I'm developing a small PowerShell toolkit for our internal use that includes functionality like adjusting system presets (power plans, restore profiles, logging, etc.). I'm seeking advice from anyone who has successfully deployed similar automation tools. Specifically, I'm focusing on aspects like script signing, execution policies, updates and distribution, and how to foster user trust. The target environments are Windows 10/11, using PowerShell versions 5.1 and 7, primarily for non-admin users.
For those experienced in distributing PowerShell tools, I'd love to know:
- Do you prefer using modules, installers, or just raw scripts?
- How do you manage certificates and signing practically?
- Are there any common issues with Defender/SmartScreen that I should be aware of?
Any real-world insights would be greatly appreciated!
5 Answers
Check out the -ExecutionPolicy Bypass option for some flexibility!
Here’s a rough outline of what you should consider:
- Set up an internal Certificate Authority if you haven't yet.
- Deploy the signing certificates to the client machines.
- Use a repository for your modules, like NuGet.
- Convert your scripts into modules if they aren’t already.
- Acquire a code signing certificate and sign your modules.
- Make sure to include help and create an updatable structure for your tools.
- Publish the modules to your new repository so clients can easily access them.
- Use commands like Install-Module and Update-Module for smooth updates.
- You can manage execution policies and language modes through Group Policy Objects (GPO).
- Consider additional tools like Git for version control and automation pipelines for deployment.
Honestly, are installers the way to go? Personally, I’m still using signed scripts with a basic launcher. But I’m thinking of switching to an installer or module format to make deployment easier. What do you think has been most effective for others?
I’m not sure I do it the "proper" way, but I package my module files as an application in SCCM. I just copy files to the PowerShellmodules directory on the workstations. I set the machine policy execution policy via GPO to RemoteSigned so it loads automatically. For updates, I package it as a new app, which replaces the old module files.
You might want to think about leveraging Group Policy Objects, Intune policies, or SCCM. PowerShell scripts can be deployed via SCCM, but sometimes configuration settings are better managed through GPO or Intune. For persistent setups, CI/CD tools like Ansible can be really useful too.
I hope OP has those tools set up already!
Thanks for the info! If you primarily use an internal CA, do you also set up an internal repo for your modules? Any tips on the transition from using simple scripts to fully signed modules?