Cyber Intelligence
Operations and Security · Admin automation

L9. Security: Execution Policy, Logging, AMSI, and Secrets

Learn what PowerShell security controls do and do not do: execution policy, script block logging, module logging, AMSI, constrained language mode, application control, and secret handling.

Execution Policy Is Not a Security Boundary

Execution policy helps prevent accidental script execution, but Microsoft explicitly documents that it is not a security system that restricts user actions. On Windows, policies such as RemoteSigned, AllSigned, and Restricted affect when scripts and configuration files load. On non-Windows systems, execution policy behavior is effectively unrestricted/bypass-like because Windows security zones are not implemented.

Get-ExecutionPolicy
Get-ExecutionPolicy -List
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Group Policy can override local settings. Always check Get-ExecutionPolicy -List before assuming what policy is effective.

Logging

PowerShell security monitoring relies heavily on logs:

ControlWhat it records
Module loggingPipeline execution events for selected modules
Script block loggingCommands, functions, scripts, and script blocks
TranscriptionConsole input and output for a session
Script block logging is especially valuable for detecting suspicious encoded commands, download cradles, and living-off-the-land behavior.

AMSI and Language Restrictions

On supported Windows systems, PowerShell sends script content to AMSI for antimalware inspection. PowerShell 7.3 extended AMSI data to include .NET method invocations. Constrained Language Mode limits what scripts can do, especially when enforced through application control.

Application control is the stronger enterprise control. Microsoft identifies App Control for Business as the preferred Windows application control system. Execution policy remains defense-in-depth, not containment.

Secrets

Do not hardcode passwords, tokens, or API keys in scripts. Prefer managed identities, certificates, environment-specific secret stores, or SecretManagement-compatible vaults. Microsoft no longer recommends SecureString for new development as a general password-handling strategy; it remains for compatibility and reducing accidental console/log exposure.

Lab

  1. Run Get-ExecutionPolicy -List.
  2. Explain which scope wins by precedence.
  3. Find the event log channel used for PowerShell operational logs on Windows.
  4. Rewrite a sample script so it accepts a token from a secret store or environment variable instead of hardcoding it.

Sources

Exam Focus Points
  • Execution policy is a safety feature, not a security boundary
  • Execution policies are enforced only on Windows platforms
  • Group Policy scopes take precedence over local execution policy settings
  • Script block logging records commands, functions, scripts, and script blocks for investigation
  • AMSI and application control provide stronger defensive value than execution policy alone
Knowledge Check

1. What is the correct security interpretation of PowerShell execution policy?

2. Which logging feature records commands and script blocks processed by PowerShell?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available