PowerShell Scripts and Execution Policy

A PowerShell script is a text file with a .ps1 extension that contains a sequence of PowerShell commands. Scripts automate tasks that would otherwise require typing commands manually every time. Execution Policy is a security setting that controls which scripts are allowed to run on a system.

What Is a PowerShell Script?

A script is a recipe. Instead of entering each step manually, a script stores all steps in a file and runs them with a single command. Scripts can range from a few lines that rename files to hundreds of lines that deploy enterprise infrastructure.

  backup.ps1
  +------------------------------------------+
  | param ($Source, $Dest)                   |
  | $date = Get-Date -Format "yyyyMMdd"      |
  | $folder = "$Dest\Backup_$date"           |
  | New-Item $folder -ItemType Directory     |
  | Copy-Item "$Source\*" $folder -Recurse   |
  | Write-Host "Backup complete: $folder"    |
  +------------------------------------------+
  
  Run: .\backup.ps1 -Source "C:\Data" -Dest "D:\Backups"

Creating a PowerShell Script

Step 1 – Create the Script File


# Create a new script file
New-Item -Path "C:\Scripts\hello.ps1" -ItemType File

# Or open in Notepad to write
notepad C:\Scripts\hello.ps1

Step 2 – Write the Script Content

File: C:\Scripts\hello.ps1


# hello.ps1 – Simple greeting script
param (
    [string]$Name = "World"
)

Write-Host "Hello, $Name!" -ForegroundColor Green
Write-Host "Today is: $(Get-Date -Format 'dddd, MMMM dd yyyy')"
Write-Host "PowerShell Version: $($PSVersionTable.PSVersion)"

Step 3 – Run the Script


# Navigate to the script folder
cd C:\Scripts

# Run the script
.\hello.ps1

# Run with arguments
.\hello.ps1 -Name "Priya"

# Run using the full path
& "C:\Scripts\hello.ps1" -Name "Karan"

Output:


Hello, Priya!
Today is: Saturday, March 21 2026
PowerShell Version: 7.4.0

Execution Policy

Execution Policy is a security gate that controls which scripts PowerShell allows to run. It prevents accidentally running malicious or untrusted scripts downloaded from the internet.

Execution Policy Levels

Policy        Who Can Run Scripts                                          Use Case
------        -------------------                                          --------
Restricted    No scripts — only interactive commands                       Default on client Windows
AllSigned     Only scripts signed by a trusted publisher                   High-security environments
RemoteSigned  Local scripts run freely; downloaded scripts need signature  Recommended for development
Unrestricted  All scripts run; downloaded scripts prompt a warning         Testing on isolated machines
Bypass        Nothing is blocked — no warnings                             Automated CI/CD pipelines
Undefined     No policy set for this scope — uses higher scope             Default state for many scopes

Check Current Policy


Get-ExecutionPolicy
# Output: Restricted (on a fresh Windows install)

# See policy for all scopes
Get-ExecutionPolicy -List

Output:


Scope           ExecutionPolicy
-----           ---------------
MachinePolicy   Undefined
UserPolicy      Undefined
Process         Undefined
CurrentUser     RemoteSigned
LocalMachine    Restricted

Change Execution Policy


# For current user only (no Admin required)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# For all users on the machine (requires Admin)
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine

# For the current PowerShell session only (temporary)
Set-ExecutionPolicy Bypass -Scope Process

# Suppress the confirmation prompt
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Execution Policy Scopes

  MachinePolicy (Group Policy – highest priority)
         |
  UserPolicy (Group Policy for user)
         |
  Process (current PowerShell session only)
         |
  CurrentUser (settings for this user account)
         |
  LocalMachine (all users on this computer – lowest priority)

The highest scope with a policy set wins. Group Policy settings override all local settings.
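
The precedence rule above, as an added example that is not part of the original page: the function walks the rows of Get-ExecutionPolicy -List in order and reports the first scope that is not Undefined, along with the scopes whose values are ignored. Resolve-EffectivePolicy is a hypothetical helper name, and the sample rows are constructed from the listing shown under "Check Current Policy".

```powershell
function Resolve-EffectivePolicy {
    # Hypothetical helper (not a built-in cmdlet): finds the scope whose policy applies.
    param (
        [Parameter(Mandatory = $true)]
        [object[]]$PolicyList   # rows with Scope and ExecutionPolicy, highest priority first
    )

    # Keep only scopes that have a policy set; the original order is preserved
    $set = @($PolicyList | Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' })

    if ($set.Count -eq 0) {
        # Nothing is set in any scope: PowerShell falls back to its built-in default
        return [pscustomobject]@{ WinningScope = $null; Policy = 'Undefined'; IgnoredScopes = @() }
    }

    [pscustomobject]@{
        WinningScope  = "$($set[0].Scope)"
        Policy        = "$($set[0].ExecutionPolicy)"
        # Scopes that have a value but lose to the winner
        IgnoredScopes = @($set | Select-Object -Skip 1 |
                          ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
    }
}

# Constructed sample: the listing shown under "Check Current Policy"
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'RemoteSigned' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'Restricted' }
)
Resolve-EffectivePolicy -PolicyList $sample

# Same check against the live system
Resolve-EffectivePolicy -PolicyList (Get-ExecutionPolicy -List)
```

For the sample rows, CurrentUser wins with RemoteSigned and the Restricted value at LocalMachine is reported as ignored.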

Unblocking Downloaded Scripts

Files downloaded from the internet receive a "zone mark" (stored in an alternate data stream named Zone.Identifier) that causes RemoteSigned to block them if they are not signed.


# Check if a file is blocked (prints the zone mark; no output means the file is not marked)
Get-Content -Path "C:\Downloads\script.ps1" -Stream Zone.Identifier -ErrorAction SilentlyContinue

# Unblock a single file
Unblock-File -Path "C:\Downloads\script.ps1"

# Unblock all scripts in a folder
Get-ChildItem "C:\Downloads\*.ps1" | Unblock-File
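
Unblock-File removes the zone mark, so the review has to happen before it runs. The following added example (not from the original page) reports every marked script in a folder with its zone, signature status and SHA-256 hash; Get-DownloadedScriptReport is a hypothetical helper name and C:\Downloads is the folder used in the commands above.

```powershell
function Get-DownloadedScriptReport {
    # Hypothetical helper: lists .ps1 files that still carry a zone mark.
    param (
        [string]$Path = "C:\Downloads"
    )

    foreach ($file in Get-ChildItem -Path $Path -Filter *.ps1 -File) {
        # The zone mark lives in the Zone.Identifier alternate data stream
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                    -ErrorAction SilentlyContinue
        if (-not $zone) { continue }   # no mark: RemoteSigned treats the file as local

        # The stream is INI-style text; pull the numeric ZoneId line
        $zoneId = $null
        foreach ($line in $zone) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

        [pscustomobject]@{
            File      = $file.Name
            ZoneId    = $zoneId                        # 3 = Internet, 4 = Restricted sites
            Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject # empty when the file is unsigned
            SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

# Review the report, compare hashes with the publisher's values, then unblock
Get-DownloadedScriptReport -Path "C:\Downloads" | Format-Table -AutoSize
```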

Script Best Practices

1 – Add a Script Header


<#
.SYNOPSIS
    Backs up specified folders to a destination.

.DESCRIPTION
    Copies all files from SourcePath to DestinationPath with a dated subfolder.

.PARAMETER SourcePath
    The folder to back up.

.PARAMETER DestinationPath
    Where to store the backup.

.EXAMPLE
    .\backup.ps1 -SourcePath "C:\Data" -DestinationPath "D:\Backup"

.NOTES
    Author: eStudy247
    Version: 1.0
    Date: 2026-03-21
#>

param (
    [Parameter(Mandatory=$true)]
    [string]$SourcePath,

    [string]$DestinationPath = "D:\Backup"
)

2 – Use #Requires Statements


# Require minimum PowerShell version
#Requires -Version 7.0

# Require running as Administrator
#Requires -RunAsAdministrator

# Require a specific module
#Requires -Modules ActiveDirectory

3 – Use Verbose and Error Handling


[CmdletBinding()]
param (
    [string]$TargetServer = "localhost"
)

$ErrorActionPreference = "Stop"

try {
    Write-Verbose "Connecting to $TargetServer..."
    # ... script logic ...
    Write-Verbose "Complete."
}
catch {
    Write-Error "Script failed: $($_.Exception.Message)"
    exit 1
}

Running Scripts with Bypass for Automation

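In automated pipelines (CI/CD, scheduled tasks), use the -ExecutionPolicy Bypass flag directly in the invocation to avoid policy restrictions without changing system settings. The flag sets the policy at the Process scope, so a policy set through Group Policy still overrides it.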


# Run a script with Bypass from CMD or a scheduled task
powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\backup.ps1"

# PowerShell 7
pwsh.exe -ExecutionPolicy Bypass -File "C:\Scripts\backup.ps1" -SourcePath "C:\Data"

Script Signing (AllSigned Policy)

In high-security environments, scripts must be digitally signed with a code-signing certificate issued by a trusted certificate authority.


# Create a self-signed certificate (for testing only)
$cert = New-SelfSignedCertificate -DnsName "PowerShellScripts" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Type CodeSigningCert

# Sign a script
Set-AuthenticodeSignature -FilePath "C:\Scripts\backup.ps1" -Certificate $cert

# Verify the signature (Status is Valid only when the signing certificate is trusted on this machine)
Get-AuthenticodeSignature -FilePath "C:\Scripts\backup.ps1"

Scheduled Tasks with PowerShell Scripts


# Create a scheduled task to run a script daily at 2 AM
$action  = New-ScheduledTaskAction -Execute "pwsh.exe" `
               -Argument "-ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"

$trigger = New-ScheduledTaskTrigger -Daily -At "02:00AM"

$settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable

Register-ScheduledTask -TaskName "DailyBackup" `
    -Action $action `
    -Trigger $trigger `
    -Settings $settings `
    -RunLevel Highest
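
A task registered this way runs whatever file sits at the script path, elevated and with no policy check, so it is worth knowing which tasks on a machine do that. The following added example (not from the original page) lists scheduled tasks that start PowerShell with an execution policy override and shows the run level and the signature status of the target script; Get-PolicyOverrideTask is a hypothetical helper name.

```powershell
function Get-PolicyOverrideTask {
    # Hypothetical helper: finds tasks that launch powershell.exe or pwsh.exe with
    # -ExecutionPolicy Bypass/Unrestricted, including short forms such as -ep and -ex.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe     = "$($action.Execute)".Trim('"')
            $argLine = "$($action.Arguments)"

            if ($exe -notmatch '(^|\\)(powershell|pwsh)(\.exe)?$') { continue }
            if ($argLine -notmatch '-(ep|ex\w*)\s+(Bypass|Unrestricted)\b') { continue }

            # Script path that follows -File, quoted or unquoted
            $scriptPath = $null
            if ($argLine -match '-File\s+(?:"([^"]+)"|(\S+))') {
                $scriptPath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }

            # Signature status of the script the task will run
            $sigStatus = if ($scriptPath -and (Test-Path -LiteralPath $scriptPath)) {
                (Get-AuthenticodeSignature -LiteralPath $scriptPath).Status
            } else {
                'FileNotFound'
            }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel   # Highest = elevated
                Script    = $scriptPath
                Signature = $sigStatus
                Arguments = $argLine
            }
        }
    }
}

# Elevated tasks first
Get-PolicyOverrideTask | Sort-Object RunLevel -Descending | Format-List
```

For each task reported with RunLevel Highest, confirm that only administrators can modify the script file and its folder.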

Summary

PowerShell scripts are .ps1 files that automate sequences of commands. Execution Policy is a security control that determines which scripts are allowed to run. RemoteSigned is the recommended policy for development environments. Scripts downloaded from the internet need to be unblocked with Unblock-File. Professional scripts include comment-based help headers, #Requires statements, and structured error handling. For automation pipelines and scheduled tasks, the -ExecutionPolicy Bypass flag handles script execution cleanly without changing system-wide policy settings.
