With System Center 2012 Configuration Manager, as we all know, the new Application model was released. As long as you deploy an MSI, the detection method is very easy to define. But what if you want to check a registry key, as needed for .NET installations? No problem. What if you want to check whether the installation was successful with a VBScript? That is just as easy (look at this very good blog post on the topic, deploying the App-V 5 client: http://scug.be/sccm/category/detection-methods). And with a PowerShell script? Uhm… Yes, surprisingly, the PowerShell execution policy also applies to detection scripts: under AllSigned, an unsigned detection script is blocked. Honestly, in my home environment there is absolutely no question of lowering the policy below AllSigned, my home is my castle 😉 So I need to code-sign the script!
So I just made a simple application: it copies a file called eins.txt to c:\temp\test\eins.txt, and the PowerShell script then checks for the existence of that file. But let's start with some screenshots, and after that get to the code 🙂
First, you will need to create the Application and a deployment type; this is what my deployment type looks like:
The detection method is now configured with a PowerShell script, without any code signing:
Here is this simple code snippet:
# -ErrorAction SilentlyContinue keeps a missing file from writing to the error stream; $TestFile is then simply empty
$TestFile = Get-ChildItem -Path "C:\temp\test\eins.txt" -ErrorAction SilentlyContinue
# Output "True" to STDOUT only when the file exists: STDOUT data with exit code 0 means "installed", empty STDOUT means "not installed"
if ($TestFile) { $TestFile.Exists }
If you deploy an application like this while the PowerShell execution policy is set to AllSigned (only signed scripts may run), you will find the following error message in AppDiscovery.log:
In-line script returned error output: & : File C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1
cannot be loaded. The file
C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1 is not
digitally signed. The script will not execute on the system. For more
information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ & 'C:\Windows\CCM\System\Temp\49e933fa-9975-42dd-b248-36689fc53149.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
So what's next? You need a code-signing certificate; you can get one easily from your PKI, assuming you have one. The certificate needs the Code Signing enhanced key usage and must chain to a root the target computers trust.
After that, you can sign your PowerShell script with the following command:
Set-AuthenticodeSignature c:\temp\test-file.ps1 @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]
If there is more than one code-signing-capable certificate in the store, `[0]` just picks whichever comes first, so select the certificate explicitly by its thumbprint instead. In my case:
Set-AuthenticodeSignature C:\temp\test-file.ps1 (Get-Item cert:\CurrentUser\My\1A7D1E2B6D87D6B2DD06C2A59106FE91BE11D02E)
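As an added example (not code from the original post), here is the signing step as a small script rather than a one-liner: it selects the certificate by thumbprint, refuses to continue if the certificate has no private key, countersigns with a timestamp server so the signature stays valid after the certificate expires, and checks the returned signature status, because Set-AuthenticodeSignature reports most failures in the Status property instead of throwing. The script path, the thumbprint (taken from the post) and the timestamp URL are placeholders you have to adapt.

```powershell
# Added example, not part of the original post. Signs one script with a
# code-signing certificate chosen by thumbprint and verifies the result.
param(
    [string]$ScriptPath      = 'C:\temp\test-file.ps1',                        # assumed path
    [string]$Thumbprint      = '1A7D1E2B6D87D6B2DD06C2A59106FE91BE11D02E',     # thumbprint from the post
    [string]$TimestampServer = 'http://timestamp.digicert.com'                 # assumed RFC 3161 timestamp server
)

# -CodeSigningCert filters out certificates without the Code Signing EKU; the
# thumbprint match prevents signing with the wrong one when several exist.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }

if (-not $cert) {
    throw "No code-signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key, so it cannot sign anything"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}

# The timestamp lets PowerShell validate the signature after the certificate
# itself has expired; SHA256 avoids the deprecated SHA1 default.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath `
                                 -Certificate $cert `
                                 -TimestampServer $TimestampServer `
                                 -HashAlgorithm SHA256

# Anything other than Valid here (e.g. UnknownError when the certificate does
# not chain to a trusted root) means the client will refuse the script too.
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

"Signed $ScriptPath as $($sig.SignerCertificate.Subject) (thumbprint $($sig.SignerCertificate.Thumbprint))"
```

Run it once per script before importing the script into the detection method; if you later edit the script, even by one character, the signature is invalid and you must sign again.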
You should not receive any error messages. I used ISE to write and save the script on Windows 8. Be aware that in earlier versions of ISE there was a problem with signing scripts saved from ISE: http://connect.microsoft.com/PowerShell/feedback/details/483431/set-authenticodesignature-fails-on-scripts-created-from-ise
The workaround was to open the script from ISE in Notepad, copy and paste it into a new Notepad document, then save, sign and use the new script.
Once the signed script is saved, you can import it into the detection method:
Navigate to your script and open it:
Now the detection method works, provided the code-signing certificate (the public certificate, not the private key) has been imported into the Trusted Publishers store of the destination computer, and its issuing chain is trusted there as well. Use the machine-level stores, because the Configuration Manager client runs the detection script as LocalSystem, not as the logged-on user, and a trust prompt cannot be answered in that context. And then you will get your detection method with PowerShell working:
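As an added example (not code from the original post), here is the trust side of the setup: on the signing workstation, export only the public certificate; on the target computer, import it into the machine-level Trusted Publishers store (and into Trusted Root Certification Authorities only if the certificate is self-signed), then check what the client will see by reading the signature status and by running the script in a fresh process under AllSigned, the way the CCM client does. Paths and the thumbprint (from the post) are placeholders.

```powershell
# Added example, not part of the original post. First half runs where the
# private key lives, second half runs elevated on the target computer.

# --- signing workstation: export the public certificate only (no private key) ---
$Thumbprint = '1A7D1E2B6D87D6B2DD06C2A59106FE91BE11D02E'     # thumbprint from the post
$cerPath    = 'C:\temp\codesign.cer'                          # assumed path
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# --- target computer (run elevated; the CCM client runs as LocalSystem, so the
#     machine stores are the ones that matter, not the current user's) ---
$scriptPath = 'C:\temp\test-file.ps1'                         # assumed: the signed detection script

# AllSigned requires both a trusted chain and a trusted publisher. Without the
# Trusted Publishers entry PowerShell asks "Do you want to run software from
# this untrusted publisher?", and a non-interactive detection run fails.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Only for a self-signed code-signing certificate. A PKI-issued certificate
# already chains to a root the domain members trust, so leave this commented.
# Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# What the client will see: the signature must be Valid and the signer must be
# present in the machine-level Trusted Publishers store.
$sig     = Get-AuthenticodeSignature -FilePath $scriptPath
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint }

[pscustomobject]@{
    SignatureStatus  = $sig.Status            # Valid is the only acceptable value
    Signer           = $sig.SignerCertificate.Subject
    TrustedPublisher = [bool]$trusted
}

# Dry run the way the detection engine does it: a separate process under
# AllSigned. Output on STDOUT with exit code 0 is read as "installed", empty
# STDOUT with exit code 0 as "not installed".
$stdout = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy AllSigned -File $scriptPath
"STDOUT: '$stdout'  exit code: $LASTEXITCODE"
```

If SignatureStatus is anything but Valid, or TrustedPublisher is False, the AppDiscovery.log error shown above is exactly what you will get on the client, so this is the check to run before troubleshooting the deployment itself.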
/Update:
This will not work while on OSD 🙁
See this TechNet Post: http://social.technet.microsoft.com/Forums/en-US/configmanagerosd/thread/59a35100-4772-4c99-a1d9-058ac77be1ba