All Signed PowerShell Execution Policy

9/10/2018
Tags: powershell, execution policy, certificates

Purpose:
You receive an error similar to the following when running a PowerShell script or command from PDQ Deploy or PDQ Inventory:

You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.

The error is raised from either Error Handling Wrapper.ps1 or User.ps1.

Resolution:
PDQ.com signs every .ps1 file included in the product with a code-signing certificate issued by DigiCert. This covers the two wrapper scripts used when executing PowerShell steps or remote commands, as well as every .ps1 in the package library. The thumbprint of the certificate is:

709DF96FEEDE2CAB2A5FB803BEB599571D18A1D4 

CN=PDQ.COM CORPORATION, O=PDQ.COM CORPORATION, L=Salt Lake City, S=Utah, C=US

This certificate is not included in the Trusted Publishers store on Windows by default. It is the same code-signing certificate with which we sign our applications. When the execution policy is set to "All-Signed", PowerShell will only run a script when the entire certificate chain is installed and trusted. Installing a signed application does not carry this requirement; the installed application must only have a valid signature.

In order to run a PowerShell script from our product when the "All-Signed" execution policy is set, you will need to install the certificate chain. There are a few ways to accomplish this on your remote machines. First, extract the certificate from the product itself. The PowerShell commands below export a .cer file that you can deploy in whichever manner you choose:

# Define the code-signing certificate as a variable, read from the signed console executable
$cert = (Get-AuthenticodeSignature -FilePath "C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe").SignerCertificate

# Export the certificate to a file
Export-Certificate -Cert $cert -FilePath C:\pdqcert.cer -Type Cert


Now that we have the certificate exported, we have a few options on how to install this certificate:

1. PDQ Deploy - https://support.pdq.com/knowledge-base/1233

2. Group Policy - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

IMPORTANT:
If you have set your execution policy via Group Policy, this is the only option you can use.


3. PowerShell -

# Import the certificate created previously into the computer's Trusted Publishers store
Import-Certificate -FilePath C:\pdqcert.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher\


WARNING:
The above referenced certificate will expire October 18, 2019. When PDQ.com renews this certificate, you will need to import the new certificate again.
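The following script is an added example, not part of the original article, that ties the steps above together with the check a practitioner would want before trusting an exported certificate: it compares the .cer file's thumbprint with the value published above, imports it only when it is missing from Trusted Publishers, and then reports the signature status of a wrapper script. It assumes the C:\pdqcert.cer path used above, the User.ps1 path shown (adjust it to your install), and an elevated session, since writing to the LocalMachine store requires administrator rights.

```powershell
# Added example; run elevated. Thumbprint and .cer path are taken from the article above.
$ExpectedThumbprint = '709DF96FEEDE2CAB2A5FB803BEB599571D18A1D4'
$CerPath = 'C:\pdqcert.cer'
# Assumed location of one of the signed wrapper scripts; adjust to your installation.
$ScriptToCheck = 'C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\User.ps1'
$Store = 'Cert:\LocalMachine\TrustedPublisher'

# Load the exported certificate and refuse to trust it unless the thumbprint matches
# the published value; this guards against importing the wrong or a tampered .cer file.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint. Not importing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter); the renewed certificate must be imported instead."
}

# Import only if the certificate is not already in Trusted Publishers (idempotent for repeated deployments)
if (Get-ChildItem $Store | Where-Object Thumbprint -eq $ExpectedThumbprint) {
    Write-Host "Certificate $ExpectedThumbprint already present in $Store"
} else {
    Import-Certificate -FilePath $CerPath -CertStoreLocation $Store | Out-Null
    Write-Host "Imported certificate $ExpectedThumbprint into $Store"
}

# Status reports whether the script's signature and chain verify (Valid, NotTrusted, UnknownError, ...).
# Membership in Trusted Publishers is what lets AllSigned run it without a publisher prompt,
# which a remote, non-interactive deployment cannot answer.
if (Test-Path $ScriptToCheck) {
    $sig = Get-AuthenticodeSignature -FilePath $ScriptToCheck
    "{0}: {1} (signer {2})" -f $ScriptToCheck, $sig.Status, $sig.SignerCertificate.Thumbprint
}

# Show which scope sets the effective policy; a MachinePolicy value means Group Policy controls it
Get-ExecutionPolicy -List
```

If Get-ExecutionPolicy -List shows the policy coming from MachinePolicy, the certificate must be distributed through Group Policy as noted in option 2.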




The below images are what should appear on the computer's certificate manager when completed: