L9. Security: Execution Policy, Logging, AMSI, and Secrets
Learn what PowerShell security controls do and do not do: execution policy, script block logging, module logging, AMSI, constrained language mode, application control, and secret handling.
Execution Policy Is Not a Security Boundary
Execution policy helps prevent accidental script execution, but Microsoft explicitly documents that it is not a security system that restricts user actions. On Windows, policies such as RemoteSigned, AllSigned, and Restricted affect when scripts and configuration files load. On non-Windows systems, execution policy behavior is effectively unrestricted/bypass-like because Windows security zones are not implemented.
Get-ExecutionPolicy
Get-ExecutionPolicy -List
Set-ExecutionPolicy RemoteSigned -Scope CurrentUserGroup Policy can override local settings. Always check Get-ExecutionPolicy -List before assuming what policy is effective.
Logging
PowerShell security monitoring relies heavily on logs:
| Control | What it records |
|---|---|
| Module logging | Pipeline execution events for selected modules |
| Script block logging | Commands, functions, scripts, and script blocks |
| Transcription | Console input and output for a session |
AMSI and Language Restrictions
On supported Windows systems, PowerShell sends script content to AMSI for antimalware inspection. PowerShell 7.3 extended AMSI data to include .NET method invocations. Constrained Language Mode limits what scripts can do, especially when enforced through application control.
Application control is the stronger enterprise control. Microsoft identifies App Control for Business as the preferred Windows application control system. Execution policy remains defense-in-depth, not containment.
Secrets
Do not hardcode passwords, tokens, or API keys in scripts. Prefer managed identities, certificates, environment-specific secret stores, or SecretManagement-compatible vaults. Microsoft no longer recommends SecureString for new development as a general password-handling strategy; it remains for compatibility and reducing accidental console/log exposure.
Lab
- Run
Get-ExecutionPolicy -List. - Explain which scope wins by precedence.
- Find the event log channel used for PowerShell operational logs on Windows.
- Rewrite a sample script so it accepts a token from a secret store or environment variable instead of hardcoding it.
Sources
- Microsoft Learn: about_Execution_Policies
- Microsoft Learn: PowerShell security features
- ✓Execution policy is a safety feature, not a security boundary
- ✓Execution policies are enforced only on Windows platforms
- ✓Group Policy scopes take precedence over local execution policy settings
- ✓Script block logging records commands, functions, scripts, and script blocks for investigation
- ✓AMSI and application control provide stronger defensive value than execution policy alone
1. What is the correct security interpretation of PowerShell execution policy?
2. Which logging feature records commands and script blocks processed by PowerShell?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.