Powershell Security at Enterprise Customers

TL;DR; (“too long; didn’t read”)

There are some people who don┬┤t have the time to read the whole text – if you are familiar with the topic the text in bold includes the most important points and is just for you.

The most important points to enforce Powershell Security is to use the newest Versions (OS and Powershell), use whitelisting and enforcing the usage of the ConstrainedLanguageMode and establish a good rights structure with frequent centralized logging and validate all the new features coming with the new Windows 10 Versions. And now in more detail:

Continue reading

Storing Credentials securely

Hi together,

I have been asked many times how to store and use securely credentials / passwords in scripts. The simplest thing is just to create a credential on a computer and export it via Export-Clixml where you make use of the SecureString and the native Windows Data Protection API (DAPI), which is secure. (take a look here) But the downside is that you can decrypt the securestring only at the computer and with the user who encrypted it.

Therefore I want to show you this simple but neat way to achieve this task on all computers. For this we simply make use of certificates to encrypt and decrypt the passwords which you would preferably create with your own PKI and deploy with your management solution.

How does this look like? As simple as this:

Install-Module ProtectedData

#Testing purpose
New-SelfSignedCertificate -Subject PowershellSec -KeyUsage KeyEncipherment -CertStoreLocation Cert:\CurrentUser\My 

#Retrieving cert
$Cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -like '*PowershellSec*'}

#$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like 'CN=PowerShell Automation*'}

# Encrypt password and store it in a file.
Protect-Data 'Password' -Certificate $Cert | Export-Clixml .\encrypted.xml

# Decrypt password from file within script.
$PasswordToUse = Unprotect-Data (Import-Clixml .\encrypted.xml) -Certificate $Cert 


Alternatively you could also just use the Powershell built-in cmdlets:
Protect-CmsMessage and Unprotect-CmsMessage

Happy using!


PSConfEU 2017 – materials


Hi there !

And again – a fantastic Powershell Conference managed by Tobias Weltner is now over!

The session materials can be found here:


The video material can be found here:


Additionally to this I will create also some blog posts to my sessions. In one of these I will explain Powershell Security in depth! Stay tuned!