Sccm How To Sign A Ps1 For Deployment

5 min read Oct 14, 2024

SCCM: How to Sign a PS1 for Deployment

System Center Configuration Manager (SCCM) is a powerful tool for managing and deploying software and updates to your network. One common scenario is deploying PowerShell scripts to configure systems or automate tasks. However, for security reasons, SCCM requires that PowerShell scripts be digitally signed before they can be deployed. This ensures that the script hasn't been tampered with and is coming from a trusted source.

This article will walk you through the process of signing a PS1 script for deployment using SCCM.

Why Sign PS1 Scripts?

Here's why signing PS1 scripts is important:

  • Security: Signing your scripts provides an extra layer of security by ensuring they haven't been altered or corrupted. This is crucial for maintaining the integrity of your deployments.
  • Trust: When a script is signed, it indicates that it comes from a source you trust. This is important for users who may not be familiar with the script or its purpose.
  • SCCM Requirements: SCCM requires that all PowerShell scripts deployed through its mechanism be digitally signed.

How to Sign a PS1 Script

Here's a step-by-step guide on how to sign your PS1 script:

  1. Generate a Self-Signed Certificate:

    • Open PowerShell as an administrator.
    • Run the following command:
      New-SelfSignedCertificate -Type CodeSigningCert -DnsName "YourDomainName.com" -CertStoreLocation "Cert:\LocalMachine\My"
      
      Replace "YourDomainName.com" with the actual domain name. This creates a self-signed certificate in your computer's certificate store (its subject will be "CN=YourDomainName.com"). The -Type CodeSigningCert parameter gives the certificate the Code Signing enhanced key usage; without it the cmdlet creates a server-authentication certificate, which Set-AuthenticodeSignature will refuse to sign with.
    • Important: This certificate is not valid for use in a production environment. It's best practice to use a proper CA-signed certificate for actual deployments.
  2. Export the Certificate:

    • Open the Certificate Manager (certmgr.msc).
    • Navigate to Personal > Certificates.
    • Find the certificate you just created, right-click it, and select All Tasks > Export.
    • Choose DER encoded binary X.509 (.cer) as the format and click Next.
    • Save the exported certificate to a location you can easily access.
  3. Sign the PS1 Script:

    • Open a PowerShell window as an administrator.
    • Navigate to the directory where your PS1 script is located.
    • Execute the following command:
      $cert = Get-ChildItem -Path "Cert:\LocalMachine\My" -CodeSigningCert | Where-Object Subject -eq "CN=YourDomainName.com"
      Set-AuthenticodeSignature -FilePath "YourScript.ps1" -Certificate $cert
      
      Replace "YourScript.ps1" with the actual name of your script, and "CN=YourDomainName.com" with the subject of the certificate you created in step 1. Signing requires the certificate's private key, which stays in the certificate store, so the cmdlet takes the certificate object from the store (its -Certificate parameter); the .cer file exported in step 2 contains only the public certificate and cannot be used to sign.
  4. Test the Signature:

    • You can verify that the script is signed by running:
      Get-AuthenticodeSignature -FilePath "YourScript.ps1" 
      
    • This command displays the signature's Status (Valid when the signature checks out and the signer is trusted) and the SignerCertificate, from which you can read the subject, issuer, thumbprint and expiration date.
  5. Deploy the Script with SCCM:

    • Now you can deploy your signed PS1 script through SCCM as usual. The script will execute on target systems without encountering signature errors.
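The five steps above, carried through as one PowerShell session. This is an added example written for this page, not code from the original article or from Microsoft; $Subject, $ScriptPath and $ExportPath are placeholder values to replace with your own. It also covers the point the steps leave implicit: a self-signed certificate produces a signature that shows Status Valid only on machines that hold its public .cer in both the Trusted Root Certification Authorities and Trusted Publishers stores, so the example imports the exported .cer there before verifying. Run it in an elevated PowerShell window on Windows.

```powershell
# Added example (not from the article): create a code-signing certificate,
# trust it, sign a script, verify the result and keep the exported .cer for clients.
# Placeholder values:
$Subject    = 'CN=YourDomainName.com'          # certificate subject (placeholder)
$ScriptPath = '.\YourScript.ps1'               # script to sign (placeholder)
$ExportPath = '.\YourDomainName-codesign.cer'  # where the public .cer is written (placeholder)

# Step 1: a certificate with the Code Signing enhanced key usage.
# Without -Type CodeSigningCert the cmdlet issues a server-authentication
# certificate, which Set-AuthenticodeSignature rejects.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(2)

# Step 2: export only the public half as DER .cer. The private key never leaves the store.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# A self-signed signer is untrusted until its public certificate is in the Root and
# TrustedPublisher stores. This must be done on every machine that will run the script;
# in this lab flow that is the signing machine itself. In production the CA that issued
# the certificate is already trusted and only TrustedPublisher (or an AllSigned prompt) matters.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $ExportPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# Step 3: sign with the certificate object from the store.
# -TimestampServer <url> is optional; a countersignature from a timestamp authority
# keeps the signature valid after the signing certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed for $($ScriptPath): $($sig.Status) - $($sig.StatusMessage)"
}

# Step 4: verify independently, as a client would, and fail rather than deploy a bad file.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature check failed for $($ScriptPath): $($check.Status) - $($check.StatusMessage)"
}
[pscustomobject]@{
    Script     = $ScriptPath
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Expires    = $check.SignerCertificate.NotAfter
}

# Step 5: the signed $ScriptPath goes into the SCCM package; $ExportPath is what the
# target machines need distributed (for example through Group Policy) before they trust it.
```

Any later edit to the script, even a whitespace change, breaks the hash in the signature block and turns Status into HashMismatch, so signing belongs at the end of the packaging workflow and the signed file must be the one SCCM distributes.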

Tips and Considerations

  • Production Environment: In a production environment, use a certificate issued by a trusted certificate authority (CA) instead of a self-signed certificate.
  • Script Signing on Multiple Machines: If you need to sign scripts on multiple machines, consider using a script signing tool or a centralized script signing solution.
  • Certificate Management: Keep track of your certificate expiration dates and renew them before they expire. This is essential for maintaining the validity of your signed scripts.
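A check that follows from the last two tips: before scripts go into an SCCM package, audit the whole source folder for unsigned or tampered files and for signing certificates that are about to expire. This is an added example written for this page, not code from the original article; the Test-ScriptSignatures function name and the folder path in the usage line are assumptions.

```powershell
# Added example (not from the article): audit every .ps1 below a folder and report
# signature status plus signer expiry, so expiring certificates are renewed and
# the scripts re-signed before the signature stops validating.
function Test-ScriptSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder holding the scripts to audit
        [int] $WarnDays = 30                     # warn when the signer expires within this many days
    )
    $threshold = (Get-Date).AddDays($WarnDays)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate                       # $null for an unsigned file
        $expires = if ($cert) { $cert.NotAfter } else { $null }

        [pscustomobject]@{
            Script        = $_.FullName
            Status        = $sig.Status                      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer        = if ($cert) { $cert.Subject } else { '(none)' }
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { '' }
            Expires       = $expires
            # Deploy only a valid signature whose signer is not about to expire.
            ReadyToDeploy = ($sig.Status -eq 'Valid') -and ($expires -gt $threshold)
            Note          = switch ($sig.Status) {
                'Valid' {
                    if ($expires -le $threshold) { "signer expires $($expires.ToString('yyyy-MM-dd')); renew and re-sign" }
                    else { '' }
                }
                'NotSigned'    { 'unsigned; sign before packaging' }
                'HashMismatch' { 'file changed after signing; re-sign' }
                default        { $sig.StatusMessage }   # e.g. signer not trusted on this machine
            }
        }
    }
}

# Usage (placeholder path): list everything that should not ship yet.
Test-ScriptSignatures -Path 'C:\SCCM\Sources\Scripts' -WarnDays 45 |
    Where-Object { -not $_.ReadyToDeploy } |
    Format-Table Script, Status, Expires, Note -AutoSize
```

Run the audit on a machine that trusts the same publishers as your clients, since Status reflects the local trust stores: a signer that is valid on the signing machine but missing from a client's Trusted Publishers store will show UnknownError there, with the reason in StatusMessage.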

Conclusion

By signing your PS1 scripts, you're not only ensuring their integrity but also complying with SCCM's security requirements. Following the steps outlined above will make your deployments more secure and reliable.
