Microsoft Finally Notarizes PowerShell for macOS — and Ditches MSI on Windows

Microsoft has confirmed two significant changes to how PowerShell is packaged and distributed — one ending years of frustration for macOS users, the other signalling a deliberate break from a decades-old Windows installer standard.

macOS: Notarization and Hardening Put Gatekeeper Warnings to Rest

For years, installing PowerShell on a Mac has been a surprisingly complicated ritual. Apple’s built-in security layer, Gatekeeper, routinely flagged PowerShell’s .pkg installer and tar archives as coming from an unidentified developer. The result: system-blocking pop-ups, manual trips into System Settings, or running xattr commands in Terminal — not exactly the seamless onboarding enterprise deployments call for.

Starting with the next maintenance release of PowerShell 7.4 and higher, that changes. Microsoft has formally submitted the PowerShell package to Apple for notarization — the process by which Apple scans software for malware and issues a digital ticket confirming it is safe to run. Alongside notarization, the PowerShell binary and its associated libraries are being hardened to satisfy both the security entitlements Apple requires for distributed software and Microsoft’s own internal standards.

The fix arrives just ahead of a hard deadline. Apple has signalled that Homebrew’s PowerShell cask will be disabled on September 1, 2026 if it does not pass Gatekeeper checks. Users who install via Homebrew have already seen deprecation warnings when running brew install powershell. Notarization resolves that issue entirely.

Windows: MSI Is Out, MSIX Is In

On the Windows side, Microsoft announced in April 2026 that the traditional MSI installer format is being deprecated for PowerShell. Beginning with PowerShell 7.7-preview.1, MSIX becomes the primary — and for new releases, the only — installation method on Windows.

The move is not a complete cut-off overnight. Existing releases such as PowerShell 7.6 will continue to ship MSI packages, and organizations already running those versions are not immediately affected. However, PowerShell 7.7 GA and all future versions will not include an MSI installer.

Microsoft’s rationale centres on reliability. The MSI format has historically depended on custom installer actions and scripts, which can produce subtly different results depending on the machine state. MSIX uses a declarative model: the package describes exactly what should be installed, and Windows enforces it — no custom scripts, no unexpected side effects. The format also supports built-in differential updates, meaning only changed components need to be downloaded on each upgrade.

The Bigger Picture: A Year of Deliberate Change for PowerShell

Both announcements sit inside a broader pattern. Microsoft has said publicly that 2026 is a significant year for PowerShell, with the team planning substantial changes to the tool — including the development of PowerShell 7.7, which is expected to introduce breaking design changes alongside these packaging improvements. The macOS notarization fix and the Windows installer modernisation together reflect a push to reduce friction at every stage of the PowerShell lifecycle, from first install to ongoing enterprise management.

For most end users, the most tangible change will be the disappearance of Gatekeeper pop-ups on macOS. For IT administrators managing fleets of Windows machines, the shift to MSIX has deeper implications for deployment pipelines and automation scripts — though with existing releases remaining on MSI, there is a transitional window to adapt.

Detailed release notes and migration guidance are available through the official PowerShell Team blog.