
Windows - Security - Set PowerShell ExecutionPolicy to AllSigned

Configure PowerShell to require digitally signed scripts, preventing execution of unsigned code on your endpoints

Worklet Details

What the PowerShell AllSigned policy enforcer does

This Automox Worklet™ configures your Windows endpoints to enforce PowerShell's AllSigned execution policy at the machine level. The Worklet requires that all PowerShell scripts be digitally signed with a trusted certificate before they can execute on the endpoint.

The Worklet first verifies that Automox and organization-specific code-signing certificates are installed in your endpoint's certificate store. It then configures the Windows registry to enforce the AllSigned policy globally, preventing any unsigned scripts from running regardless of their source or origin.

Why require signed PowerShell scripts

PowerShell is a versatile tool that attackers often use to execute malicious code on endpoints. By requiring script signatures, you dramatically reduce the attack surface available to adversaries. Unsigned scripts are commonly used in lateral movement, persistence, and data exfiltration attacks.

Enforcing digital signatures protects your organization from common script-based threats while maintaining the ability to run legitimate automation and administrative tasks. This policy is especially valuable in regulated environments where proof of script origin and integrity is required for compliance.

The AllSigned policy prevents interactive PowerShell commands entered at the console but allows signed scripts and modules to execute. This strikes a balance between security and operational necessity for IT teams.

How PowerShell execution policy enforcement works

  1. Evaluation phase: The Worklet checks for the presence of required signing certificates in the LocalMachine Root and TrustedPublisher certificate stores. It retrieves the current certificate authority certificates from the Automox API and verifies they exist locally. The Worklet also inspects the Windows registry at HKLM\Software\Policies\Microsoft\Windows\PowerShell to check whether the AllSigned execution policy is already configured.

  2. Remediation phase: If certificates are missing, the Worklet downloads the necessary code-signing certificates from the Automox signing API and installs them into the LocalMachine Root and TrustedPublisher stores. The Worklet then configures the Windows registry by setting EnableScripts to 1 (DWord) and ExecutionPolicy to AllSigned (String) at the registry path Software\Policies\Microsoft\Windows\PowerShell. These settings enforce the policy at the machine level for all users.

PowerShell execution policy requirements

  • Windows Server 2016 or later, or Windows 10 or later

  • Automox agent running with System-level permissions

  • Automox code-signing certificate authority (CA) certificate obtained through the Automox code-signing opt-in process

  • Organization-specific code-signing CA certificate provisioned and available through the Automox API

  • Network connectivity to console.automox.com to download code-signing certificates

  • All PowerShell scripts in your environment must be signed with a trusted certificate; otherwise, the execution policy can be reverted using the REVERT parameter in the Worklet

Expected PowerShell security behavior after enforcement

After the Worklet runs successfully, your endpoint will enforce the AllSigned PowerShell execution policy. Unsigned scripts will no longer execute, whether they are run from the command line, scheduled tasks, or any other method. Interactive commands at the PowerShell console will be restricted, but signed scripts from trusted publishers will continue to execute normally.

To verify the policy is enforced, you can run Get-ExecutionPolicy -List in PowerShell on the endpoint. You should see AllSigned listed for the MachinePolicy. Any attempts to run unsigned scripts will result in an execution policy error. If you need to revert this setting, you can uncomment the REVERT parameter in both the evaluation and remediation scripts and run the Worklet again.
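
The checks described above (registry values, MachinePolicy scope, and certificate presence in both stores) can be combined into one read-only script. This is an added example, not the Worklet's own evaluation script; the thumbprint list is a placeholder you must fill in with your signing CA thumbprints, and the script reports those certificates as missing until you do.

```powershell
# Added example: read-only compliance check; not the Worklet's own evaluation script.
# $ExpectedThumbprints is a placeholder: supply your signing CA certificate thumbprints.
$ExpectedThumbprints = @('<SIGNING-CA-THUMBPRINT-PLACEHOLDER>')

$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Registry values that the remediation phase writes.
$policy = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    $findings.Add("Policy key missing: $PolicyPath")
} else {
    if ($policy.EnableScripts -ne 1) {
        $findings.Add("EnableScripts is '$($policy.EnableScripts)', expected 1")
    }
    if ($policy.ExecutionPolicy -ne 'AllSigned') {
        $findings.Add("ExecutionPolicy is '$($policy.ExecutionPolicy)', expected AllSigned")
    }
}

# 2. Policy as PowerShell itself resolves it for the MachinePolicy scope.
$effective = Get-ExecutionPolicy -Scope MachinePolicy
if ($effective -ne 'AllSigned') {
    $findings.Add("MachinePolicy scope reports '$effective'")
}

# 3. Signing certificates must be present in both LocalMachine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = (Get-ChildItem -Path "Cert:\LocalMachine\$store").Thumbprint
    foreach ($thumb in $ExpectedThumbprints) {
        if ($present -notcontains $thumb) {
            $findings.Add("Certificate $thumb not found in LocalMachine\$store")
        }
    }
}

# Exit 0 only when every check passed; list each gap otherwise.
if ($findings.Count -eq 0) {
    Write-Output 'Compliant: AllSigned enforced and signing certificates present.'
    exit 0
}
$findings | ForEach-Object { Write-Output "Non-compliant: $_" }
exit 1
```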

How to validate Set PowerShell ExecutionPolicy to AllSigned changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Set PowerShell ExecutionPolicy to AllSigned.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as Write-Error, Out-Null, Where-Object.

  4. Validate remediation effects from script operations such as Write-Error, Out-Null, Where-Object, then rerun evaluation for compliance.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
