3) Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-1: Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-4: Run the test scripts
In Part-2, we signed the script with user1’s certificate. That part involved some manual work, such as adding user1’s certificate to the Trusted Publishers store on each computer. Let us see how we can automate this process by using GPO.
First of all, we need to export user1’s certificate from the Personal store on the Node1 computer and bring it to the DC1 computer, from where we can distribute it via Group Policy.
- From the MMC console on the Node1 computer, right-click user1’s certificate and choose Export.
- In the “Export File Format” page, we can choose either the DER encoded or the Base-64 encoded option. See Figure-1.
- Select the location to save the certificate. Click Next, Next and OK.
Then copy the exported certificate file from the Node1 computer to the DC1 computer.
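The export and copy described above can also be done from PowerShell. The following is an added example, not code from the original post; it assumes it is run as user1 on Node1, that C:\Temp exists, that the certificate subject contains “user1”, and that the C$ administrative share on DC1 is reachable with the current credentials (adjust the destination path to your environment).

```powershell
# Added example (not from the original post): export user1's code-signing certificate
# from Node1's Personal store and copy it to DC1, equivalent to the MMC steps above.
# Assumptions: run as user1 on Node1; C:\Temp exists; \\DC1\C$ is reachable.

# Find user1's code-signing certificate in the current user's Personal store (Cert:\CurrentUser\My).
# -CodeSigningCert filters on the Code Signing enhanced key usage, so unrelated certificates are ignored.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like '*user1*' } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No code-signing certificate for user1 was found in Cert:\CurrentUser\My'
}

# Export only the public certificate, DER encoded ("DER encoded binary X.509 (.CER)" in Figure-1).
# Export-Certificate never writes the private key: the GPO distributes trust in user1's key, not the key itself.
$exportPath = 'C:\Temp\user1-codesign.cer'
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# Record the thumbprint so it can be compared on the client computers after the GPO has applied.
"Exported $($cert.Subject) with thumbprint $($cert.Thumbprint) to $exportPath"

# Copy the .cer file to DC1, where it will be imported into the GPO (destination path is an assumption).
Copy-Item -Path $exportPath -Destination '\\DC1\C$\Temp\user1-codesign.cer'
```

Keep the printed thumbprint; it is the quickest way to confirm later that the certificate the GPO deployed is the same one user1 signs with.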
On DC1 Computer, open “Group Policy Management Editor”.
Select the OU where the servers (the computers you want to restrict to signed scripts only) are located (here, the Signed Script Servers OU). Right-click and select “Create a GPO in this domain and Link it here”, and give the GPO a name.
Right-click and Edit the GPO.
Go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies >> Trusted Publishers >> Right-click and Import. See Figure-2.
You need to choose the user1’s certificate file you obtained from Node1 computer. See Figure-3.
I found that this public key policy setting is not enough to deploy certificates to all client computers, so I had to configure another GPO setting. Go to
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Software Restriction Policies >> Trusted Publishers >> Right-click and choose Properties.
Check “Define these policy settings” and select one of the options according to your needs. In my case, I chose the middle one. See Figure-4.
The next step is to enforce that our servers run only scripts that are digitally signed. For this, we have to define the following setting:
Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Windows Powershell >> Turn on Script Execution >> Enabled >> Allow only signed scripts. See Figure-5.
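After linking the GPO, it is worth confirming on a computer in the Signed Script Servers OU that all three settings actually arrived. The following is an added example, not code from the original post: it assumes the exported user1-codesign.cer is available on the client at the path passed as $CerPath (only for thumbprint comparison) and that $ScriptPath points to a script signed by user1 in Part-2.

```powershell
# Added example (not from the original post): verify on a client computer that the GPO
# delivered user1's certificate, the AllSigned execution policy, and that a signed script is accepted.
# Assumptions: $CerPath and $ScriptPath exist on the client; run from an elevated PowerShell session.
function Test-SignedScriptPolicy {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $ScriptPath
    )

    # Refresh computer policy so the checks reflect the newly linked GPO.
    gpupdate /target:computer /force | Out-Null

    # 1. Is user1's certificate present in the machine-wide Trusted Publishers store?
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    $inTrustedPublishers = [bool](Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint })

    # 2. Is the execution policy set at MachinePolicy scope (the "Turn on Script Execution" GPO setting)?
    #    A MachinePolicy value overrides every lower scope and cannot be changed with Set-ExecutionPolicy.
    $machinePolicy = Get-ExecutionPolicy -Scope MachinePolicy   # expect AllSigned

    # 3. Does the test script carry a valid Authenticode signature from the expected signer?
    #    Status 'Valid' only means the signature and certificate chain check out; if the signer is
    #    not in Trusted Publishers, PowerShell still prompts before running the script under AllSigned.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $signerTrusted = $sig.SignerCertificate -and ($sig.SignerCertificate.Thumbprint -eq $expected.Thumbprint)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        CertInTrustedPublishers = $inTrustedPublishers
        MachineExecutionPolicy  = $machinePolicy
        SignatureStatus         = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        SignedByTrustedCert     = $signerTrusted
        ReadyForSignedOnly      = $inTrustedPublishers -and ($machinePolicy -eq 'AllSigned') -and
                                  ($sig.Status -eq 'Valid') -and $signerTrusted
    }
}

# Usage (paths are assumptions for this example):
Test-SignedScriptPolicy -CerPath 'C:\Temp\user1-codesign.cer' -ScriptPath 'C:\Scripts\test.ps1' | Format-List
```

If CertInTrustedPublishers is False while the Public Key Policies import looks correct in the GPO, that is the symptom described above that the additional Software Restriction Policies Trusted Publishers setting resolves; if SignatureStatus is HashMismatch, the script was modified after signing and must be re-signed.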
So far, we have configured a GPO that automatically deploys user1’s certificate as a trusted publisher, and we have configured our servers to run only signed scripts. In the next part, we will test various scenarios as user2 on a new computer, Node2.
Next Part >> Part-4: Run the test scripts