by kachapopopow 697 days ago
That still has the same issue. PowerShell will refuse to run scripts that are not signed by default.

You can use the -ExecutionPolicy argument to get around that.

It's not a security boundary, just something to stop users accidentally opening an email attachment like they will with bat/vbs.

Which is pointless if it's only for PowerShell... But hey, security theater is kinda the MO of Microsoft if you think about rotating password policies which have a maximum password length etc.
Sign the PowerShell script. It’s not that large of a hurdle to get a code signing cert, though it certainly isn’t trivial.
Code signing certs must have the key HSM’d these days. It’s a big hurdle.
You have to go through a humiliating process to get it as well as pay a few hundred $$$ to one of MS street vendors.
you have to prove who you are, yes. I don't know what you mean in the 2nd half of the sentence.
lemme explain quickly: you have to prove a lot of different things on paper, not just who you are; in reality this is just a money-milking side-hustle business for Microsoft. The process I had to go through had many different steps but in the end it all just relied on a blind trust between me and the vetting team from the first step.
lemme respond quickly: code signing certs are in use by many more than just microsoft. if i want a code signing cert from digicert, microsoft doesn't get any money, digicert does. i can use it for more than just powershell scripts, of course, i can sign anything. they are useful things to have. getting them is a pain in the ass, yes, but it's supposed to be. they want to filter out identity impersonators and do everything they can to issue a cert to a person that is who they say they are. that's the whole point of the cert, so that's why you must show all of that proof.
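An added example, not posted by anyone in this thread, that ties together the execution-policy point made above ("not a security boundary", overridable per process) and the "sign the script" suggestion: it shows the per-scope policy that decides what actually applies, verifies a script's Authenticode signature before running it, and signs it with a code-signing cert already present in the user's store. The script path and the timestamp server URL are placeholders/assumptions, not values from the thread.

```powershell
# Added example (not from the thread). Placeholder path; replace with a real script.
$ScriptPath = 'C:\scripts\deploy.ps1'

# The effective policy is the first non-Undefined entry in precedence order:
# MachinePolicy, UserPolicy (both Group Policy), Process, CurrentUser, LocalMachine.
# "-ExecutionPolicy <x>" on the command line only sets the Process scope, so a
# policy pushed via GPO (MachinePolicy/UserPolicy) still wins over it.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Defender-side check: who signed the script, and does the chain validate?
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Path        = $ScriptPath
    Status      = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError, ...
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = ($null -ne $sig.TimeStamperCertificate)
} | Format-List

# Refuse anything that is not a valid, chain-trusted signature. A tampered
# signed script shows up as HashMismatch rather than NotSigned.
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $ScriptPath: signature status is $($sig.Status)"
}

# Signing side: use a code-signing cert already installed in the user's store
# (acquiring that cert is the hurdle discussed above and is out of scope here).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($null -eq $cert) {
    Write-Warning 'No code-signing certificate in Cert:\CurrentUser\My; skipping signing.'
} else {
    # Timestamping keeps the signature valid after the cert itself expires.
    # Assumed timestamp server URL; substitute your CA's RFC 3161 endpoint.
    Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
}
```

Under AllSigned, the signer's cert must also chain to a trusted root and, for non-public CAs, be present in Trusted Publishers; a Valid status from Get-AuthenticodeSignature is the same check PowerShell itself performs before loading the script.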