
PowerShell by Example: Execution Policies

PowerShell 7

Understanding and managing script execution security with this code example demonstrating policy scopes, setting policies, and unblocking downloaded files.

Code

# Get current execution policy
Get-ExecutionPolicy -List

# Set policy to RemoteSigned for the current user (a commonly recommended default)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Bypass policy for a single script execution (Process scope); the PowerShell 7 host is pwsh.exe
powershell.exe -ExecutionPolicy Bypass -File ".\setup.ps1"

# Unblock a file downloaded from the internet
Unblock-File -Path "C:\Downloads\script.ps1"

# Check effective policy
$policy = Get-ExecutionPolicy
Write-Host "Effective Policy: $policy"

Explanation

PowerShell Execution Policies are a safety feature, not a security boundary, designed to prevent the accidental execution of malicious scripts. They control the conditions under which PowerShell loads configuration files and runs scripts. The default policy on Windows client computers is often Restricted, which prevents all scripts from running. Common policies include RemoteSigned (requires digital signatures for downloaded scripts), AllSigned (requires signatures for all scripts), and Bypass (nothing is blocked). Understanding these policies is crucial for configuring a secure yet functional automation environment.

Execution policies can be applied at different scopes, with a specific order of precedence: MachinePolicy (GPO), UserPolicy (GPO), Process (current session), CurrentUser, and LocalMachine. This hierarchy allows administrators to enforce rules via Group Policy while enabling developers to override settings locally for testing, provided GPO doesn't forbid it. The Process scope is particularly useful for temporarily bypassing restrictions for a single session without permanently altering system-wide security settings.

When scripts are downloaded from the internet, Windows attaches a "Zone.Identifier" alternate data stream, marking them as potentially unsafe. Even with RemoteSigned, these files must be explicitly trusted using the Unblock-File cmdlet before they can run. This mechanism ensures that users make a conscious decision to execute code from external sources. Best practice dictates using the most restrictive policy that still allows your work to proceed, typically RemoteSigned for developers and AllSigned for enterprise production environments.

  • Use Get-ExecutionPolicy -List to view all active scopes
  • Set RemoteSigned for a balance of security and usability
  • Use Unblock-File to trust downloaded scripts
  • Understand that execution policies are not a replacement for antivirus
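The scope precedence and the Zone.Identifier marker described above, as an added example that is not part of the original page: it walks the scopes in the documented order to find which one is in effect, then reads the alternate data stream on a constructed sample file before and after Unblock-File. Windows only (NTFS streams); the sample path under $env:TEMP is an assumption.

```powershell
# Added example, not from the original page. Computes the effective execution
# policy from the scope precedence and inspects the Zone.Identifier stream
# that Unblock-File removes. Requires Windows (NTFS alternate data streams).

function Get-EffectivePolicyFromScopes {
    # Precedence from the explanation: the first scope that is not Undefined wins.
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    foreach ($scope in $order) {
        if ($byScope[$scope] -and $byScope[$scope] -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; Policy = $byScope[$scope] }
        }
    }
    # Every scope is Undefined: PowerShell falls back to its built-in default.
    return [pscustomobject]@{ Scope = 'Default'; Policy = [string](Get-ExecutionPolicy) }
}

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # A downloaded file carries a Zone.Identifier stream; ZoneId=3 is the Internet zone.
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; Blocked = $false; ZoneId = $null }
    }
    $zone = $null
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
    }
    [pscustomobject]@{ Path = $Path; Blocked = $true; ZoneId = $zone }
}

# --- Demonstration on a constructed sample file (hypothetical path) ---
$sample = Join-Path $env:TEMP 'downloaded-sample.ps1'
Set-Content -Path $sample -Value 'Write-Host "hello from a downloaded script"'
# Simulate what a browser does on download: attach the Internet-zone marker.
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-EffectivePolicyFromScopes
Test-MarkOfTheWeb -Path $sample     # Blocked = True, ZoneId = 3

Unblock-File -Path $sample          # strips the Zone.Identifier stream
Test-MarkOfTheWeb -Path $sample     # Blocked = False

Remove-Item -Path $sample
```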

Code Breakdown

Line 2: Get-ExecutionPolicy -List displays the policy set at each precedence scope.
Line 5: Set-ExecutionPolicy changes the policy for the specified scope.
Line 8: -ExecutionPolicy Bypass runs the script without policy restrictions, for that process only.
Line 11: Unblock-File removes the "Zone.Identifier" stream from downloaded files.