View on GitHub

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines

Download from GitHub

The recommended way to install ScubaGear is from PSGallery, but it can also be downloaded from GitHub:

  1. Go to the releases page and find the latest release.
  2. Under the Assets header, click ScubaGear-v1.4.0.zipto download the zip file.
  3. Extract the zip file into the folder of your choice.

Import Module

When ScubaGear is installed by downloading from GitHub, it must be imported into every new PowerShell terminal session before it can be executed. To import the module, open a PowerShell 5.1 terminal, navigate to the repository folder, and run this command:

# Import the module into the session
Import-Module .\PowerShell\ScubaGear 

Note: Do not add a \ to the end of the .\PowerShell\ScubaGear path.

Once ScubaGear has been downloaded and imported, the required dependencies can be installed.

PowerShell Execution Policy

PowerShell has a feature known as an execution policy that can prevent ScubaGear from running when it is downloaded from Github.

“PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.”

Execution Policy on Windows

On Windows servers, the default execution policy is RemoteSigned, which allows ScubaGear to run after the publisher (CISA) is agreed to once. ScubaGear is signed by a commonly-trusted Certificate Authority (CA).

On Windows clients, the default execution policy is Restricted. This policy can prevent ScubaGear from running because it (correctly) considers parts of ScubaGear to be scripts.

Execution Policy Changes

To see the current execution policy, run this cmdlet:

# Get execution policy for current PowerShell session
Get-ExecutionPolicy

More information can be found in Microsoft’s documentation.

If the execution policy is not RemoteSigned, it can be changed for the local computer using this cmdlet:

# Set execution policy to Remote Signed
Set-ExecutionPolicy `
  -ExecutionPolicy RemoteSigned `
  -Scope LocalMachine

More information can be found in Microsoft’s documentation.

Note: If your execution policy is set to Restricted and you cannot change it, then you will not be able to run ScubaGear.

Mark of the Web

Windows clients with an execution policy of Unrestricted generate a warning about running untrusted scripts when executing ScubaGear, even when the scripts and modules are signed, because the files contain an identifier showing that they were downloaded from the Internet. This identifier, informally referred to as a mark of the web, can be removed by running Unblock-File on the scripts and modules in the ScubaGear folder.

# Run these commands one at a time in the ScubaGear folder
# to unblock PowerShell files
Get-ChildItem *.ps1 -Recurse | Unblock-File
Get-ChildItem *.psm1 -Recurse | Unblock-File
Get-ChildItem *.psd1 -Recurse | Unblock-File

Warning: Users should use Unblock-File carefully and only run it on files they have vetted and deem trustworthy to execute on their system. See Microsoft’s documentation on unblocking files for more information.