To enable script execution in Windows 11, set the execution policy to RemoteSigned using the Set-ExecutionPolicy cmdlet in an elevated PowerShell session.
By default, Windows 11 blocks all PowerShell scripts with the Restricted execution policy. This safety feature prevents malicious code from running, but it also stops legitimate scripts for development, automation, or Office deployments. The fix takes one command in an administrator console, and a safer alternative applies the change only to your user account. Below you’ll find the exact steps, the security trade-offs of each policy option, and how to clean up afterward.
What Is the PowerShell Execution Policy?
An execution policy is a security control that determines which PowerShell scripts (files ending in .ps1) can run on your machine. Windows 11 ships with the Restricted policy, which prevents any script from executing. The other policies—RemoteSigned, AllSigned, Unrestricted, Bypass, Default, and Undefined—allow varying levels of script execution with different security requirements.
Each policy can be applied at different scopes: LocalMachine (affects all users), CurrentUser (affects only you), Process (for the current session only), or Session (for a specific PowerShell session). The safest approach for most individual users is RemoteSigned at the CurrentUser scope.
| Policy | Behavior | When to Use |
|---|---|---|
| Restricted | Blocks all scripts | Default; use for day-to-day desktop work |
| RemoteSigned | Allows local scripts; remote script must be signed | Best balance of security and productivity |
| AllSigned | All scripts must be signed by a trusted publisher | High-security environments |
| Unrestricted | All scripts run with a warning for remote ones | Development sandboxes after full understanding of risks |
| Bypass | No restrictions – everything runs | One-off execution or automated installers |
| Default | Uses the machine-level default policy | Reset to factory behavior |
| Undefined | No policy set at this scope; falls back to parent scope | Mixed environment with Group Policy |
How to Enable Script Execution in Windows 11: The Safe Steps
The most secure method is to use a user-wide scope that avoids affecting other accounts. If you only need scripts temporarily, use the one-time bypass flag so no policy change sticks.
Method 1 – Set Policy for All Users (Administrator Required)
- Open Start, type PowerShell, right-click Windows PowerShell, and select Run as administrator.
- Check the current policy: type
Get-ExecutionPolicyand press Enter. It should returnRestricted. - Set the policy to
RemoteSigned: typeSet-ExecutionPolicy RemoteSignedand press Enter. - When prompted, type Y (Yes) or A (Yes to All) and press Enter.
- Run your script (
.\YourScript.ps1) from the command line. - Revert immediately after use: type
Set-ExecutionPolicy Restrictedand press Enter. Confirm with Y. - Close the PowerShell window.
Leaving the policy at Unrestricted or RemoteSigned permanently exposes your machine to unsigned remote scripts. Reverting is critical.
Method 2 – Set Policy Only for Your User (Safer, No Admin)
This change applies only to your own scripts and won’t affect other users on the same PC.
- Open Windows Terminal (or PowerShell as a normal user).
- Run
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force. - Verify the change:
Get-ExecutionPolicy -Listshows all scopes in order of precedence. - Run your script, then revert with
Set-ExecutionPolicy Restricted -Scope CurrentUser.
Method 3 – One-Time Execution Without Changing Policy
Use this when you only need to run a single script and want zero permanent changes.
- Open PowerShell (normal, not admin).
- Run
powershell.exe -noprofile -executionpolicy bypass -file .\YourScript.ps1. - The script runs with full trust for that invocation only. No registry settings are touched.
| Method | Scope | Requires Admin? | Best For |
|---|---|---|---|
| Set-ExecutionPolicy RemoteSigned | LocalMachine (all users) | Yes | Admin-managed machines, family PC |
| Set-ExecutionPolicy RemoteSigned -Scope CurrentUser | CurrentUser | No | Personal laptop, single-user workstation |
| -ExecutionPolicy Bypass flag | Process (one session) | No | Running one specific installer or script |
Common Mistakes That Break Script Execution
- Not running PowerShell as Administrator.
Set-ExecutionPolicydefaults toLocalMachinescope, which requires elevation. If you get an error, launch PowerShell with admin rights or use-Scope CurrentUser. - Leaving the policy at Unrestricted. This is a major security gap. Always revert to
Restrictedafter your script finishes. - Ignoring the Mark of the Web. Scripts downloaded from the internet might be blocked even after changing the policy. Use
Unblock-File .\script.ps1first, or set policy toRemoteSignedwhich still requires a signature for remote files. - Domain or Group Policy overrides. If your PC is managed by an IT department, local policy changes may be reverted automatically on reboot. Check with your admin before making changes.
Reverting the Policy After Use
Returning the policy to Restricted is the most important step. Run Set-ExecutionPolicy Restricted (as admin) or Set-ExecutionPolicy Restricted -Scope CurrentUser and confirm. You can also verify with Get-ExecutionPolicy to ensure it shows Restricted.
Final Steps for Safe Script Execution in Windows 11
- Open PowerShell as administrator (or use
-Scope CurrentUserfor a user-only change). - Set the policy to
RemoteSignedusingSet-ExecutionPolicy RemoteSigned. - Run your script.
- Revert to
Restrictedimmediately. - If you only need one script, use the
-ExecutionPolicy Bypassflag instead of changing global settings.
The whole process takes less than a minute, and following the revert step keeps your Windows 11 machine as secure as it was before.
References & Sources
- Microsoft. “about_Execution_Policies” Official documentation detailing all policy states, scopes, and best practices.
