Execution Policy and Downloaded Script Files

by Apr 3, 2018

When you download a file from the internet, it may be tagged by Windows (via NTFS stream), and PowerShell may refuse to execute it:

PS> & "$home\desktop\Rick.ps1"
& : File C:\Users\tobwe\desktop\Rick.ps1 cannot be loaded. The file C:\Users\tobwe\desktop\Rick.ps1 is not digitally signed. You cannot run this script on the 
current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at 
At line:1 char:3
+ & "$home\desktop\Rick.ps1"
+   ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess 

Typically, this occurs when your execution policy is either not set at all, or set to “RemoteSigned”. This is the recommended setting for average PowerShell users. This is how you enable the setting:

PS> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned  

When enabled, you can run any local script file or network file within your domain, but you can no longer run scripts that either are tagged as “downloads”, or scripts that reside on network locations that are not part of your domain.

To run blocked scripts, here are your choices:

  • Unblock the file, typically by opening its properties dialog, and clicking "Unblock"
  • Use Unblock-File
  • Copy the content to a new file
  • Set the execution policy to "Bypass"
  • Download the file with a browser that does not tag downloads, or with Invoke-WebRequest:
PS> Invoke-WebRequest -Uri "http://bit.ly/e0Mw9w" -UseBasicParsing -OutFile "$home\Desktop\Rick.ps1"

It is somewhat unexpected that Invoke-WebRequest does not tag downloaded files, which allows the execution policy to be bypassed.
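As an added example (not part of the original post), this script inspects the NTFS tag that makes PowerShell refuse the download, checks whether the script carries a valid Authenticode signature (which RemoteSigned would accept without unblocking), and only then removes the tag. The path is the one used above; everything else is assumed.

```powershell
# Added example: inspect the "Zone.Identifier" alternate data stream that marks a
# file as a download, then decide whether to unblock it. Path taken from the post above.
$path = "$home\Desktop\Rick.ps1"

# Effective execution policy per scope (CurrentUser is the one set in the post)
Get-ExecutionPolicy -List

# List the file's NTFS streams; ":$DATA" is the normal content, "Zone.Identifier" is the tag
$streams = Get-Item -Path $path -Stream * -ErrorAction SilentlyContinue
$zone    = $streams | Where-Object Stream -eq 'Zone.Identifier'

if (-not $zone) {
    "No Zone.Identifier stream: $path is not tagged as a download"
    return
}

# ZoneId=3 means "Internet zone"; RemoteSigned refuses unsigned scripts carrying it
"Zone.Identifier contents:"
Get-Content -Path $path -Stream Zone.Identifier

# A downloaded script with a valid signature runs under RemoteSigned without unblocking
$sig = Get-AuthenticodeSignature -FilePath $path
"Signature status: $($sig.Status)"

if ($sig.Status -eq 'Valid') {
    "Signed by $($sig.SignerCertificate.Subject); no unblock needed"
    return
}

# Unsigned: read the script before trusting it...
Get-Content -Path $path | Select-Object -First 20

# ...and only then remove the tag (same effect as the "Unblock" button in Properties)
Unblock-File -Path $path

# Verify the stream is gone; Get-Item returns nothing once the tag has been removed
if (Get-Item -Path $path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    "Zone.Identifier still present"
} else {
    "Unblocked: Zone.Identifier removed from $path"
}
```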
