
0. Overview

One of my clients has decided to change their PowerShell execution policy to AllSigned. As a result, any PowerShell scripts executed through Intune are now required to be digitally signed, and script signature validation must be enforced at runtime.

We initially considered signing the scripts with a public certificate, but due to the associated cost and the short renewal cycle, we decided instead to deploy an internal Active Directory Certificate Authority (AD CA) to handle the code signing ourselves.

  • ref) Digital Signature Overview

https://learn.microsoft.com/ko-kr/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)#digital-signatures

1. AD CA Configuration

1. Install CA feature

Check ‘Active Directory Certificate Services’.

Check ‘Certificate Authority’ and ‘Certificate Authority Web Enrollment’.


Check ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’.

Sorry about the image, but make sure to select Enterprise CA!!

Click Next.

Set the CN of the CA.

Select the validity period of the CA.


It’s finished; close the window.

2. Create the code signing certificate template

Once the installation has finished successfully, go to Server Manager > Tools > Certificate Authority.

Under the CN of the CA in the tree, go to Certificate Templates > Manage.

Then Code Signing > (Right Click) Duplicate Template. You could use this template directly, but duplicating it lets you create your own template based on it.

In the General tab, set the template name and the validity period of the certificate.

In the Request Handling tab, select the options.

In the Subject Name tab, select CN as the subject name format.

In the Security tab, I allow Read and Write permissions to Authenticated Users.

Lastly, in the Cryptography tab, I leave everything at the defaults. Click ‘Apply’ and ‘OK’ to save.

So here is our customized certificate template for Code Signing.

3. Adding to the Certificate Templates

Now that we have created the customized template, we have to publish it so the CA can issue it. Go Certificate Templates > (Right Click) New > Certificate Template to Issue.

Find ‘ForIntune’ in the list and click ‘OK’ to add it to the Certificate Templates.


2. From AD DC, Request Certificate

On the AD DC, open mmc and add the Certificates snap-in for Current User. Go (Right Click) Personal > All Tasks > Request New Certificate.

Next.

Select ‘ForIntune’ and click ‘Enroll’.

Certificate enrollment from the AD CA has succeeded.

So we got a new directory under ‘Personal’ and the Code Signing certificate as well.

I just add a friendly name to the certificate.

3. Signing the script

1. Signing

Now let’s sign the script. First of all, we must identify the certificate. Use this command. ‘Cert:\CurrentUser\My’ is the certificate store path where the certificate we issued is stored under Personal.

Get-ChildItem "Cert:\CurrentUser\My" | fl


Assign the certificate to a variable with the following command.

$certificate = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object {$_.Thumbprint -eq "Thumbprint"}


We are ready to go. Execute the following command to sign the PowerShell script.

Set-AuthenticodeSignature -FilePath "C:\IntunePowerShell\CustomCompliance.ps1" -Certificate $certificate


2. Validating

Once the script is signed, you will see the signature information as a commented block at the end of the script. The script will only run if this signature and the certificate details on the device match exactly. If even a single character of the script is modified, the signature no longer matches and the script must be signed again.
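Here is the whole flow from the certificate request in section 2 through the signing and check in section 3 as one PowerShell script. This is an added example and not code from the original post. It assumes the ‘ForIntune’ template and the script path from this post; the thumbprint is a placeholder to replace, the friendly name is my own choice, and the timestamp server URL is left empty unless you have one. The last step shows what Get-AuthenticodeSignature reports once a signed file is modified, which is the failure mode described in the paragraph above.

```powershell
# Added example: enroll (if needed), sign, verify and tamper-check a script.
# Assumptions: the 'ForIntune' template is published on the enterprise CA (as in the post),
# the script path is the one from the post, and the placeholders below are replaced.
$Template     = 'ForIntune'
$ScriptPath   = 'C:\IntunePowerShell\CustomCompliance.ps1'
$Thumbprint   = 'THUMBPRINT_PLACEHOLDER'   # from: Get-ChildItem Cert:\CurrentUser\My | fl
$TimestampUrl = ''                         # optional: URL of an RFC 3161 timestamp server you trust

# 1. Find the code-signing certificate in the Personal store of the current user.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

# 2. If it is not there yet, enroll against the enterprise CA with the template from the post.
#    This is the PowerShell equivalent of the mmc 'Request New Certificate' steps in section 2.
if (-not $cert) {
    $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
    if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
    $cert = $result.Certificate
    $cert.FriendlyName = 'Intune code signing'   # assumed name; same as adding one in mmc
}

# 3. Sign. A timestamp lets the signature stay verifiable after the certificate itself expires,
#    which matters because the template's validity period is short; skip it if you have no server.
$signParams = @{ FilePath = $ScriptPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
if ($TimestampUrl) { $signParams['TimestampServer'] = $TimestampUrl }
$signature = Set-AuthenticodeSignature @signParams
if ($signature.Status -ne 'Valid') { throw "Signing failed: $($signature.StatusMessage)" }

# 4. Read back what was written. The signature block is appended as comments at the end of the file.
$verify = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Status      = $verify.Status
    Signer      = $verify.SignerCertificate.Subject
    Thumbprint  = $verify.SignerCertificate.Thumbprint
    Timestamped = [bool]$verify.TimeStamperCertificate
    HasSigBlock = [bool](Select-String -Path $ScriptPath -Pattern '# SIG # Begin signature block' -Quiet)
}

# 5. Tamper check on a copy: one added comment line before the signature block changes the hash,
#    so the copy reports HashMismatch and is blocked under AllSigned. The original stays untouched.
$copy  = Join-Path $env:TEMP 'CustomCompliance.tampered.ps1'
Copy-Item -Path $ScriptPath -Destination $copy -Force
$lines = Get-Content -Path $copy
Set-Content -Path $copy -Value (,'# one extra comment line' + $lines)
(Get-AuthenticodeSignature -FilePath $copy).Status
Remove-Item -Path $copy
```

Run it in the same user session that holds the certificate. On a correctly signed file the read-back object reports Status Valid with the signer's subject and thumbprint, and the tampered copy reports HashMismatch, which is the same condition that makes AllSigned refuse a script edited after signing.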

3. Deploying the Certificate with GPO

1. Current PowerShell Policy

In Group Policy, MachinePolicy is AllSigned, which means only digitally signed scripts are allowed to execute.


ref) https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.5

2. If the script is not signed..

So at the moment, if the script is not digitally signed, it can’t be executed. Here is test.ps1, which is not signed.

If I execute test.ps1 on the AD-joined device as user cake1, the execution is blocked.

3. If the script is signed but the certificate is not installed on the device..

The script is signed, but the device can’t verify the signature in the script. This is why we have to install the certificate on the devices. In Intune, we selected to run the script in the system context, which means it is executed automatically without any prompt. Let’s deploy the certificate with an AD GPO.


4. Create GPO

Before creating the GPO, we need to export the certificate.

From mmc, export the certificate.

Next.

Select whether to export the private key or not (the devices only need the public certificate to trust the signature). Next.

Select the options you want. Next. image

Select the security principals. Next. image

Browse and select where you want to export the file.


Finish.


This is it.

Create GPO (Trusted Root Certification Authorities & Trusted Publishers!!)

So we will create a new Group Policy Object to deploy our certificate. (Right Click) Group Policy Objects > New.

Give it a name.

Right click and Edit.

Go to ‘Public Key Policies’ and import the certificate. YOU SHOULD DO THE SAME PROCESS FOR TRUSTED PUBLISHERS!!!!


Browse to the location where we exported the certificate.


The certificate is imported into the GPO.

Link the GPO to the OU where the domain-joined devices exist.

Click OK.

5. Validating

Move on to one of the domain-joined devices. Run cmd as administrator and execute ‘gpupdate /force’, or just wait a while and the certificate will be installed automatically.

Trusted Root Certification Authorities and Trusted Publishers.


After that, the script executes without any prompt. So we are good to move on to Intune for the last step.
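The same checks can be done from PowerShell on the device instead of looking through the mmc. The following is an added example, not code from the original post; it assumes it runs in an elevated PowerShell on a domain-joined device after gpupdate /force, uses the script path from this post, and needs the signing certificate's thumbprint filled in where the placeholder is. It reports the execution policy per scope, whether the signing certificate reached the machine's Trusted Publishers store, whether its chain builds to a root the device trusts, and how Get-AuthenticodeSignature judges the deployed script, then maps the result onto the three situations described above.

```powershell
# Added example: verify on a domain-joined device that the GPO delivered what AllSigned needs.
# Assumptions: elevated PowerShell after 'gpupdate /force'; the script path is the one from
# the post; THUMBPRINT_PLACEHOLDER is replaced with the signing certificate's thumbprint.
$ScriptPath       = 'C:\IntunePowerShell\CustomCompliance.ps1'
$SignerThumbprint = 'THUMBPRINT_PLACEHOLDER'

# 1. Execution policy by scope. MachinePolicy is the scope written by the GPO and it takes
#    precedence over the user and process scopes.
$policies      = Get-ExecutionPolicy -List
$machinePolicy = ($policies | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy

# 2. Is the signing certificate in the machine's Trusted Publishers store? AllSigned prompts for
#    signers that are not in this store, and a prompt cannot be answered in the system context
#    Intune runs the script in, so without it the script does not complete.
$inTrustedPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                              Where-Object Thumbprint -eq $SignerThumbprint)

# 3. Does the script's signature verify, and does the signer chain to a root this device trusts?
$sig         = Get-AuthenticodeSignature -FilePath $ScriptPath
$chainBuilds = $false
if ($sig.SignerCertificate) {
    $chain       = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainBuilds = $chain.Build($sig.SignerCertificate)
}

# 4. Map the findings onto the situations described in the post.
$verdict = switch ($sig.Status) {
    'NotSigned'    { 'Script is not signed: blocked under AllSigned.' }
    'HashMismatch' { 'Script was modified after signing: it has to be signed again.' }
    'Valid'        {
        if ($inTrustedPublishers) { 'Signed, chain trusted and signer in Trusted Publishers: runs without a prompt.' }
        else { 'Signature is valid but the signer is not in Trusted Publishers: AllSigned will prompt.' }
    }
    default        { "Signature status $($sig.Status): $($sig.StatusMessage) (signer certificate not trusted on this device)." }
}

[pscustomobject]@{
    MachinePolicy          = $machinePolicy
    SignerInTrustedPubs    = $inTrustedPublishers
    SignerChainBuilds      = $chainBuilds
    SignatureStatus        = $sig.Status
    Verdict                = $verdict
}
```

On a device where the GPO has applied, the object shows MachinePolicy AllSigned, both boolean checks True and SignatureStatus Valid. A device that is only Intune-registered and never received the GPO, like the non-compliant ones in the result section, shows the signer missing from Trusted Publishers and a status other than Valid, which is the condition behind the Intune error described there.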

4. Intune Configuration

All you have to do in Intune is update the script and select ‘Yes’ for ‘Enforce script signature check’.

5. Result

Here is the result. Only the domain-joined device, CAKE1PC, is marked as ‘Compliant’.

Let’s check in the Azure portal. CAKE1PC is Compliant, which means the signed Intune script executed successfully.

But the other devices are not domain joined and are only registered in Intune, so they did not receive the certificate from the GPO.

We configured Intune to allow the script to run only if it is signed. However, when the signed script was executed on those devices, it failed to run because the required certificate was not installed on the device. As a result, the script couldn’t return the JSON data, which led Intune to throw the following error.


6. Ref)

If you are planning to implement a CA in your production environment, it’s highly recommended to use a 3-tier certificate authority hierarchy. Please refer to the following document.


https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)#ca-hierarchy-options

7. Note

In this post, I selected web enrollment, but it’s not recommended. Please check the following link.

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
