Automox Script Signing allows you to use AllSigned or RemoteSigned PowerShell execution policies without losing Automox functionality. This provides an extra layer of security to your Windows environment by adding a digital signature to your worklets, which ensures that your scripts are not tampered with after creation.
Automox Script Signing currently works with PowerShell scripts (worklets) and Automox system scripts.
Prerequisites:
To enable Automox Script Signing, you must be a Global Administrator or Zone Administrator.
Devices need the PowerShell execution policy set to Bypass or Unrestricted before opting in; otherwise the certificates will not be installed.
Enabling Automox Script Signing
Automox Script Signing is provided as an opt-in feature. To enable this feature, follow these steps:
Select the Settings → Script Signing tab.
Select Opt in to use Automox and custom script signing.
Click Opt In & Install.
This will install the necessary certificates to your connected devices.
Using an Elevated PowerShell Execution Policy
Before elevating your PowerShell execution policy, you must verify that the necessary certificates have been installed to your devices. This information is shown on the Devices page.
Automox Script Signing secures Automox system scripts and your custom scripts; adding a digital signature to prevent tampering. You can update the PowerShell execution policy settings on your Automox devices to enforce signatures on the PowerShell scripts running on your devices, including PowerShell not managed by Automox.
Updating the execution policy settings on your Automox devices is optional.
Account Plan Includes Worklets
Once the necessary certificates have been installed, you can use one of the worklets linked from the Script Signing settings tab to enable one of the following PowerShell execution policies for your devices:
AllSigned: This worklet updates the execution policy settings on your devices to only allow scripts that have been digitally signed by a trusted publisher to execute, regardless of origin (this includes locally created scripts). This ensures that only scripts from trusted sources are permitted to run on your devices.
RemoteSigned: This worklet updates the execution policy settings on your devices to allow locally created scripts to run without signature but enforces remotely created scripts have been digitally signed by a trusted publisher, to execute.
These worklets are also available in our Worklet Catalog:
Windows - Security - Set PowerShell ExecutionPolicy to RemoteSigned
Windows - Security - Set PowerShell ExecutionPolicy to AllSigned
Account Plan Does Not Include Worklets
If your account plan does not include worklets, you can still enable script signing for your devices and elevate your PowerShell execution policy. You will need to run a couple of PowerShell commands locally on the devices where you want to limit script usage to AllSigned or RemoteSigned.
You will be using the locally installed PowerShell on the device, which can be found at Start → All Programs → Windows PowerShell version → Windows PowerShell
Setting Script Execution Policy Locally
To set the Script Execution policy locally, follow these steps:
Check the current signing policy on the device:
Get-ExecutionPolicy
Set the signing policy for the device:
RemoteSigned (recommended):
Set-ExecutionPolicy RemoteSigned
AllSigned:
Set-ExecutionPolicy AllSigned
Verify that the execution policy has been applied on the device:
Get-ExecutionPolicy
Reverting Automox Script Signing
In the event that you want to revert the execution policy back to the default setting, run the following command in a PowerShell prompt on the target device: Set-ExecutionPolicy Default
Alternatively, you can follow the revert instructions in our Windows - Security - Set PowerShell ExecutionPolicy to AllSigned and Windows - Security - Set PowerShell ExecutionPolicy to RemoteSigned worklets from the Automox Worklet Catalog, if your account plan includes worklets.