Greg's Tech blog

Signed PowerShell scripts in the enterprise

Tuesday 29 of December, 2009

I want to start using PowerShell within our company to manage repeating tasks and general administrative tasks. PowerShell ships from Microsoft in a very secure configuration, so much so that it will not run a file-based script in default mode. I do not wish to break this secure default. I've learned to sign scripts so that I can safely downgrade security to 'AllSigned', which will allow PS to run scripts that are signed with a trusted cert.

The next step is to deploy our code signing cert so that other machines can run the signed scripts without manual intervention. The first part of that is to add the cert as a trusted publisher to a group policy. The instructions for doing that are in this Best Practices document from MS. That worked great for us.

Next, we needed to roll out a group policy change to set the ExecutionPolicy to AllSigned. This was accomplished using a group policy admin template from MS. Once this was installed and imported into the group policy manager, we were able to enable the ExecutionPolicy setting and set it to AllSigned. We then deployed the GPO to the appropriate machine OUs within our domain and PowerShell was automatically reconfigured.

Now we're ready to start using signed scripts!
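
A way to exercise the setup described above, as an added example that is not part of the original post: one function signs a script on the signing workstation, the other checks on a managed machine that both Group Policy settings arrived and that the script's signature chains to the deployed publisher cert. The script path and thumbprint are placeholders, the function names are hypothetical, and it assumes PowerShell 2.0 or later and that the policy was set under Computer Configuration.

```powershell
# Added example. Path and thumbprint are placeholders (assumptions), not values from the post.
$ScriptPath = 'C:\Scripts\Example-Task.ps1'
$Thumbprint = '<CODE-SIGNING-CERT-THUMBPRINT>'

# Signing workstation: sign with the code-signing cert from the user's personal store.
function Add-ScriptSignature {
    param([string]$Path, [string]$Thumbprint)
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Code-signing cert $Thumbprint not found in CurrentUser\My" }
    # Without -TimestampServer the signature stops validating when the cert expires.
    $result = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
    if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }
    $result
}

# Managed machine: confirm the GPO-delivered settings and the script's signature.
function Test-SignedScriptReadiness {
    param([string]$Path, [string]$Thumbprint)

    # Execution policy set through Group Policy appears in the MachinePolicy scope.
    $machinePolicy = Get-ExecutionPolicy -Scope MachinePolicy

    # The cert pushed by the trusted-publisher GPO lands in this machine store.
    $publisher = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    # Status is 'Valid' only if the file is unmodified and the chain is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedByUs = $sig.SignerCertificate -and
        ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)

    New-Object PSObject -Property @{
        MachinePolicy    = $machinePolicy
        EffectivePolicy  = Get-ExecutionPolicy
        PublisherTrusted = [bool]$publisher
        SignatureStatus  = $sig.Status
        SignedByOurCert  = [bool]$signedByUs
        Ready            = ($machinePolicy -eq 'AllSigned') -and $publisher -and
                           ($sig.Status -eq 'Valid') -and $signedByUs
    }
}

# Add-ScriptSignature -Path $ScriptPath -Thumbprint $Thumbprint      # on the signing workstation
Test-SignedScriptReadiness -Path $ScriptPath -Thumbprint $Thumbprint  # on a managed machine
```

If `PublisherTrusted` is false under AllSigned, PowerShell prompts the user about the untrusted publisher instead of running the script unattended, which is the manual intervention the trusted-publisher GPO is meant to remove.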