Policies](../Microsoft.PowerShell.Core/about/about_Execution_Policies.md)

## RELATED LINKS
[about_Group_Policy_Settings](../Microsoft.PowerShell.Core/About/about_Group_Policy_Settings.md)

[Get-AuthenticodeSignature](Get-AuthenticodeSignature.md)

[Set-AuthenticodeSignature](Set-AuthenticodeSignature.md)

[Set-ExecutionPolicy](Set-ExecutionPolicy.md)

[Unblock-File](../Microsoft.PowerShell.Utility/Unblock-File.md)

[about_Execution_Policies](../Microsoft.PowerShell.Core/About/about_Execution_Policies.md)

[about_Signing](../Microsoft.PowerShell.Core/About/about_Signing.md)
Loading