Monday, January 13, 2014

Microsoft Virtual Academy: PowerShell M07 (Part 1)

Here we are at module 7, with only two more to go.  This is a short segment but it carries a lot of information.  To keep things short I have split it among three posts.  Check the Overview to see what is covered under this post.

To start your own learning check out Microsoft Virtual Academy:
(rewritten based on my notes available here:

Module 7: "Getting prepared for automation" consists of 2 video segments totaling ≈ 26 minutes along with a PowerPoint of 12 slides.

Execution Policy

   The execution policy is your safety net when it comes to PowerShell. For the execution policy to allow a script to run, the script must be digitally signed and the signer must be trusted.  This is different from VB scripts, which just required them to be signed. With all the power that you have in scripts, it is the execution policy that prevents malicious scripts from running.  By default it is set to Restricted (on 2012 R2 I believe it is now RemoteSigned). To see what level your execution policy is at, run the following:

   There are six levels of security: Restricted, Unrestricted, AllSigned, RemoteSigned, Bypass, and Undefined.  For more details on the levels check out the TechNet article:  A note of warning: avoid using Unrestricted and Bypass. For this module we focus on RemoteSigned and AllSigned.  RemoteSigned is best for users starting out, as it allows locally created scripts to be run without being signed, whereas AllSigned requires all scripts to be signed.

   Execution policy can be set through group policy (GPO) or on individual systems.  For GPO instructions check out this TechRepublic article: For individual systems you would execute the following code:

 Set-ExecutionPolicy "[desired level]"

 Set-ExecutionPolicy "remotesigned"
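As an added example (my own, not from the module or its slides) here is the check-then-set sequence I would actually type, using the per-scope view so you can see whether a GPO is already overriding you, and setting the policy for the current user only rather than machine-wide:

```powershell
# Added example, not part of the MVA module. Shows the policy at every scope,
# sets RemoteSigned for the current user only, and verifies the result.

# Scopes are listed in precedence order (MachinePolicy, UserPolicy, Process,
# CurrentUser, LocalMachine); the effective policy is the first one that is
# not Undefined, so a GPO at MachinePolicy wins over anything you set here.
Get-ExecutionPolicy -List

# The single effective value for this session
Get-ExecutionPolicy

# -Scope CurrentUser needs no admin rights and leaves the LocalMachine
# setting (and other users) untouched; -Force suppresses the confirmation.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Verify: if a group policy is in force the cmdlet warns and the effective
# policy will not be what you just asked for.
if ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
    Write-Warning "Effective policy is $(Get-ExecutionPolicy); a higher-precedence scope or GPO is overriding the CurrentUser setting."
}

# RemoteSigned decides "remote" by the Zone.Identifier mark-of-the-web that
# browsers and mail clients attach to downloads. The path here is a
# constructed example; if the stream exists the file counts as remote.
Get-Item -Path 'C:\_scripts\downloaded.ps1' -Stream Zone.Identifier -ErrorAction SilentlyContinue
```

Setting the policy per scope is the piece the slides do not show: the one-line `Set-ExecutionPolicy "remotesigned"` from the post writes to LocalMachine and therefore needs an elevated prompt.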

Signing Scripts

   As you work on creating scripts and securing your network you will at some point move to AllSigned.  This will require all scripts to be signed including the ones you create on a local system.  The following will walk you through how to sign a script.

   To start, you first need a self-signed certificate to use for signing.

    This requires PowerShell v3 or higher (version 2, or systems other than Win8/2k12, will use makecert).  More details here:

    Now we need to find this self-signed certificate and load it for future use.

  Displays the drives available during the PowerShell session

Dir Cert:\CurrentUser -Recurse -CodeSigningCert -OutVariable a
  Pulls all certificates for the current user that have code-signing rights and assigns them to variable $a

$cert = $a[0]
  Takes the first certificate from variable $a and assigns it to variable $cert

   Now that we have a certificate loaded into $cert we can sign our scripts using the following code:

Set-AuthenticodeSignature -Certificate $cert -FilePath [pathtoscript]

Set-AuthenticodeSignature -Certificate $cert -FilePath C:\_scripts\hello.ps1
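Pulling the certificate, signing and verification steps above together, here is the complete workflow as an added example of my own (not the module's code). It assumes Windows 10 / Server 2016 or later, where `New-SelfSignedCertificate` accepts `-Type CodeSigningCert` (older systems use makecert as noted above); the script path is the one from the post, while the certificate subject name and the timestamp server URL are my own assumed values.

```powershell
# Added example, not from the MVA module. Find (or create) a code-signing
# certificate, sign a script with a timestamp, then verify the signature the
# way the AllSigned policy will before it agrees to run the file.

$scriptPath = 'C:\_scripts\hello.ps1'   # path used in the post

# Pick an unexpired code-signing cert from the user's Personal store rather
# than blindly taking $a[0], which may be an old or expired one.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # Subject name is an assumed value; needs Windows 10 / Server 2016+
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Local Script Signing' `
        -CertStoreLocation Cert:\CurrentUser\My `
        -NotAfter (Get-Date).AddYears(2)
}

# Sign. The timestamp (assumed URL) lets the signature stay valid after the
# certificate itself expires, so old scripts do not all break on that day.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com'
$sig.Status

# Verify exactly what the execution policy checks: the signature is Valid
# and it was made by the certificate we expect, not just any signer.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -ne 'Valid' -or
    $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Signature check failed: $($check.Status) - $($check.StatusMessage)"
}

# Any edit to the file after signing changes its hash and the status drops
# to HashMismatch, so re-run the signing step after every change.
```

Two things worth noting: a brand-new self-signed certificate is not yet trusted, so the status will not read Valid until it has been placed in the trusted stores (the Always Run prompt described next does the Trusted Publishers half of that), and the thumbprint comparison is what stops a script signed with some other certificate from passing your own check.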

   Now that we have a signed script, set the execution policy to AllSigned.  When you try to run the script you are prompted with these choices:

  • Never Run
    • Does not run and adds certificate to blocked or untrusted list
  • Do not run
    • Does not run and does nothing with cert
  • Run Once
    • Runs but does nothing with cert
  • Always Run
    • Runs and adds certificate to trusted/allowed list
Check out the rest of this segment:
Part 2:
Part 3:
