Exploring Device Management.
31 December 2023
In the age of cyber attacks and increasing security threats, it is important to take all necessary steps to secure your systems and data. One such step is code signing, which is the process of digitally signing code to verify its authenticity and integrity. Code signing is particularly important for PowerShell scripts that act as a wrapper script for Intune software deployment, as it adds an extra layer of security to your deployment process.
Code signing is a security technique that involves adding a digital signature to a code file to verify its authenticity and integrity. The digital signature is created using a private key and can be verified using a public key. When a user or system attempts to run a signed code file, the digital signature is checked to ensure that the file has not been tampered with since it was signed. Code signing is a critical security feature that helps protect against malware, phishing attacks, and other security threats. You need to use an dedicated certificate for the code signing. Those certificates can be created with your own PKI infrastructure or you can buy an code signing certificate from an public PKI provider.
PowerShell scripts are an integral part of the Intune software deployment process. However, if a malicious actor were to gain access to your scripts and modify them, they could easily compromise the security of your entire deployment process. Code signing helps to prevent this by adding an extra layer of security to your PowerShell scripts. When you sign your wrapper script with a digital signature, you can be sure that it has not been tampered with and that it can be trusted.
Benefits of code signing for security aspects There are several benefits to using code signing for your wrapper script in the Intune software deployment process. First and foremost, code signing helps to protect against malicious tampering of your PowerShell scripts. This is particularly important in situations where your scripts contain sensitive or confidential information. In addition, code signing can help prevent phishing attacks and other security threats by ensuring that only trusted scripts are executed on your systems. Finally, code signing can help improve overall system security by ensuring that all scripts and executables are verified and trusted.
To sign an PowerShell script you need to run the code below an PowerShell session. The first command is to get the code-signing certificate from the local machine’s personal certificate store. The second command will add a digital signature to the PowerShell script file based on the code signing certificate.
#Get the certificate from the local certificate store named "MYCODESIGNINGCERT" and store it to $codeCert.
$codeCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -match "CN=MYCODESIGNINGCERT"}
#Sign the PowerShell script
Set-AuthenticodeSignature -FilePath C:\Temp\script.ps1 -Certificate $codeCert -TimeStampServer http://timestamp.sampleprovider.com
-TimeStampServer is an optional parameter but I highly recommend you to use an TimeStamp to include in the signature hash so that the signature also works when the certificate is expired.
This will apply an hash section to your script at the end:
In conclusion, code signing is an essential security feature for PowerShell scripts that act as a wrapper script for Intune software deployment. By adding a digital signature to your scripts, you can be sure that they have not been tampered with and that they can be trusted. This can help protect against malicious attacks, phishing attempts, and other security threats. As such, code signing should be a critical part of your overall security strategy.