How To Self-Sign PowerShell Scripts

By default, and for security reasons, PowerShell does not run scripts. We could of course use the -ExecutionPolicy Bypass switch, but if we want to increase security it is useful to know how to allow signed scripts only. So here we will see how to create signed scripts and how to allow only signed scripts to run.

Group Policy to allow signed scripts only

On Windows, run gpedit.msc, open the Windows PowerShell policies and set the "Turn on Script Execution" policy so that only signed scripts are allowed.

Create Certificate

To sign our scripts we need a certificate. We will see here how to create a self-signed one.

Open a PowerShell console as administrator and run:

PS C:\Users\Administrator\Desktop> $CertificateName = "STD Certificate"
PS C:\Users\Administrator\Desktop> $OutPutPFXFilePath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"
PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
PS C:\Users\Administrator\Desktop> New-SelfSignedCertificate -Subject $CertificateName -Type CodeSigning -NotAfter (Get-Date).AddYears(10) -KeyLength 4096 | Export-PfxCertificate -FilePath $OutPutPFXFilePath -Password $MyStrongPassword

Signing the script

PS C:\Users\Administrator\Desktop> $MyCertFromPfx = Get-PfxCertificate -FilePath 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
Enter password : ********
PS C:\Users\Administrator\Desktop> Set-AuthenticodeSignature -FilePath 'C:\Users\administrator\Desktop\script.ps1' -Certificate $MyCertFromPfx

Import Certificate

To be correctly recognized, a self-signed certificate needs to be imported on every computer on which we want to run the signed PowerShell scripts. So type the following commands with administrator rights.

Set variables

PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
PS C:\Users\Administrator\Desktop> $CertPath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"

Import to Trusted Root Certification Authorities store

PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root -Password $MyStrongPassword

Import to Trusted Publishers store

PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -Password $MyStrongPassword

Check signature

PS C:\Users\Administrator\Desktop> Get-AuthenticodeSignature 'C:\Users\administrator\Desktop\script.ps1'

The output shows whether the script is correctly signed. If the script is changed after signing, PowerShell refuses to run it with the following error: "File cannot be loaded. The contents of file might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature."
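The import steps above copy the whole PFX, private key included, onto each client machine. As an added example (not part of the original post), the following script distributes only the public certificate (.cer) and then audits a folder of scripts, reporting any whose signature is not Valid or whose signer is not the expected certificate; the paths, the C:\Scripts folder and the password are placeholders.

```powershell
# Added example (not from the original post). Assumed placeholders:
# the PFX/CER paths, the 'MyPassword' string and the C:\Scripts folder.
$PfxPath = 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
$CerPath = 'C:\Users\administrator\Desktop\MyNewSigningCertificate.cer'

# 1. Signing machine only: the PFX (private key) stays here. Export just the
#    public part; Export-Certificate -Type CERT writes a DER .cer without the key.
$SigningCert = Get-PfxCertificate -FilePath $PfxPath   # prompts for the PFX password
Export-Certificate -Cert $SigningCert -FilePath $CerPath -Type CERT | Out-Null

# 2. Client machines (run as administrator): import the .cer, which carries no
#    private key, into the two stores PowerShell consults for signed scripts.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Audit: one row per script with its signature status and signer thumbprint.
#    Status values of interest: Valid, NotSigned, HashMismatch (file edited after
#    signing), NotTrusted (signer not in the trusted stores), UnknownError.
function Test-ScriptSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        Script     = $Path
        Status     = $sig.Status
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        # Trusted only when the signature validates AND it was made by the pinned
        # certificate, not merely by any certificate present in TrustedPublisher.
        Trusted    = ($sig.Status -eq 'Valid') -and ($signer.Thumbprint -eq $ExpectedThumbprint)
    }
}

# List every script under C:\Scripts that should not be trusted.
Get-ChildItem -Path 'C:\Scripts' -Filter *.ps1 -Recurse |
    ForEach-Object { Test-ScriptSignature -Path $_.FullName -ExpectedThumbprint $SigningCert.Thumbprint } |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize
```

Step 3 can be run on its own on any client by replacing $SigningCert.Thumbprint with the known thumbprint of the signing certificate.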

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.