Abhisheka Acharyaz

Reputation: 21

Set-ExecutionPolicy unrestricted permission denied

I am trying to set the execution policy to Unrestricted, but I'm getting the following error:

PS> Set-ExecutionPolicy Unrestricted
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
Set-ExecutionPolicy : Access to the registry key
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied. To change the execution
policy for the default (LocalMachine) scope, start Windows PowerShell with the "Run as administrator" option. To
change the execution policy for the current user, run "Set-ExecutionPolicy -Scope CurrentUser".
At line:1 char:1
+ Set-ExecutionPolicy unrestricted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyComma
   nd

Upvotes: 2

Views: 37384

Answers (1)

mklement0

Reputation: 440037

Set-ExecutionPolicy defaults to setting the script execution policy for the whole system (implied -Scope LocalMachine).

-Scope LocalMachine can only be used from an elevated session (run as admin);[1] if your session isn't elevated, you'll get the error you saw - and the error text actually both explains the problem and provides instructions for how to resolve it.

To summarize:

  • Re-run your command from an elevated (admin) session, assuming you have administrative credentials.

    • You can start one with Start-Process powershell -Verb RunAs (use pwsh in PowerShell (Core) 7+).
  • Alternatively, change the persistent execution policy only for the current user (-Scope CurrentUser):

     Set-ExecutionPolicy -Scope CurrentUser RemoteSigned -Force

Note:

  • While a current-user execution policy takes precedence over a local-machine one, both can be preempted by GPO-based policies:

    • If GPO policies are in place, running Set-ExecutionPolicy is ineffective, and PowerShell will report the following error to indicate that:

      • Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of {current-policy}. Type "Get-ExecutionPolicy -List" to view your execution policy settings.

    • In that case, changing the GPO policies is your only option, although note that on domain-joined machines these policies are usually centrally controlled.

    • See this answer for more information.

  • I've chosen RemoteSigned as the policy in the sample call, as it provides a balance between security and convenience: it places no restriction on local scripts, but prevents execution of scripts downloaded from the web that aren't cryptographically signed.

  • -Force bypasses the interactive prompt.

  • There's also a way to set the execution policy for a single session only, via -Scope Process, though that is typically used via the PowerShell CLI (powershell.exe for Windows PowerShell, pwsh for PowerShell (Core) 7+), in the form of -ExecutionPolicy Bypass.


[1] While the same applies to PowerShell (Core) 7+ in principle, elevation is not required if you happen to have installed it in a current-user location. Also note that execution policies fundamentally do not apply when you use PowerShell (Core) 7+ on Unix-like platforms.

Upvotes: 4
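
The checks described in the answer above, combined into one function. This is an added example, not code from the answer: Set-ScopedExecutionPolicy and its -MachineWide switch are hypothetical names. It generalizes the GPO note to every scope that outranks the one being changed, and its elevation check assumes Windows PowerShell.

```powershell
# Added example: Set-ScopedExecutionPolicy is a hypothetical helper, not a built-in cmdlet.
function Set-ScopedExecutionPolicy {
    [CmdletBinding()]
    param(
        [Microsoft.PowerShell.ExecutionPolicy] $Policy = 'RemoteSigned',
        [switch] $MachineWide   # request -Scope LocalMachine instead of CurrentUser
    )

    $target = if ($MachineWide) { 'LocalMachine' } else { 'CurrentUser' }

    # -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    # Collect every defined scope that outranks the one we want to change.
    $overriding = foreach ($entry in Get-ExecutionPolicy -List) {
        if ($entry.Scope -eq $target) { break }
        if ($entry.ExecutionPolicy -ne 'Undefined') { $entry }
    }
    if ($overriding) {
        # Choice made by this example: report and stop instead of writing a
        # setting that would not become the effective policy.
        $names = ($overriding | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
        Write-Warning "Not changing $target; overridden by: $names"
        return Get-ExecutionPolicy -List
    }

    if ($MachineWide) {
        # LocalMachine is stored under HKEY_LOCAL_MACHINE, so the session must be elevated
        # (assumption: Windows PowerShell, not a per-user PowerShell 7+ install).
        $principal = [Security.Principal.WindowsPrincipal]::new(
            [Security.Principal.WindowsIdentity]::GetCurrent())
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'LocalMachine scope requires an elevated session; omit -MachineWide to use CurrentUser.'
        }
    }

    Set-ExecutionPolicy -Scope $target -ExecutionPolicy $Policy -Force
    Get-ExecutionPolicy -List   # show the resulting per-scope settings
}

# Usage (per-user change, no elevation needed):
#   Set-ScopedExecutionPolicy -Policy RemoteSigned
```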
