How to Code Sign PowerShell

by | Dec 7, 2022 | How-To

Last updated on December 22nd, 2023 at 12:29 pm

There is a very long story about PowerShell, ConfigMgr, Jeffrey Snover, and me. The short version of that story is that I'm now getting to use PowerShell to its fullest. In today's world, a Microsoft Configuration Manager (SCCM / ConfigMgr / MCM) administrator must leverage and master many different tools. One of those tools is PowerShell. But how do you keep your PowerShell scripts and your environment secure? One way is to code sign your PowerShell scripts. That way you know that no one has tampered with your script! But how do you do that?

This article assumes that you have already installed and configured ADCS. If you have not done these steps, make sure that you review How to Install AD Certificate Services and How to Configure AD Certificate Services. After that, I assume that you have issued a code signing certificate! If not, see How to Create a Code Signing Certificate.

Why Code Sign PowerShell?

When you code sign a script, you are making sure that no one else can change, edit, or alter the script in any way without it being detected. If they do, the script will no longer be valid! Ultimately, this allows you to validate who signed the script and that it is unchanged since being signed.

PowerShell Execution Policies

As more companies lock down their environments to protect themselves, the need for PowerShell has grown more important. PowerShell allows you to execute the same commands over and over, ensuring consistent results. But PowerShell is extremely powerful too, which means it can be abused. So, like many things, you should never run a script without knowing what it does, and even then be cautious. The Execution Policy is designed to "restrict" what scripts can be run and under what scenario. For a full list of the 7 policy modes, see the official online docs: about Execution Policies – PowerShell | Microsoft Learn

The AllSigned execution policy is one of the policies that many companies are moving towards for most computers. Using the AllSigned policy means that before any script can be run, it must first pass the signing requirements. Once it passes the signing stage, the script will run. The reason this is important is that almost no virus author or scammer will go through the process of acquiring a code signing certificate via the authorized process, as it will point back to them. But why are businesses moving to this policy? Because it is the most restrictive policy without stopping the use of PowerShell completely. Additionally, most businesses will happily go through the process of acquiring a certificate to prove that their code is their own and that it has not been altered.

To enable the AllSigned execution policy, use these PowerShell commands.

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Get-ExecutionPolicy -List

How to Code Sign PowerShell

Time Stamp Server

But first, whenever possible, always use a Time Stamp Server. It will code sign and time stamp your PowerShell script and show that the certificate was valid at the time it was signed. If you skip this step, your scripts will need to be re-signed when the certificate expires. Doing this will save headaches down the road.

But how do you code sign a PowerShell script? You use another script to do it, like the one below. I know, it will seem a lot harder than it actually is!

Code to Sign your PowerShell Script

# Timestamp server so the signature stays valid after the certificate expires
$TimeStampServer = "http://timestamp.digicert.com"

# The script to sign
$PS1 = "C:\Users\garth\Desktop\DeviceSeed\DeviceSeed\hello.ps1"

# Query the code-signing certificate from your certificate store
$codeCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "CN=Garth Jones"}

# Sign the PowerShell script
Set-AuthenticodeSignature -FilePath $PS1 -Certificate $codeCert -TimeStampServer $TimeStampServer

Sample of a code signing PowerShell script.

What about tampering with the script?

In a nutshell, once the script is signed, no changes can be made to it. If a change is detected, the script is blocked. There really isn't much more to it than that, but in the video I demonstrate changing the script: I add a new line to the script and show how PowerShell blocks it.
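The signing and tamper check described above, as an added example that is not the post's own code: it writes a constructed throwaway script, signs it with a timestamp, verifies it with Get-AuthenticodeSignature (the same check AllSigned performs before running a script), then edits the script body to show the status flip from Valid to HashMismatch. The certificate subject is assumed to match the post's; change it to match your own store.

```powershell
# Added example (not from the post). Assumes a code-signing certificate in
# Cert:\CurrentUser\My whose subject is $SubjectName; adjust as needed.
$TimeStampServer = 'http://timestamp.digicert.com'
$SubjectName     = 'CN=Garth Jones'                        # subject from the post; replace with yours
$ScriptPath      = Join-Path $env:TEMP 'signing-demo.ps1'  # constructed sample script, not a real file of the project

# Create a small script so the example runs end to end
Set-Content -Path $ScriptPath -Value 'Write-Output "hello from a signed script"'

# -CodeSigningCert limits the lookup to certificates with the code signing EKU
$codeCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $SubjectName } |
    Select-Object -First 1
if (-not $codeCert) { throw "No code signing certificate with subject '$SubjectName' found." }

# Sign with a timestamp so the signature remains valid after the certificate expires
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $codeCert -TimestampServer $TimeStampServer
"After signing:  {0}" -f $signed.Status                      # expected: Valid

# Verify independently of the signing call
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
"Verify:         {0} (signer {1})" -f $check.Status, $check.SignerCertificate.Subject
"Timestamped:    {0}" -f ($null -ne $check.TimeStamperCertificate)

# Tamper: change one word in the script body above the signature block without re-signing
(Get-Content -Path $ScriptPath) -replace 'hello', 'tampered' | Set-Content -Path $ScriptPath
$tampered = Get-AuthenticodeSignature -FilePath $ScriptPath
"After edit:     {0}" -f $tampered.Status                    # expected: HashMismatch

# Under AllSigned, any status other than Valid means PowerShell refuses to run the script
Remove-Item -Path $ScriptPath -ErrorAction SilentlyContinue
```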

How to Code Sign PowerShell companion Video

Finally, don't forget that you can subscribe to my RSS feed to stay on top of the latest tips and tricks. Additionally, if you have any questions, please feel free to touch base @Garthmj.