How is PowerShell's RemoteSigned execution policy different from AllSigned?

  • I'm still pretty new to PowerShell, and recently read this in a blog posting about creating and using PowerShell scripts.

    To prevent the execution of malicious scripts, PowerShell enforces an execution policy. By default, the execution policy is set to Restricted, which means that PowerShell scripts will not run. You can determine the current execution policy by using the following cmdlet:

    Get-ExecutionPolicy

    The execution policies you can use are:

    • Restricted - Scripts won’t run.
    • RemoteSigned - Scripts created locally will run, but those downloaded from the Internet will not (unless they are digitally signed by a trusted publisher).
    • AllSigned - Scripts will run only if they have been signed by a trusted publisher.
    • Unrestricted - Scripts will run regardless of where they have come from and whether they are signed.

    You can set PowerShell’s execution policy by using the following cmdlet:

    Set-ExecutionPolicy <policy name>

    To me, the notation of "unless they are digitally signed by a trusted publisher" in the description of Remote Signed seems to imply that it operates the same as AllSigned. Is there a difference I'm missing somewhere?

    Interestingly on this one, there's a good Defcon presentation here that has some interesting thoughts on bypassing execution policy restrictions.

  • Jaykul (correct answer, 10 years ago)

    Obviously AllSigned requires all modules/snapins and scripts to be code-signed. RemoteSigned only requires signing for remote files. What are remote files?

    The canonical answer is on the PowerShell blog: http://blogs.msdn.com/b/powershell/archive/2007/03/07/how-does-the-remotesigned-execution-policy-work.aspx

    But the bottom line is: RemoteSigned only requires code-signing on modules/snapins and scripts which are flagged as from the "Internet" zone in the 'Zone.Identifier' alternate data stream, unless you have "Internet Explorer Enhanced Security" activated, in which case it also includes "Intranet" flagged files and UNC paths.

    Note that this setting can also be exposed in the File Properties dialog, as shown in this post in the Microsoft forum.

    Sort of. The file properties dialog can show you whether a file is marked with Zone.Identifier; it doesn't show you the Execution Policy, nor does it allow you to change the effect on UNC paths...
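To make the distinction concrete, here is an added audit script (not from the thread or from Microsoft) that reads each script's Zone.Identifier stream and Authenticode status and reports whether RemoteSigned or AllSigned would let it run. The function name and the outcome logic are this example's own; it models only the default RemoteSigned rule (Internet-zone files need a valid signature) and not the IE Enhanced Security case for Intranet/UNC files that the answer mentions.

```powershell
# Added example: audit .ps1 files for Mark-of-the-Web and signature status,
# and predict the outcome under RemoteSigned vs AllSigned.
# Assumptions: NTFS volume (the Zone.Identifier alternate data stream only
# exists there); standard ZoneId values 0-4; a "trusted publisher" is modelled
# as Get-AuthenticodeSignature returning Status 'Valid'.
function Get-ScriptPolicyOutcome {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    foreach ($file in (Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File)) {
        # Read the Zone.Identifier ADS; a missing stream means "no Mark-of-the-Web".
        $zoneId = $null
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in @($ads)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signedByTrusted = ($sig.Status -eq 'Valid')
        # Internet (3) and Restricted (4) zones are the "remote" files RemoteSigned cares about.
        $isRemote = ($null -ne $zoneId -and $zoneId -ge 3)

        if ($null -ne $zoneId) { $zoneLabel = $zoneNames[$zoneId] } else { $zoneLabel = 'none (no MotW)' }
        if (-not $isRemote -or $signedByTrusted) { $remoteSigned = 'runs' } else { $remoteSigned = 'blocked' }
        if ($signedByTrusted) { $allSigned = 'runs' } else { $allSigned = 'blocked' }

        [pscustomobject]@{
            File         = $file.FullName
            Zone         = $zoneLabel
            Signature    = $sig.Status
            RemoteSigned = $remoteSigned
            AllSigned    = $allSigned
        }
    }
}

# Example run against the current user's Downloads folder (constructed path):
Get-ScriptPolicyOutcome -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

After reviewing a downloaded script, `Unblock-File` removes the Zone.Identifier stream, which is the supported way to let it run under RemoteSigned without changing the policy.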

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM