# Scappman PowerShell Certificate

## Certificates

To help our customers create secure environments, Scappman signs all the PowerShell scripts it creates. The public key of our Code Signing certificate can be found at the bottom of this section. By adding this certificate to the Trusted Publishers local machine certificate store, you can set your PowerShell ExecutionPolicy to AllSigned, which will only allow scripts that have been signed by a Trusted Publisher to run.

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FBfhSBeolQnpQr9lka2X3%2Fimage.png?alt=media&#x26;token=ef7f88a8-0f28-4b3b-8f33-906f6ac3e77a" alt=""><figcaption></figcaption></figure>

For more information about PowerShell ExecutionPolicy, refer to the [Microsoft Docs](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.3).

If you want to implement this, check out our [guide](#how-to-enable-execution-policy-and-trust-the-certificate) below.

***

{% hint style="warning" %}
It is crucial to keep both certificates on your machines as some of the current packages, which are already pushed in your Intune tenant, are still signed with the old certificate.
{% endhint %}

<mark style="background-color:orange;">**New** Certificate (For packages deployed starting 03/10/2024):</mark>

{% file src="<https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FUTH4iKOiSijuc8PWw8Si%2FXplendit-CodeSigning.cer?alt=media&token=5e3351bc-42af-4294-ae95-54632976769b>" %}

Certificate (For packages deployed until 03/10/2024):

{% file src="<https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FF8NqMBjIqIKX67M6AlqU%2FScappman_codesigning.cer?alt=media&token=01e0c6a3-297a-4583-bd0d-6de2f6cf8d47>" %}

***

## How-To: Enable **Execution Policy and trust the certificate**

### **PowerShell ‘AllSigned’ Execution Policy Overview**

Enabling the ‘AllSigned’ Execution Policy in PowerShell enhances IT security by requiring all scripts and configuration files to be signed by a trusted publisher before execution. Key benefits include:

* **Enhanced Security**: Reduces the risk of running malicious or unauthorized code.
* **Integrity Assurance**: Ensures scripts haven’t been tampered with, supporting compliance with security standards.
* **Accountability**: Tracks the origin of scripts, providing greater control over the IT environment.
* **Trust Management**: Establishes trusted relationships with script publishers, allowing only verified scripts to be executed.

By implementing this policy, Scappman helps you create a secure environment, protect your data, and maintain the reliability of your IT operations.

### You can configure the AllSigned policy in Intune with the following Administrative Template.

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FmJyXEjtC6QcG8vDa8hEZ%2Fimage.png?alt=media&#x26;token=f6aaf962-2858-4da2-903a-ac1723a2a03e" alt=""><figcaption></figcaption></figure>

### How to import a certificate into the Trusted Publishers certificate store

1. Download the New Certificate

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2Fuf6MDTZ8rDSFpoX2Rq9E%2Fimage.png?alt=media&#x26;token=50c222d4-e2eb-4f95-985f-653527567c73" alt=""><figcaption></figcaption></figure>

2. Get the thumbprint of the certificate

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FbBXjgJnkrU8iNi4xYhlU%2Fimage.png?alt=media&#x26;token=ccde74d5-270e-43d1-b1f4-82d1f72c6845" alt=""><figcaption></figcaption></figure>

3. Create custom Intune profile setting

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2F8us7chEfTjB6jRyNehDg%2Fimage.png?alt=media&#x26;token=5fb0ab48-44e3-4ef1-9e2a-f8b7c75f1ac2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2FnkpylDyMuGOQELhMHKQw%2Fimage.png?alt=media&#x26;token=de5d9746-a2cb-4bb6-98bc-a1ee4f73ea5f" alt=""><figcaption></figcaption></figure>

4. Fill in required information.

Enter a Name of your choice.

Construct OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/**!Placethumbprintnumberhere!**/EncodedCertificate

Open the newest certificate and copy and paste its contents into "String Value".

{% hint style="info" %}
See step 2 for the thumbprint.
{% endhint %}

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2F8yl5rcCQ04RwuipAYXe5%2Fimage.png?alt=media&#x26;token=b92e7daf-2ff9-4942-b403-6d716ed20dd5" alt=""><figcaption></figcaption></figure>

5. Assign policy to your devices.

<figure><img src="https://3218147909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfgYEET6wvimf9qIpg7bt%2Fuploads%2F2OEF9ZasXjv852Coij95%2Fimage.png?alt=media&#x26;token=1812bfff-1500-4f01-b6d0-0a1df92a0298" alt=""><figcaption></figcaption></figure>
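
The thumbprint from step 2 and the OMA-URI and String Value from step 4 can be derived from the downloaded files instead of being copied by hand. The following PowerShell is an added example, not Scappman's own code; the function names and the local file paths are assumptions.

```powershell
# Added example: derive the Intune custom-profile values from a downloaded .cer file.
function Get-TrustedPublisherOmaSetting {
    param([Parameter(Mandatory)][string]$CertificatePath)

    $resolved = (Resolve-Path -LiteralPath $CertificatePath).Path
    # Loads both DER and Base64 encoded .cer files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($resolved)

    # Code Signing EKU OID; confirms the file really is a code-signing certificate.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $isCodeSigning = $false
    if ($eku) {
        $isCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        IsCodeSigning = $isCodeSigning
        Thumbprint    = $cert.Thumbprint
        OmaUri        = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($cert.Thumbprint)/EncodedCertificate"
        # Single-line Base64 of the DER bytes, without BEGIN/END CERTIFICATE lines.
        StringValue   = [Convert]::ToBase64String($cert.RawData)
    }
}

# Run on a managed device after the profile has synced: is the certificate trusted?
function Test-TrustedPublisher {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$Thumbprint"
}

# Both certificates must stay trusted, so process the new and the old file.
# The paths are assumptions: adjust them to where you saved the downloads.
foreach ($file in '.\Xplendit-CodeSigning.cer', '.\Scappman_codesigning.cer') {
    $setting = Get-TrustedPublisherOmaSetting -CertificatePath $file
    $setting | Format-List Subject, NotAfter, IsCodeSigning, Thumbprint, OmaUri, StringValue
    "Present in TrustedPublisher store: $(Test-TrustedPublisher -Thumbprint $setting.Thumbprint)"
}
```

Create one custom profile setting per certificate, using its `OmaUri` and `StringValue`. Compare the printed `Subject` and `Thumbprint` with what the certificate dialog shows in step 2 before assigning the policy.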
