With System Center 2012 Configuration Manager, as we all know, the new Application model was released. As long as you deploy an MSI, the detection method is very easy to define. But what if you want to check a registry key, as needed with .NET installations? No problem. What if you want to check with a VBScript whether the installation was successful? That's easy too (look at this very good blog post about the topic, deploying the App-V 5 client: http://scug.be/sccm/category/detection-methods). And with a PowerShell script? Uhm... Yes, surprisingly, the execution policy's blocking of unsigned scripts also applies to the detection method, and honestly, in my home environment there is absolutely no way I am lowering this setting below AllSigned; my home is my castle 😉 So I need to code-sign the script!
So I just made a simple application: it copies a file called eins.txt to c:\temp\test\eins.txt, and the PowerShell script then checks the existence of the file. But let's get to some screenshots first, and after that to the code 🙂
First, you will need to create the application and a deployment type; this is how my deployment type looks:
The detection method is now configured with a PowerShell script, without any code signing:
Here is this simple code snippet:
# Detection script: any output on stdout means "installed"; error output (stderr) makes the evaluation fail, so suppress it when the file is missing.
$TestFile = Get-ChildItem -Path "C:\temp\test\eins.txt" -ErrorAction SilentlyContinue
if ($TestFile) { $TestFile.Exists }
If you deploy an application like this and the PowerShell execution policy is set to run only signed scripts (AllSigned), you will find the following error message in the AppDiscovery.log:
In-line script returned error output: & : File C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1
cannot be loaded. The file
C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1 is not
digitally signed. The script will not execute on the system. For more
information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ & 'C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
So what's next? You've got to get a code-signing certificate; you can get it easily from your PKI, hopefully you have one.
After this, you can sign your PowerShell script with the following command:
Set-AuthenticodeSignature c:\temp\test-file.ps1 @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]
If there is more than one code-signing capable certificate in the store, you have to select the certificate explicitly, in my case by its thumbprint:
Set-AuthenticodeSignature C:\temp\test-file.ps1 @(Get-ChildItem cert:\CurrentUser\My\1A7D1E2B6D87D6B2DD06C2A59106FE91BE11D02E)[0]
You should not receive any error messages. I used the ISE to create and save the script on Windows 8. Be aware that in earlier versions of the ISE there was a problem with signing scripts saved from the ISE: http://connect.microsoft.com/PowerShell/feedback/details/483431/set-authenticodesignature-fails-on-scripts-created-from-ise
The workaround was to open the script saved from the ISE in Notepad, copy and paste it into a new Notepad document, then save, sign and use the new script.
When the script is saved, you can import it into the detection method:
Navigate to your script and open it:
Now the detection method works once you have imported the code-signing certificate (its public part) into the Trusted Publishers store of the destination computer. And then you will get your detection method with PowerShell working:
Update:
This does not work during operating system deployment (OSD) 😦
See this TechNet post: http://social.technet.microsoft.com/Forums/en-US/configmanagerosd/thread/59a35100-4772-4c99-a1d9-058ac77be1ba
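As an added example (not code from the original post), the following PowerShell walks the procedure above end to end: it signs a detection script, verifies it the way an AllSigned client would, and shows that any change to the file bytes after signing (such as the changed line breaks discussed in the comments below) leaves the signature invalid. It assumes a code-signing certificate in Cert:\CurrentUser\My (the thumbprint is a placeholder), the PKI module cmdlets Export-Certificate and Import-Certificate (Windows 8 / Server 2012 or later) and a reachable timestamp server.

```powershell
# Added example, not code from the original post. Assumes a code-signing
# certificate in Cert:\CurrentUser\My; the thumbprint is a placeholder.
$Thumbprint = 'REPLACE_WITH_CODE_SIGNING_THUMBPRINT'
$Cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"

# Detection script body: write to stdout only when installed and never to
# stderr, because error output makes the ConfigMgr evaluation fail.
$ScriptPath = Join-Path $env:TEMP 'detect-eins.ps1'
$Body = "if (Test-Path -LiteralPath 'C:\temp\test\eins.txt') { 'Installed' }`r`n"
[System.IO.File]::WriteAllText($ScriptPath, $Body, [System.Text.Encoding]::UTF8)

# Sign with a timestamp so the signature stays valid after the certificate
# expires (the timestamp server URL is an assumption; use your own if needed).
$Signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $Cert `
    -TimestampServer 'http://timestamp.digicert.com'
"Signing status: $($Signed.Status)"

# Verify like an AllSigned client: the signature must be Valid and the
# signer must be present in the machine's Trusted Publishers store.
function Test-DetectionScriptSignature {
    param([string]$Path)
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    $Signer = $Sig.SignerCertificate
    $Trusted = $false
    if ($Signer) {
        $Trusted = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $Signer.Thumbprint })
    }
    [pscustomobject]@{
        Path    = $Path
        Status  = $Sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer  = $(if ($Signer) { $Signer.Subject } else { '<none>' })
        Trusted = $Trusted
    }
}
Test-DetectionScriptSignature -Path $ScriptPath

# Failure mode from the comment thread: the file reaches the client with its
# line breaks changed. The hash covers the text above the signature block, so
# even CRLF to LF leaves the status not Valid and AllSigned refuses to run it.
$Mangled = Join-Path $env:TEMP 'detect-eins-mangled.ps1'
$Text = [System.IO.File]::ReadAllText($ScriptPath) -replace "`r`n", "`n"
[System.IO.File]::WriteAllText($Mangled, $Text, [System.Text.Encoding]::UTF8)
Test-DetectionScriptSignature -Path $Mangled

# Trust the publisher on a target machine (run elevated): export the public
# certificate and import it into Trusted Publishers (PKI module cmdlets).
$CerPath = Join-Path $env:TEMP 'codesign.cer'
Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
```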
Did you do anything else to make this work? I’m running ConfigMgr 2012 SP1 CU1 and tried in Microsoft’s virtual labs which is ConfigMgr 2012 RTM. My clients never see the signature block because the file that gets created on the client has no carriage returns (if you open it in Notepad, it is one long string with no line breaks).
With the sample above, my script has carriage returns, also in Notepad. But I did nothing else with the file than what is written above. Do you import the script or copy/paste it into the text box? Does the script work when executed via the PS shell?
Greetings. I found that ConfigMgr stripped my trailing linebreaks after the signature block. This in turn made the Detection Method fail with “not digitally signed”. I haven’t found a way to sign my PS scripts without the trailing linebreak… Any ideas?
Anders B. had the same problem. He also asked in the TechNet forum. As written above, I didn't get this error.
I see. Did you by any chance get a link to the TechNet post? I haven't found anyone else with this problem apart from Anders B. I've also created a post on the Partner Forum, so comparing cases would help a lot.
Here you are:
http://social.technet.microsoft.com/Forums/en-US/c71123b0-72b9-44c4-b9ff-727ffd647b1a/script-detection-method
Would you please post your thread, so I also can get updated?
Thank you. Yes, the link to the post is http://partnersupport.microsoft.com/en-us/profile/dff9eb57-d03c-4d36-8aae-42ca4cbd15f2. You need to be a partner to read it though. I'll keep you posted. The workaround with Client Settings will have to do for now until I get an answer.
Correct URL is of course:
http://partnersupport.microsoft.com/en-us/mpndataplat/forum/mpnsyscenter-mpnscconfig/custom-detection-method-in-configmgr-strips/16eff9bd-129a-4562-9e65-0c4684bd2161
Microsoft Support opened a bug for this issue. I don’t have access to the connect site in order to view the status, but this is the link they gave me.
https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/790019/css-configmgr-2012-sp1-app-evaluation-fails-when-using-a-signed-powershell-script-as-detection-method-when-ps-execution-policy-is-set-to-allsigned
Thank you! I've added a comment and upvoted this bug. The workaround is not good as it compromises security.
Changing the Client agent to Bypass works but I don't like it. It's not the worst PowerShell security hole because Bypass only applies for ConfigMgr initiated scripts. But I would like to get it working with AllSigned to tighten that up. When I open up the script ConfigMgr pushes to the client (I denied the SYSTEM account delete on the temp folder where the scripts are stored so I could grab it), either line breaks are gone (if Word Wrap is off) or it creates a two-column view of the signature (if Word Wrap is on). See my post at http://social.technet.microsoft.com/Forums/en-US/c71123b0-72b9-44c4-b9ff-727ffd647b1a/script-detection-method?prof=required for some screenshots.