PowerShell Signing Scripts


Signing a script lets it run under every execution policy (provided the certificate it was signed with is trusted on the computer that runs it) and protects its integrity: under the AllSigned and RemoteSigned policies a signed script that has been modified after signing fails to run, because the stored hash no longer matches the file. Note that the Unrestricted and Bypass policies run modified or unsigned scripts anyway, so signing only enforces integrity where the policy requires a valid signature.

Script signing requires a code-signing certificate. Recommendations:

  • Personal scripts/testing (not shared): Certificate from a trusted certificate authority (internal or third-party) OR a self-signed certificate.
  • Shared inside the organization: Certificate from a trusted certificate authority (internal or third-party).
  • Shared outside the organization: Certificate from a trusted third-party certificate authority.

Read more at about_Signing @ TechNet
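The following is an added example (not code from the original page) that walks through the whole signing cycle: create a self-signed code-signing certificate, trust it for testing, sign a script, verify the signature, then tamper with the script and watch verification fail. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later (where New-SelfSignedCertificate supports -Type CodeSigningCert); the subject name "CN=ExampleSigner" and the file names under $env:TEMP are illustrative.

```powershell
# Added example, not from the original page.
# Assumptions: Windows 10 / Server 2016 or later, Windows PowerShell 5.1+,
# the PKI module (New-SelfSignedCertificate, Export/Import-Certificate).
# Subject name and file paths are illustrative.

$script  = Join-Path $env:TEMP 'Hello.ps1'
$cerPath = Join-Path $env:TEMP 'ExampleSigner.cer'
Set-Content -Path $script -Value 'Write-Output "Hello from a signed script"'

# 1. Self-signed code-signing certificate in the current user's personal store.
#    Acceptable only for personal/testing use; shared scripts need a CA-issued cert.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=ExampleSigner' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Trust it (testing only). Without this, verification reports UnknownError
#    ("certificate chain could not be built to a trusted root authority").
#    Root store: makes the chain valid. TrustedPublisher store: stops AllSigned
#    from prompting "Do you want to run software from this untrusted publisher?".
#    Importing into CurrentUser\Root shows a confirmation dialog.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 3. Sign. Add -TimestampServer <url> in production so the signature stays valid
#    after the certificate expires (omitted here so the example runs offline).
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# 4. Verify: Status is Valid, and the signature block is appended as a comment.
(Get-AuthenticodeSignature -FilePath $script).Status
Get-Content -Path $script | Select-Object -First 3

# 5. Tamper with the signed body (the signature block stays in place).
(Get-Content -Path $script) -replace 'signed script', 'TAMPERED script' | Set-Content -Path $script

# Verification now reports HashMismatch, and AllSigned refuses to run the file:
(Get-AuthenticodeSignature -FilePath $script).Status
powershell.exe -NoProfile -ExecutionPolicy AllSigned -File $script
```

Get-AuthenticodeSignature is also the check to run on any script you receive: a Status of Valid only tells you the file is unchanged since signing, so look at SignerCertificate as well to confirm who signed it.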

Execution policies

PowerShell has configurable execution policies that control the conditions under which a script or configuration file may be executed. An execution policy can be set for several scopes, in this order of precedence: MachinePolicy and UserPolicy (set through Group Policy), Process (the current powershell.exe process only), CurrentUser and LocalMachine. The execution policy is not a security boundary: it can easily be bypassed (for example by starting a new process with -ExecutionPolicy Bypass) and is not designed to restrict what users can run, but to protect them from running scripts, in particular unsigned downloaded ones, unintentionally.

The available policies are:

Restricted    No scripts may run; PowerShell can only be used interactively.
AllSigned     All scripts and configuration files, including local ones, must be signed by a trusted publisher.
RemoteSigned  Local scripts run unsigned; scripts downloaded from the internet (marked with a Zone.Identifier stream) must be signed by a trusted publisher.
Unrestricted  No signing requirement. All scripts run, but you are warned before running scripts downloaded from the internet.
Bypass        All scripts run; nothing is blocked and no warnings or prompts are shown.
Undefined     No policy is set in the current scope; the next scope in order of precedence applies. If all scopes are Undefined, the default applies: Restricted on Windows client editions, RemoteSigned on Windows Server.

You can change the execution policy with the Set-ExecutionPolicy cmdlet (use -Scope to pick CurrentUser, LocalMachine or Process), through Group Policy (which sets the MachinePolicy and UserPolicy scopes and takes precedence over anything set with Set-ExecutionPolicy), or for a single process with the -ExecutionPolicy parameter when launching powershell.exe.
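The session below is an added example (not from the original page) that shows the scopes and their precedence, the difference between a persistent and a process-only policy, and why the policy protects against accidents rather than restricting users. It assumes Windows PowerShell 5.1 on Windows; the script path under $env:TEMP is illustrative.

```powershell
# Added example, not from the original page.
# Assumptions: Windows PowerShell 5.1 on Windows; script path is illustrative.

# All scopes, listed in precedence order: the first scope that is not
# Undefined wins (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
Get-ExecutionPolicy -List

# The effective policy for this session.
Get-ExecutionPolicy

# Persistent per-user policy: written to the registry, no admin rights needed,
# but silently overridden if a Group Policy scope is set.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

# Process-only policy: nothing is written to disk, gone when the process exits,
# and it takes precedence over CurrentUser and LocalMachine.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force

$script = Join-Path $env:TEMP 'Unsigned.ps1'
Set-Content -Path $script -Value 'Write-Output "unsigned script ran"'

# Under AllSigned the unsigned script is refused with a security error...
try {
    & $script
} catch {
    Write-Output "Blocked: $($_.FullyQualifiedErrorId)"   # UnauthorizedAccess
}

# ...but a child process picks its own policy, which is the documented reason
# the execution policy is not a restriction on a determined user.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# RemoteSigned and Unrestricted decide "downloaded from the internet" from the
# Zone.Identifier alternate data stream that browsers attach. Inspect it, and
# remove it once you have reviewed the file:
Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
Unblock-File -Path $script
```

For anything that must actually be enforced, rely on signing plus Group Policy (or application control such as AppLocker/WDAC) rather than on the execution policy itself.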

Read more at about_Execution_Policies @ TechNet