What are the 3 Main Advantages of Signing PowerShell Scripts from Automox?

When PowerShell was introduced in 2006, it opened an entirely new realm of possibilities for systems administrators. Now admins could script nearly any action on a Windows machine. Not only that, they could push it out across their network using a group policy in Active Directory. Things were looking up for IT departments.

But on-premises versions of Active Directory have become increasingly deprecated for modern cloud-compatible IAMs, which cannot replicate the group policy functionality. Writing PowerShell can be daunting and time-consuming for junior employees (and more than a few senior ones as well). Moreover, PowerShell itself has become a major focus for abuse by threat actors.

To tackle these issues, Automox embarked on a multiyear effort.

Phase 1

First, we introduced Automox Worklets™. These plug-and-play IT automations allow you to schedule, set policies, and push PowerShell to your Windows endpoint far more efficiently than group policies in AD.

Phase 2

We rolled out Ask Otto, which uses a large language model (LLM) to help your team draft scripts immediately. In conjunction with Ask Otto and to promote quick updating, fixing, and remediation, we launched the Automox Worklets Catalog – a library of plug-and-play IT automations for hundreds of use cases across Windows, macOS, and Linux devices.

But here’s the cherry on top – soon we’ll unveil…

Phase 3: Worklet Signing

The ability to sign and validate PowerShell scripts was introduced to address the security concerns around PowerShell abuse. However, there was a major drawback: Managing keys securely is a major burden for most IT departments.

Now, the team at Automox will lower the barrier to this critical improvement by handling the most pernicious bits:

• Secure key generation and storage

• Public key distribution to your endpoints

• Seamless signing for authorized members of your IT team

So, what are the benefits of signing PowerShell scripts from Automox?

1. Signed PowerShell paired with RemoteSigned or AllSigned execution policies can help to reduce your potential attack surface.

2. Signing scripts offers assurance that what you wrote is what will be executed – no malicious modifications.

3. Signed scripts as well as a well-managed RBAC can ensure the strongest possible technical control between authorization to write and authorization to execute.

Automox customers can opt-in to sign every PowerShell command sent through Automox, so they can be confident that critical endpoint management tasks like configuration updates were unchanged in transit to managed devices. This is a major advance in security for IT teams. Dual-use and fileless PowerShell scripts comprise nearly half of the critical security threats on endpoints.

To start, we recommend updating your PowerShell execution policy to RemoteSigned. 

This setting enforces all PowerShell scripts coming from the internet to be signed while still allowing locally created scripts to run without signature. 

Very soon, you’ll be able to use a bespoke Automox Worklet in conjunction with our script signing solution. We’ll keep you posted by updating this blog as soon as it’s available. 

Note: If you are using other PowerShell scripts in your environment, you must sign them as well or migrate them into Automox. Failing to do so may result in unexpected behaviors on your devices.