Untitled

a guest
Mar 10th, 2011
The Restricted execution policy does not permit any scripts to run.
The AllSigned and RemoteSigned execution policies prevent Windows
PowerShell from running scripts that do not have a digital signature.

This topic explains how to run selected scripts that are not signed,
even while the execution policy is RemoteSigned, and how to sign
scripts for your own use.

For more information about Windows PowerShell execution policies,
see about_Execution_Policy.


TO PERMIT SIGNED SCRIPTS TO RUN
-------------------------------
When you start Windows PowerShell on a computer for the first time, the
Restricted execution policy (the default) is likely to be in effect.

The Restricted policy does not permit any scripts to run.

To find the effective execution policy on your computer, type:

get-executionpolicy

To run unsigned scripts that you write on your local computer and signed
scripts from other users, use the following command to change the execution
policy on the computer to RemoteSigned:

set-executionpolicy remotesigned

For more information, see Set-ExecutionPolicy.


RUNNING UNSIGNED SCRIPTS (REMOTESIGNED EXECUTION POLICY)
--------------------------------------------------------
If your Windows PowerShell execution policy is RemoteSigned, Windows
PowerShell will not run unsigned scripts that are downloaded from the
Internet, including unsigned scripts you receive through e-mail and instant
messaging programs.

If you try to run a downloaded script, Windows PowerShell displays the
following error message:

The file <file-name> cannot be loaded. The file
<file-name> is not digitally signed. The script
will not execute on the system. Please see "Get-Help
about_signing" for more details.

Before you run the script, review the code to be sure that you trust it.
Scripts have the same effect as any executable program.

To run an unsigned script:

1. Save the script file on your computer.
2. Click Start, click My Computer, and locate the saved script file.
3. Right-click the script file, and then click Properties.
4. Click Unblock.

If a script that was downloaded from the Internet is digitally signed, but
you have not yet chosen to trust its publisher, Windows PowerShell displays
the following message:

Do you want to run software from this untrusted publisher?
The file <file-name> is published by CN=<publisher-name>. This
publisher is not trusted on your system. Only run scripts
from trusted publishers.

[V] Never run [D] Do not run [R] Run once [A] Always run
[?] Help (default is "D"):

If you trust the publisher, select "Run once" or "Always run."
If you do not trust the publisher, select either "Never run" or
"Do not run." If you select "Never run" or "Always run," Windows
PowerShell will not prompt you again for this publisher.


METHODS OF SIGNING SCRIPTS
--------------------------
You can sign the scripts that you write and the scripts that you obtain
from other sources. Before you sign any script, examine each command
to verify that it is safe to run.

For best practices about code signing, see "Code-Signing
Best Practices" at http://go.microsoft.com/fwlink/?LinkId=119096.

For more information about how to sign a script file, see
Set-AuthenticodeSignature.

To add a digital signature to a script, you must sign it with a code
signing certificate. Two types of certificates are suitable for signing
a script file:

-- Certificates that are created by a certification authority:

For a fee, a public certificate authority verifies your
identity and gives you a code signing certificate. When
you purchase your certificate from a reputable certification
authority, you are able to share your script with users
on other computers that are running Windows because those other
computers trust the certification authority.

-- Certificates that you create:

You can create a self-signed certificate for which
your computer is the authority that creates the certificate.
This certificate is free of charge and enables you to write,
sign, and run scripts on your computer. However, a script
signed by a self-signed certificate will not run on other
computers.

Typically, you would use a self-signed certificate only to sign
scripts that you write for your own use and to sign scripts that you get
from other sources that you have verified to be safe. It is not
appropriate for scripts that will be shared, even within an enterprise.

If you create a self-signed certificate, be sure to enable strong
private key protection on your certificate. This prevents malicious
programs from signing scripts on your behalf. The instructions are
included at the end of this topic.


CREATE A SELF-SIGNED CERTIFICATE
--------------------------------
To create a self-signed certificate, use the Certificate Creation
tool (MakeCert.exe). This tool is included in the Microsoft .NET Framework
SDK (versions 1.1 and later) and in the Microsoft Windows SDK.

For more information about the syntax and the parameter descriptions of the
MakeCert.exe tool, see "Certificate Creation Tool (MakeCert.exe)" in the
MSDN (Microsoft Developer Network) library at
http://go.microsoft.com/fwlink/?LinkId=119097.

To use the MakeCert.exe tool to create a certificate, run the following
commands in an SDK Command Prompt window.

Note: The first command creates a local certification authority for
your computer. The second command generates a personal
certificate from the certification authority.

Note: You can copy or type the commands exactly as they appear.
No substitutions are necessary, although you can change the
certificate name.

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer `
-ss Root -sr localMachine

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
-eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer


The MakeCert.exe tool will prompt you for a private key password. The
password ensures that no one can use or access the certificate without
your consent. Create and enter a password that you can remember. You will
use this password later to retrieve the certificate.

To verify that the certificate was generated correctly, use the
following command to get the certificate in the certificate
store on the computer. (You will not find a certificate file in the
file system directory.)

At the Windows PowerShell prompt, type:

get-childitem cert:\CurrentUser\my -codesigning

This command uses the Windows PowerShell Certificate provider to view
information about the certificate.

If the certificate was created, the output shows the thumbprint
that identifies the certificate in a display that resembles the following:


Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint Subject
---------- -------
4D4917CB140714BA5B81B96E0B18AAF2C4564FDF CN=PowerShell User
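The same result, a self-signed code-signing certificate that the local user trusts, can be produced without MakeCert.exe on systems that ship the PKI module (Windows 10 / Windows Server 2016 and later is the assumption here). This is an added example, not part of the original topic; the subject name mirrors the makecert command above and the file path is illustrative.

```powershell
# Added example (not from the original topic): create a self-signed
# code-signing certificate with New-SelfSignedCertificate instead of makecert,
# then make the current user trust it so AllSigned accepts scripts it signs.
# Assumes the PKI module (Windows 10 / Server 2016 or later).

$subject = "CN=PowerShell User"   # same subject as the makecert example

# 1. Create the certificate in the current user's Personal (My) store.
#    -Type CodeSigningCert sets the Code Signing EKU 1.3.6.1.5.5.7.3.3,
#    the same OID that the makecert commands pass with -eku.
$cert = New-SelfSignedCertificate -Subject $subject `
            -Type CodeSigningCert `
            -CertStoreLocation Cert:\CurrentUser\My `
            -NotAfter (Get-Date).AddYears(1)

# 2. A self-signed certificate is its own root. Unlike the two-step makecert
#    procedure, nothing has put that root into a trust store yet, so export
#    the public part (no private key) and import it into the user's Root and
#    TrustedPublisher stores. Importing into Root shows a confirmation dialog.
#    Without this step Get-AuthenticodeSignature reports UnknownError
#    ("The signature of the certificate cannot be verified").
$publicCer = Join-Path $env:TEMP "PowerShellUser.cer"   # illustrative path
Export-Certificate -Cert $cert -FilePath $publicCer | Out-Null
Import-Certificate -FilePath $publicCer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $publicCer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
Remove-Item $publicCer

# 3. Verify, exactly as the topic does, that the Certificate provider's
#    -CodeSigning filter finds the certificate, and show when it expires.
Get-ChildItem Cert:\CurrentUser\My -CodeSigning |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

The private key created this way is not password protected; the "Enable strong private key protection" section at the end of this topic still applies.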


SIGN A SCRIPT
-------------

After you create a self-signed certificate, you can sign scripts. If you
use the AllSigned execution policy, signing a script permits you to run
the script on your computer.

The following sample script, Add-Signature.ps1, signs a script. However,
if you are using the AllSigned execution policy, you must sign the
Add-Signature.ps1 script before you run it.

To use this script, copy the following text into a text file, and
name it Add-Signature.ps1.

Note: Be sure that the script file does not have a .txt file name
extension. If your text editor appends ".txt", enclose the file name
in quotation marks: "add-signature.ps1".


## add-signature.ps1
## Signs a file with the first code-signing certificate in the
## current user's Personal store.
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
if ($cert -eq $null) { throw "No code-signing certificate found in cert:\CurrentUser\My." }
Set-AuthenticodeSignature $file $cert


To sign the Add-Signature.ps1 script file, type the following commands at
the Windows PowerShell command prompt:

$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Set-AuthenticodeSignature add-signature.ps1 $cert


After the script is signed, you can run it on the local computer.
However, the script will not run on computers on which the Windows
PowerShell execution policy requires a digital signature from a
trusted authority. If you try, Windows PowerShell displays the following
error message:

The file C:\remote_file.ps1 cannot be loaded. The signature of the
certificate cannot be verified.
At line:1 char:15
+ .\ remote_file.ps1 <<<<

If Windows PowerShell displays this message when you run a
script that you did not write, treat the file as you would treat any
unsigned script. Review the code to determine whether you can trust the
script.
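Before deciding which downloaded scripts to review and run, it helps to see at a glance which are unsigned, which carry a signature the machine cannot verify, and which have been edited after signing. The following audit function is an added example, not from the original topic; it assumes Windows PowerShell 3.0 or later and an illustrative folder path.

```powershell
# Added example (not from the original topic): report the Authenticode status
# of every .ps1 file under a folder. Get-AuthenticodeSignature performs the
# same check that the AllSigned and RemoteSigned policies apply at run time.
# Assumes PowerShell 3.0+ ([pscustomobject], Get-ChildItem -File).

function Test-ScriptSignature {
    param([Parameter(Mandatory=$true)][string] $Path)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Status values seen most often:
        #   Valid        - signed, chain ends in a trusted root, file unchanged
        #   NotSigned    - no signature block (the "not digitally signed" error)
        #   UnknownError - signed, but the chain is not trusted here; this is
        #                  what a self-signed certificate from another machine
        #                  produces ("signature of the certificate cannot be
        #                  verified")
        #   HashMismatch - signed, but the content was edited after signing
        $signer = ""
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status
            Signer      = $signer
            TimeStamped = [bool] $sig.TimeStamperCertificate
            Message     = $sig.StatusMessage
        }
    }
}

# Illustrative usage: anything that is not Valid needs the same review as an
# unsigned script before it is run or re-signed with your own certificate.
Test-ScriptSignature -Path "C:\Scripts\Downloads" |   # placeholder folder
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status |
    Format-Table Status, Signer, File -AutoSize
```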


ENABLE STRONG PRIVATE KEY PROTECTION FOR YOUR CERTIFICATE
---------------------------------------------------------

If you have a private certificate on your computer, malicious
programs might be able to sign scripts on your behalf, which
authorizes Windows PowerShell to run them.

To prevent automated signing on your behalf, use Certificate
Manager (Certmgr.exe) to export your signing certificate to
a .pfx file. Certificate Manager is included in the Microsoft
.NET Framework SDK, the Microsoft Windows SDK, and in Internet
Explorer 5.0 and later versions.

To export the certificate:

1. Start Certificate Manager.

2. Select the certificate issued by PowerShell Local Certificate Root.

3. Click Export to start the Certificate Export Wizard.

4. Select "Yes, export the private key", and then click Next.

5. Select "Enable strong protection."

6. Type a password, and then type it again to confirm.

7. Type a file name that has the .pfx file name extension.

8. Click Finish.


To re-import the certificate:

1. Start Certificate Manager.

2. Click Import to start the Certificate Import Wizard.

3. Browse to the location of the .pfx file that you created during the
export process.

4. On the Password page, select "Enable strong private key protection",
and then enter the password that you assigned during the export
process.

5. Select the Personal certificate store.

6. Click Finish.



PREVENT THE SIGNATURE FROM EXPIRING
-----------------------------------
The digital signature in a script is valid until the signing certificate
expires or as long as a time stamp server can verify that the script was
signed while the signing certificate was valid.

Because most signing certificates are valid for one year only, using a
time stamp server ensures that users can use your script for many years
to come.
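The time stamp is requested with the -TimestampServer parameter of Set-AuthenticodeSignature, and its presence can be confirmed afterwards through the TimeStamperCertificate property of the signature. This is an added example, not from the original topic; the script path and the time stamp server URL are placeholders (use the Authenticode time stamp service your certificate vendor documents).

```powershell
# Added example (not from the original topic): sign a script with a time stamp
# so the signature outlives the certificate's validity period, then confirm
# the time stamp was recorded. Path and server URL are placeholders.

$script   = "C:\Scripts\Deploy.ps1"              # placeholder
$tsServer = "http://timestamp.example.invalid"   # placeholder, not a real service

# Same certificate selection as Add-Signature.ps1 in this topic.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigning)[0]
if (-not $cert) { throw "No code-signing certificate in Cert:\CurrentUser\My." }

# -TimestampServer has the service countersign the signature with the current
# time, so later verification checks the certificate against the signing
# date rather than today. -IncludeChain All embeds the issuing chain so a
# relying machine only needs the root in its trust store.
$result = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
              -TimestampServer $tsServer -IncludeChain All

if ($result.Status -ne 'Valid') {
    # UnknownError here usually means the root is not trusted on this machine
    # (see "Sign a script" above); the file is still signed.
    Write-Warning ("Signature status: {0} - {1}" -f $result.Status, $result.StatusMessage)
}

# Re-read the signature from the file. With a time stamp, TimeStamperCertificate
# is populated and the signature stays valid after $cert.NotAfter; without one,
# the signature becomes invalid on that date.
$sig = Get-AuthenticodeSignature -FilePath $script
"Signer expires : " + $sig.SignerCertificate.NotAfter
"Time stamped   : " + ($null -ne $sig.TimeStamperCertificate)
if ($sig.TimeStamperCertificate) {
    "Time stamper   : " + $sig.TimeStamperCertificate.Subject
}
```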