Set-ExecutionPolicy unrestricted permission denied


I am trying to set the execution policy to Unrestricted, but I'm getting the following error:

PS> Set-ExecutionPolicy Unrestricted
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
Set-ExecutionPolicy : Access to the registry key
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied. To change the execution
policy for the default (LocalMachine) scope, start Windows PowerShell with the "Run as administrator" option. To
change the execution policy for the current user, run "Set-ExecutionPolicy -Scope CurrentUser".
At line:1 char:1
+ Set-ExecutionPolicy unrestricted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyComma
   nd

There are 1 answers

0
mklement0 On

Set-ExecutionPolicy defaults to setting the script execution policy for the whole system (implied -Scope LocalMachine).

-Scope LocalMachine can only be used from an elevated session (run as admin);[1] if your session isn't elevated, you'll get the error you saw - and the error text actually both explains the problem and provides instructions for how to resolve it.

To summarize:

  • Either: Re-run your command from an elevated session, assuming you have administrative credentials.

    • You can start one with Start-Process powershell -Verb RunAs (use pwsh in PowerShell (Core) 7+).
  • Or: Change the persistent execution policy only for the current user (-Scope CurrentUser)

     Set-ExecutionPolicy -Scope CurrentUser RemoteSigned -Force
    

Note:

  • I've chosen RemoteSigned as the policy in the sample call, as it provides a balance between security and convenience: it places no restriction on local scripts, but prevents execution of scripts downloaded from the web that aren't cryptographically signed.

  • -Force bypasses the interactive prompt.

  • While a current-user execution policy takes precedence over a local-machine one, both can be preempted by GPO-based policies - see this answer for more information.

  • There's also a way to set the execution policy for a single session only, via -Scope Process, though that is typically used via the PowerShell CLI (powershell.exe for Windows PowerShell, pwsh for PowerShell (Core) 7+), in the form of -ExecutionPolicy Bypass.


[1] While the same applies to PowerShell (Core) 7+ in principle, elevation is not required if you happen to have installed it in a current-user location. Also note that execution policies fundamentally do not apply when you use PowerShell (Core) 7+ on Unix-like platforms.
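
The scope and precedence rules from the answer above, as an added example that is not part of the original answer: it picks LocalMachine only when the session is elevated, otherwise CurrentUser, and refuses to change anything when a GPO-based scope already decides the effective policy. The function names Test-IsElevated, Get-EffectivePolicySource and Set-ScriptPolicy are hypothetical; the script assumes Windows and PowerShell 5.0 or later.

```powershell
# Added example; function names are hypothetical, not built-in cmdlets.

function Test-IsElevated {
    # True when the current session runs with an administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-EffectivePolicySource {
    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    # The first scope that is not Undefined determines the effective policy.
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
}

function Set-ScriptPolicy {
    param(
        [Microsoft.PowerShell.ExecutionPolicy] $Policy = 'RemoteSigned'
    )

    # LocalMachine writes under HKEY_LOCAL_MACHINE and needs elevation;
    # CurrentUser does not.
    $scope = if (Test-IsElevated) { 'LocalMachine' } else { 'CurrentUser' }

    # A policy set through Group Policy preempts both persistent scopes,
    # so report it instead of writing a value that would have no effect.
    $source = Get-EffectivePolicySource
    if ($source -and $source.Scope -in 'MachinePolicy', 'UserPolicy') {
        Write-Warning ("Group Policy scope {0} enforces '{1}'; a {2} setting would not take effect." -f
            $source.Scope, $source.ExecutionPolicy, $scope)
        return
    }

    Set-ExecutionPolicy -Scope $scope -ExecutionPolicy $Policy -Force

    # Show every scope so the result can be verified at a glance.
    Get-ExecutionPolicy -List
}

Set-ScriptPolicy -Policy RemoteSigned
```

If the session is elevated and a different CurrentUser or Process policy is already defined, Set-ExecutionPolicy still writes the LocalMachine value but reports that a more specific scope overrides it; the final Get-ExecutionPolicy -List output shows which scope wins.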