How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide – Part 3

3) Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-1:Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-4: Run the test scripts

In Part-2, we signed the script with user1’s certificate. Some manual work remained, such as adding user1’s certificate to the Trusted Publishers group on each computer. Let us see how we can automate this process by using a GPO.

First of all, we need to export user1’s certificate from Node1 computer’s personal store to DC1 computer, from where we can distribute this certificate via Group Policy.

  1. From MMC console on Node1 computer, right-click the user1’s certificate and export.
  2. In the “Export File Format” page, we can choose either the DER encoded or the Base-64 encoded option. See Figure-1.
  3. Select the location to save the certificate. Click Next, Next and OK.
Figure-1: Select certificate type

You need to export the certificate from Node1 computer to DC1 computer.
On DC1 Computer, open “Group Policy Management Editor”.

Select the OU where your servers (the computers you want to allow only signed scripts on) are located (in this guide, the Signed Script Servers OU). Right-click and select “Create a GPO in this domain and Link it here”, then give the GPO a name.

Right-click and Edit the GPO.

Go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies >> Trusted Publishers >> Right-Click and Import. See Figure-2.

You need to choose the user1’s certificate file you obtained from Node1 computer. See Figure-3.

Figure-2: Export user1’s certificate to trusted publishers via GPO
Figure-3: Select user1’s certificate to import

I found that this public key policy setting is not enough to deploy certificates to all client computers. So I had to do another GPO setting. Go to
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Software Restriction Policies >> Trusted Publishers >> Right-click and choose Properties.

Check “Define these policy settings” and select one of the options according to your needs. For me, I chose the middle one. See Figure-4.

Figure-4: Again we enable Trusted Publishers Group

The next step is to enforce that our servers run only scripts that are digitally signed. For this, we have to define the following setting:
Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Windows PowerShell >> Turn on Script Execution >> Enabled >> Allow only signed scripts. See Figure-5.

Figure-5: Group Policy Setting: Allow only signed scripts on servers
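The following PowerShell script is an added example, not code from the original post, for checking on a domain member that the three GPO settings above actually applied: the machine-scope execution policy is AllSigned, user1’s certificate is present in the computer’s Trusted Publishers store, and the script signed in Part-2 still validates with that same certificate. The paths C:\Temp\user1.cer and C:\Scripts\test.ps1 are assumed placeholders.

```powershell
# Added verification script (not from the original post). Run on a domain
# member in the Signed Script Servers OU after 'gpupdate /force'.
# Assumed placeholders: the exported signer certificate and a script signed in Part-2.
param(
    [string]$SignerCer    = 'C:\Temp\user1.cer',
    [string]$SignedScript = 'C:\Scripts\test.ps1'
)

# (Optional) how step 1 of the export could be scripted on Node1 instead of using MMC:
#   Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath $SignerCer

# 1. The execution policy must come from Group Policy (MachinePolicy scope) and be AllSigned.
$machinePolicy = (Get-ExecutionPolicy -List |
    Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
if ($machinePolicy -eq 'AllSigned') {
    Write-Output "OK: MachinePolicy execution policy is AllSigned."
} else {
    Write-Warning "MachinePolicy execution policy is '$machinePolicy'; the 'Turn on Script Execution' GPO has not applied."
}

# 2. user1's certificate must be in the computer's Trusted Publishers store.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignerCer
$trusted  = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $expected.Thumbprint
if ($trusted) {
    Write-Output "OK: $($expected.Subject) is in LocalMachine\TrustedPublisher."
} else {
    Write-Warning "Thumbprint $($expected.Thumbprint) is missing from LocalMachine\TrustedPublisher; under AllSigned the user will be prompted or blocked."
}

# 3. The Part-2 script's signature must chain to a trusted root and be unmodified,
#    and it must have been made with the certificate we distributed.
$sig = Get-AuthenticodeSignature -FilePath $SignedScript
switch ($sig.Status) {
    'Valid'        { Write-Output "OK: signature on $SignedScript is valid." }
    'HashMismatch' { Write-Warning "$SignedScript was modified after signing; AllSigned will block it." }
    'NotSigned'    { Write-Warning "$SignedScript is not signed; AllSigned will block it." }
    default        { Write-Warning "Signature status for $SignedScript is $($sig.Status) ($($sig.StatusMessage))." }
}
if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
    Write-Warning "Script is signed by a different certificate: $($sig.SignerCertificate.Subject)"
}
```

A warning on check 1 usually means the GPO is linked to the wrong OU or has not refreshed yet; a warning on check 2 with check 1 passing points at the Trusted Publishers import in Figure-2/Figure-4.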

For now, we have configured a GPO to automatically deploy user1’s certificate to Trusted Publishers. Moreover, we have enforced that our servers run only signed scripts. In the next part, we will test various methods as user2 on a new computer, Node2.

Next Part >> Part-4: Run the test scripts
