Trying to run a PowerShell script, and do you get the error “Cannot be loaded because running scripts is disabled on this system”? Then we need to change the execution policy in PowerShell. To protect your computer from malicious scripts, the execution policy of PowerShell is set to restricted by default.
This default setting will prevent you from running any PowerShell script on your computer, even scripts that you have written yourself. Luckily we can easily change the policy with a single command in PowerShell.
In this article
In this article, I will explain how you can quickly fix the error running scripts are disabled on this system, what the different policies are and how to change it on all computers with a Group Policy.
Fix Running scripts is disabled on this System
We are going to start with a quick fix. The method below only solves the issue temporarily, so you can run your script and continue. For a more sustainable solution, scroll a bit down to the next chapter.
- Open PowerShell or Windows Terminal
- Enter the command below to run your script
powershell -ExecutionPolicy Bypass -File script.ps1
The method above bypasses the execution policy only temporarily. This works great for a single file, but it requires you to use the command above every time that you want to run the file. A more sustainable solution is to change the execution policy.
Changing the Execution Policy Permanently
When you work a lot with PowerShell scripts then you probably want to change the Execution Policy permanently. But before we look into how to change the policy, let’s first explain its purpose and the different policies that are available.
The execution policy isn’t designed as a security system to restrict users from executing PowerShell scripts. Each user can simply bypass the policy in their current PowerShell session or even copy and paste the content of the script directly into the console. So what is the purpose of the policy then? Well, it’s designed to prevent unintentional execution of PowerShell scripts.
When changing the policy we have five options to choose from:
|Restricted||Default option – Does not allow to run any PowerShell script|
|Unrestricted||Can run any script, shows warning for downloaded scripts|
|RemoteSigned||Requires a digital signature for downloaded scripts. You can|
run locally written scripts. You can unblock downloaded scripts
to run them without signature
|ByPass||You can run all scripts and no warnings are displayed|
|AllSigned||You can only run signed scripts from trusted publishers|
Most people tend to set the policy to unrestricted, which allows you to run any PowerShell script. But a better option is to use the RemoteSigned policy. This way you can run any locally written scripts, but you will have to unblock all downloaded scripts first. The extra handling prevents users from accidentally downloading and running malicious PowerShell scripts on their system.
All users vs Current user
When changing the policy we can also determine the scope of the change. The following scopes are available for the policy:
|CurrentUser||The policy is only set for the currently logged-in user|
|LocalMachine||Policy is changed for all users on the machine|
|Process||Policy is only changed for the current PowerShell session|
Set Execution Policy for Current user
So the most common scenario is that you want to change the PowerShell Execution policy for the current user. This will solve the error “running scripts is disabled on this system” for the logged-in user. We will set the policy to RemoteSigned, which means that the user still has to perform an extra step for downloaded scripts.
- Open PowerShell
- Enter the command below and press enter
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
- Optional – Verify the setting with the command
You can now run any locally created PowerShell script without the error running scripts is disabled on this system.
When you try to run a downloaded PowerShell script with the execution policy RemoteSigned, then you get the error that the file cannot be loaded. The PowerShell script is not digitally signed:
To solve this you will first need to unblock the file. To do this we can of course use a PowerShell cmdlet,
Unblock-File. Simply type the cmdlet followed by the filename/path:
Unblock-File -path .\CreateTestFiles.ps1
Set Execution Policy for all Users
We can also change the policy for all users on a computer. To do this, you will need to have elevated permissions (Administrator permission).
- Right-Click on Start or press Windows key + X
- Choose Windows PowerShell (Admin) or Windows Terminal (Admin)
- Type the following command:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
We can verify the results with the cmdlet
Get-ExecutionPolicy -List which shows the policy for each scope. Good to know is that the CurrentUser policy takes precedence over the LocalMachine policy. So when you set the CurrentUser policy to restricted and LocalMachine to RemoteSigned, then the user still can’t execute any PowerShell script, because the policy set in the CurrentUser scope overrules the LocalMachine policy.
Change the policy only for the Current Sessions
Another option is to change the policy only for the current PowerShell session. This method is useful when you need to run a couple of PowerShell scripts, but don’t want to change the policy permanently. You could use the Bypass option for each script, but it’s thus also possible to set change the scope for only the current PowerShell session. Use the scope
Process for this:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
Set Execution policy PowerShell with GPO
When you need to modify the policy on multiple computers, then it’s a good idea to use a Group Policy for this. Group Policies allow you to change Windows settings on multiple computers that are members of a domain. Another advantage of the policy is that the setting can’t be overwritten on the computer.
- Open the Group Policy Management Editor and create a new policy.
- Expand Computer Configuration
- Navigate to Policies > Administrative Templates > Windows Components > Windows PowerShell
- Open the setting Turn on Script Execution
- Change the setting to Enabled
- Select the Execution Policy Allow local scripts and remote signed scripts. This is the same as RemoteSigned that we set earlier.
We can verify the setting on one of the clients that are a member of the OU where we just applied the setting. First, make sure that the latest policy is applied on the computer using the GPUpdate command. Optionally you can use the RSOP command to verify the policy, or just check if the execution policy is set with the command:
Get-ExecutionPolicy -list # Result Scope ExecutionPolicy ----- --------------- MachinePolicy RemoteSigned UserPolicy RemoteSigned Process Undefined CurrentUser Undefined LocalMachine Undefined
As mentioned, the advantage of the policies is that users can’t change the policy anymore. When you use the cmdlet set-executionpolicy, you will get an error that the policy is changed, but the setting is overridden by a policy defined at a more specific scope:
The best way to set the Execution Policy in PowerShell is to use the Group Policy. This way all existing and new machines in your domain can be configured with the correct policy. Of course, you can create a different policy for the IT department.
I hope this article helped you to solve the error “cannot be loaded because running scripts is disabled on this system”, if you have any questions, then just drop a comment below. If you want to learn more about PowerShell, then make sure you read this getting started guide.