
Enable and Run Signed PowerShell Scripts in Windows


By default, PowerShell scripts are restricted from running for security reasons. While the -ExecutionPolicy Bypass switch can override this restriction, it's not the most secure option. If you want to enhance security, it's worth exploring how to allow only signed scripts to run. Here, we'll look at how to create and authorize only signed scripts.

Group Policy to allow signed scripts only

  • Open the Group Policy editor:
Open the Run dialog and type gpedit.msc to access the Local Group Policy Editor.
  • Go to User Configuration > Administrative Templates > Windows Components > Windows PowerShell and locate the Turn on Script Execution setting.
  • Edit the Turn on Script Execution policy:
Set the policy to Enabled and select Allow only signed scripts as the execution policy.

Create Certificate

To sign our scripts, we need a certificate. Here's how to create a self-signed certificate.

  • Open Windows PowerShell as administrator (right-click PowerShell and choose Run as administrator):
  • Set a name for your new certificate in the variable $CertificateName:
PS C:\Users\Administrator\Desktop> $CertificateName = "STD Certificate"
  • Define where you want to create your certificate:
PS C:\Users\Administrator\Desktop> $OutPutPFXFilePath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"
  • Set password for the pfx container:
PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
  • Finally, create the certificate with a lifetime of 10 years and a key size of 4096 bits, and export it together with its private key to the PFX file:
PS C:\Users\Administrator\Desktop> New-SelfSignedCertificate -Subject $CertificateName -Type CodeSigningCert -NotAfter (Get-Date).AddYears(10) -KeyLength 4096 | Export-PfxCertificate -FilePath $OutPutPFXFilePath -Password $MyStrongPassword

Signing the script

  • Load the certificate (you are prompted for the PFX password):
PS C:\Users\Administrator\Desktop> $MyCertFromPfx = Get-PfxCertificate -FilePath 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
Enter password : ********
  • Sign the script:
PS C:\Users\Administrator\Desktop> Set-AuthenticodeSignature -PSPath 'C:\Users\administrator\Desktop\script.ps1' -Certificate $MyCertFromPfx

Importing the certificate

To be correctly recognized, a self-signed certificate must be imported on the computers on which we want to run the PowerShell scripts. Type the following commands with administrator rights.

Set variables

  • Set the pfx password and certificate path:
PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
PS C:\Users\Administrator\Desktop> $CertPath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"

Import to Trusted Root Certification Authorities store

  • Import the certificate into the Trusted Root Certification Authorities local computer store:
PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath -CertStoreLocation "cert:\LocalMachine\Root" -Password $MyStrongPassword

Import to Trusted Publishers store

  • Import the certificate to the Trusted Publishers local computer store:
PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath -CertStoreLocation "cert:\LocalMachine\TrustedPublisher" -Password $MyStrongPassword

Check script signature

  • We can check whether the script is correctly signed using the Get-AuthenticodeSignature command; a correctly signed and trusted script shows the status Valid:
PS C:\Users\Administrator\Desktop> Get-AuthenticodeSignature 'C:\Users\administrator\Desktop\script.ps1'
  • If the script has been altered after being signed, the status HashMismatch appears instead and the script cannot be executed.
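As an added example (not part of the original post), the following script ties the import and check steps together from the administrator's side: it exports only the public certificate from the PFX so the private key stays on the signing machine, trusts that .cer on the target computer, and then audits a folder of scripts, reporting any that are unsigned, altered after signing, or signed by a certificate other than the expected one. $PfxPath, $CerPath and $ScriptDir are placeholders.

```powershell
# Added example, not part of the original post. Paths below are placeholders:
# $PfxPath is the PFX created earlier, $ScriptDir a folder of scripts to audit.
$PfxPath   = 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
$CerPath   = 'C:\Users\administrator\Desktop\MyNewSigningCertificate.cer'
$ScriptDir = 'C:\Scripts'

# 1. On the signing machine: load the PFX and export the public certificate only.
#    The .cer is all a target computer needs to validate signatures; the private
#    key inside the PFX should not be copied to machines that merely run scripts.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $pfxPassword
Export-Certificate -Cert $signingCert -FilePath $CerPath -Type CERT | Out-Null

# 2. On each target computer (run as administrator): trust the public certificate.
#    Root makes the self-signed chain valid; TrustedPublisher suppresses the
#    "Do you want to run software from this untrusted publisher?" prompt.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 3. Audit: list every script that would be refused under AllSigned, with the reason.
#    Status 'Valid' alone is not enough; the signer thumbprint is pinned as well,
#    so a script signed by some other certificate that happens to be trusted is
#    flagged too.
function Get-UntrustedScript {
    param([string]$Path, [string]$ExpectedThumbprint)
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
        Where-Object {
            $_.Status -ne 'Valid' -or
            $_.SignerCertificate.Thumbprint -ne $ExpectedThumbprint
        } |
        Select-Object Path, Status, StatusMessage,
            @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
}

# Status values you will typically see here: NotSigned (no signature block),
# HashMismatch (edited after signing), UnknownError (signer not trusted on this
# machine, i.e. the .cer was never imported into Root).
Get-UntrustedScript -Path $ScriptDir -ExpectedThumbprint $signingCert.Thumbprint |
    Format-Table -AutoSize
```

Run steps 1 and 3 where the PFX lives and step 2 on each target computer; only the .cer file needs to travel between them.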

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
