Fix PowerShell Script Blocks with Execution Policy and Unblock-File in Windows 10/11
Difficulty: Intermediate | Time Required: 10 minutesPowerShell is one of the most useful tools built into Windows 10 and Windows 11, but sooner or later many users run into a frustrating message such as:
File cannot be loaded because running scripts is disabled on this system.or:
The file is not digitally signed. The script will not execute on the system.These errors usually happen for one of two reasons: your PowerShell execution policy is preventing scripts from running, or the script was downloaded from the internet and Windows marked it as blocked. This tutorial shows how to safely check your current policy, adjust it for your user account, and use
Unblock-File when Windows is blocking a trusted script.PowerShell execution policy is a safety feature, not a complete security system. It helps prevent accidental script execution, but you should still only run scripts you trust.
Prerequisites
Before starting, make sure you have:- A Windows 10 or Windows 11 PC.
- Windows PowerShell 5.1, included with Windows 10/11, or PowerShell 7 installed separately.
- A script file, usually ending in
.ps1, that you want to run. - Basic confidence using PowerShell commands.
Note: Most steps below work without administrator rights if you change the policy only for your current user. Administrator rights are usually needed only when changing system-wide settings.
Step 1: Open PowerShell
- Right-click the Start button.
- Select Terminal, Windows PowerShell, or Terminal (Admin) depending on your version of Windows.
- If you only need to fix scripts for your own user account, a normal PowerShell window is usually enough.
- If you plan to change the policy for all users on the PC, choose Run as administrator.
Step 2: Check the Current Execution Policy
Run:Get-ExecutionPolicyThis shows the effective policy for the current PowerShell session.
For more detail, run:
Get-ExecutionPolicy -ListYou may see output similar to this:
Code:
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned- Restricted — Allows individual commands, but blocks script files.
- RemoteSigned — Allows local scripts, but requires downloaded scripts to be signed or unblocked.
- AllSigned — Requires all scripts to be signed by a trusted publisher.
- Bypass — Blocks nothing and shows no warnings.
- Undefined — No policy is set at that scope.
Step 3: Set Execution Policy for Your User Account
To allow locally created scripts and trusted unblocked scripts, run:Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUserIf prompted, type:
YThen press Enter.
Using
-Scope CurrentUser applies the change only to your Windows account. This is usually safer than changing the whole computer.Now verify the change:
Get-ExecutionPolicy -ListLook for:
CurrentUser RemoteSignedTip: If this is your personal PC,CurrentUseris usually the best scope. If this is a work, school, or managed device, Group Policy may override your setting.
Step 4: Try Running the Script Again
Navigate to the folder containing your script. For example:cd "$env:USERPROFILE\Downloads"Run the script using
.\ before the filename:.\MyScript.ps1If the script runs, you are done.
If you still receive a message saying the script is not digitally signed or was downloaded from the internet, continue to the next step.
Step 5: Check Whether the Script Is Blocked
When files are downloaded using browsers or email clients, Windows may add a hidden marker calledZone.Identifier. PowerShell can detect this and may block the script under RemoteSigned.To check one file, run:
Get-Item .\MyScript.ps1 -Stream Zone.Identifier -ErrorAction SilentlyContinueIf you see output showing a
Zone.Identifier stream, Windows has marked the file as downloaded from the internet.You can also scan a folder for blocked PowerShell scripts:
Code:
Get-ChildItem -Path . -Filter *.ps1 -File |
Get-Item -Stream Zone.Identifier -ErrorAction SilentlyContinueNote: This works on file system drives that support alternate data streams, such as typical NTFS Windows drives.
Step 6: Review the Script Before Unblocking It
Before unblocking any script, inspect it.Open it in Notepad:
notepad .\MyScript.ps1Check for anything suspicious, such as:
- Commands that delete large folders.
- Unknown web downloads.
- Credential prompts you did not expect.
- Obfuscated text or unreadable encoded commands.
- Commands that disable security features.
Warning:Unblock-Fileremoves the downloaded-from-internet marker. Only use it when you trust the file and its source.
Step 7: Unblock a Trusted Script
To unblock one trusted script, run:Unblock-File -Path .\MyScript.ps1Now try running it again:
.\MyScript.ps1If the issue was caused by the internet-zone marker, the script should now run under
RemoteSigned.Step 8: Unblock Multiple Trusted Scripts in a Folder
If you downloaded a trusted script package containing several.ps1 files, you can unblock them together.First, preview the files:
Get-ChildItem -Path . -Filter *.ps1 -RecurseIf the list looks correct, unblock them:
Code:
Get-ChildItem -Path . -Filter *.ps1 -Recurse -File |
Unblock-FileExample:Tip: If you downloaded a ZIP file, unblock the ZIP before extracting it. That can prevent every extracted file from inheriting the blocked marker.
Unblock-File -Path .\TrustedScripts.zipThen extract the ZIP normally.
Step 9: Use a Temporary Policy for One Session
If you do not want to permanently change your execution policy, you can start a temporary session.From an existing PowerShell window, run:
powershell.exe -ExecutionPolicy RemoteSignedOr, if using PowerShell 7:
pwsh.exe -ExecutionPolicy RemoteSignedThe policy applies only to that new session and child processes. When you close the window, the temporary setting is gone.
This is useful for testing, labs, and one-time troubleshooting.
Troubleshooting Notes
“Set-ExecutionPolicy succeeded, but scripts are still blocked”
Run:Get-ExecutionPolicy -ListIf
MachinePolicy or UserPolicy is set, your device is probably controlled by Group Policy. This is common on business, school, or domain-joined PCs. In that case, contact your administrator.“The script still says it is not digitally signed”
If your policy isAllSigned, every script must be signed by a trusted publisher. Either use a signed script, sign it yourself with a trusted certificate, or ask your administrator whether RemoteSigned is acceptable.“Unblock-File does nothing”
That is normal if the file is not blocked.Unblock-File does not display output when it succeeds, and it does not produce an error for files that are already unblocked.“Should I use Unrestricted or Bypass?”
Avoid usingUnrestricted or Bypass as a permanent setting on a normal Windows 10/11 PC. They reduce warnings and protections. For most users, RemoteSigned plus Unblock-File for trusted scripts is a cleaner approach.Conclusion
Fixing blocked PowerShell scripts in Windows 10 and Windows 11 usually comes down to two checks: your execution policy and whether Windows marked the script as downloaded from the internet. SettingRemoteSigned for CurrentUser allows normal local script development without changing policy for everyone on the computer. When a trusted downloaded script is blocked, Unblock-File removes the internet-zone marker so PowerShell can run it.Used carefully, these tools let you keep PowerShell productive while still respecting Windows’ built-in safety checks.
Key Takeaways:
- Use
Get-ExecutionPolicy -Listto see which policy is actually affecting you. RemoteSignedis a practical choice for many Windows 10/11 users.- Prefer
Set-ExecutionPolicy RemoteSigned -Scope CurrentUserover system-wide changes. - Use
Unblock-Fileonly after reviewing and trusting the script. - Group Policy can override local PowerShell execution policy settings.
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
