Windows - Security - Set PowerShell ExecutionPolicy to RemoteSigned

What the RemoteSigned execution policy enforcer does

This Automox Worklet™ configures Windows PowerShell to require digital signatures for all remote scripts while allowing unsigned local scripts to execute. The Worklet retrieves code-signing certificates from the Automox Certificate Authority API, verifies the certificates are installed in the correct certificate stores (Root and TrustedPublisher), and then sets two registry properties in HKLM:\Software\Policies\Microsoft\Windows\PowerShell: EnableScripts (DWord value of 1) and ExecutionPolicy (String value of RemoteSigned).

The Worklet validates that your organization's certificate authority certificate and the Automox root certificate both exist on each endpoint before enforcing the policy. If either certificate is missing, remediation installs it to the appropriate store.

This implementation provides a security checkpoint for script execution without completely blocking unsigned local scripts, which is important for legitimate operational needs while preventing malicious scripts downloaded from untrusted sources.

Why enforce RemoteSigned execution policy

PowerShell is a advanced administrative tool frequently targeted by attackers. By default, Windows allows unsigned scripts to run, creating a vector for malware distribution and lateral movement. The RemoteSigned policy mitigates this by requiring that any script obtained from the network be cryptographically signed, verifying you know the origin and integrity of code before execution.

Organizations subject to compliance frameworks like CIS Benchmarks, NIST 800-53, or internal security policies benefit from this centralized enforcement. RemoteSigned provides a practical balance: it stops drive-by downloads and untrusted remote execution while preserving your ability to run legitimate administrative scripts locally.

The Automox code-signing program adds an extra layer by establishing organizational trust chains through certificate management. Your endpoints automatically validate that scripts are signed by either Automox or your organization's approved certificate authority, making script deployment safer and more auditable at scale.

How RemoteSigned enforcement works

1. Evaluation phase: The Worklet checks for the existence of the Automox and organization UUIDs in the Automox agent config file (amagent\config.json). It then queries the Automox signing API for both CURRENT and FUTURE certificate statuses for each UUID. The Worklet verifies that all required certificates exist in the LocalMachine certificate stores (Root and TrustedPublisher). Finally, it evaluates the registry to confirm EnableScripts and ExecutionPolicy properties are correctly configured at HKLM:\Software\Policies\Microsoft\Windows\PowerShell.

2. Remediation phase: If certificates are missing, the Worklet retrieves the base64-encoded certificates from the Automox API, decodes them as X.509 certificates, and installs them to both the Root and TrustedPublisher certificate stores. The Worklet then creates the required registry subkey path if it doesn't exist and sets EnableScripts to 1 and ExecutionPolicy to RemoteSigned. If values already exist but differ from the desired state, the Worklet updates them.

RemoteSigned policy configuration requirements

• Windows 10, Windows 11, or any supported Windows Server version

• Automox agent installed and registered with a valid organization UUID in amagent\config.json

• Network connectivity to console.automox.com to retrieve signing certificates

• Local administrative privileges (required for certificate store access and registry modification)

• Optional: For reverting policy to default state, uncomment the $REVERT parameter in both evaluation and remediation scripts and set it to $true

Expected PowerShell security state after enforcement

After this Worklet runs, the PowerShell execution policy on affected endpoints will be RemoteSigned. Locally created scripts execute without restriction, but scripts downloaded from the internet or obtained from remote network sources fail unless they carry a valid digital signature from Automox or your organization's certificate authority.

You can verify the policy by running Get-ExecutionPolicy or Get-ExecutionPolicy -List in PowerShell. The LocalMachine scope will show RemoteSigned. Any unsigned remote script execution attempts will display an error: "cannot be loaded because running scripts is disabled on this system." To undo this Worklet's changes, enable the REVERT parameter as documented in the script headers and rerun the Worklet.

How to validate set powershell executionpolicy to remotesigned changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for set powershell executionpolicy to remotesigned.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Write-Error, Out-Null, Where-Object.

4. Validate remediation effects from script operations such as Write-Error, Out-Null, Where-Object, then rerun evaluation for compliance.