With System Center 2012 Configuration Manager, we all know it, the new Application model was released. As long as you deploy MSI, the detection method, is very easy to define. But what, if you want to check a registry key, as needed with .Net installations? No Problem. What, if you want to check if the Installation was successfull with a VB-Script? It’s that easy (Look at this very good Blog Post about the Topic to deploy the App-V 5 Client: http://scug.be/sccm/category/detection-methods). And with a Powershell script? Uhm… Yes surprisingly, the block of scripts also applied to the detection method, and honestly, in my home environment, there is absolutely no doubt to decrease this behaviour below AllSigned, my home is my Castle 😉 I need to code-sign the script!
So i just made a simple application, it copies a file called eins.txt to c:\temp\test\eins.txt, and the Powershell script then checks the existence of the file. But lets get first to some screenshots, and after that to the codes 🙂
First, you will need to create the Application, and a deployment type, this is how my deployment type is looking:
The detection method is now configured with a Powershell script, without any code-signing:
Here is this simple code snippet:
$TestFile = Get-ChildItem -Path "C:\temp\test\eins.txt"
If you deploy an application like this, and the Powershell Execution Policy is set to run only signed scripts, you will find the following error message in the AppDiscovery.log:
In-line script returned error output: & : File C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1
cannot be loaded. The file
C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1 is not
digitally signed. The script will not execute on the system. For more
information, see about_Execution_Policies at
At line:1 char:3
+ & 'C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1'
+ CategoryInfo : SecurityError: (:) , PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
So what’s next? You’ve got to get a code-signing certificate, you can get it easily from your PKI, hopefully you got one.
After this, you can sign your Powershell script with the following command:
Set-AuthenticodeSignature c:\temp\test-file.ps1 @(Get-ChildItem cert:CurrentUserMy -codesigning)
If there are more than one code-signing capable certificates in the store, you have to use another term, in my case:
Set-AuthenticodeSignature C:\temp\test-file.ps1 @(Get-ChildItem cert:CurrentUserMy1A7D1E2B6
You should not receive any error messages. I used ISE to make and save the script on Windows 8. Be Aware, in earlier Versions of ISE, there was a Problem with signing script saved from ISE: http://connect.microsoft.com/PowerShell/feedback/details/483431/set-authenticodesignature-fails-on-scripts-created-from-ise
The Workaround was, to open the script from ISE in Notepad, copy and paste it in a new Notepad document, then save, sign and use the new script.
When the script is saved, you can Import it to the detection method:
Navigate to your script and open it:
Now, the detection method is working, when your have imported the public key of the code-signing certificate to the Trusted Publisher store of the Destination Computer. And then, you will get your detection mehtod with powershell working:
This will not work while on OSD 😦
See this TechNet Post: http://social.technet.microsoft.com/Forums/en-US/configmanagerosd/thread/59a35100-4772-4c99-a1d9-058ac77be1ba
11 thoughts on “SCCM 2012 – Application detection with Powershell … and code-signing”
Did you do anything else to make this work? I’m running ConfigMgr 2012 SP1 CU1 and tried in Microsoft’s virtual labs which is ConfigMgr 2012 RTM. My clients never see the signature block because the file that gets created on the client has no carriage returns (if you open it in Notepad, it is one long string with no line breaks).
With the sample above, my script has carriage Returns, also in notepad. But I did nothing else with the file as written above. Do you Import the script or copy/paste to the text box? Does the script work when executed via PS Shell?
Greetings. I found that ConfigMgr stripped my trailing linebreaks after the signature block. This in turn made the Detection Method fail with “not digitally signed”. I haven’t found a way to sign my PS scripts without the trailing linebreak… Any ideas?
Anders B. had the same Problem. He also asked in the TechNet Forum. As written above, I didn’t get this error.
I see. Did you by any chance get a link to the technet post? I haven´t found anyone else with this problem apart from Anders B. I´ve also created a post on the Partner Forum, so comparing cases would help a lot.
Here you are:
Would you please post your thread, so I also can get updated?
Thank you. Yes, the link to the post is http://partnersupport.microsoft.com/en-us/profile/dff9eb57-d03c-4d36-8aae-42ca4cbd15f2. You need to be a partner to read it though. I´ll keep you posted. The workaround with Client Settings will have to do for now until I get an answer.
Correct URL is of course:
Microsoft Support opened a bug for this issue. I don’t have access to the connect site in order to view the status, but this is the link they gave me.
Thank you! I´ve added a comment and upvoted this bug. The workaround is not good as it compromises security.
Changing the Client agent to Bypass works but I don’t like it. It’s not the worst PowerShell security hole because Bypass only applies for ConfigMgr initiated scripts. But I would like to get it working with AllSigned to tighten that up. When I open up the script ConfigMgr pushes to the client (I denied the SYSTEM account delete on the temp folder where the scripts are stored so I could grab it), either line breaks are gone (If Word Wrap is off) or it creates a two column view of the signature (If Word Wrap is on). See my post at http://social.technet.microsoft.com/Forums/en-US/c71123b0-72b9-44c4-b9ff-727ffd647b1a/script-detection-method?prof=required for some screen shots