This week my post will still be a small one, as my time is still limited during the move to our new home. In between I was still doing some work and trying to find a subject for a presentation/demo. During that I was working with the Configuration Baseline of UE-V. That baseline is completely based on one Configuration Item, which consists of eight script setting types, and those scripts are all written in PowerShell. The deployment of the baseline resulted in error 0x87D00327, which translates to ‘Script is not signed’ (see picture).
Solution
In most cases it’s not possible, or allowed, to change the execution policy for PowerShell on the system. So just let the ConfigMgr client “manage it”, and then the solution is actually very simple. In the Client Settings, under Computer Agent, there is an option to configure the PowerShell execution policy. The only pitfall here is that it means something different than one might think. These are the options:
- Bypass: The ConfigMgr client bypasses the PowerShell configuration on the local system so that unsigned scripts can run.
- Restricted (default in ConfigMgr 2012): The ConfigMgr client uses the current PowerShell configuration on the local system, which determines whether, or not, unsigned scripts can run.
- All Signed (default in ConfigMgr 2012 SP1): The ConfigMgr client runs scripts only if they are signed by a trusted publisher and applies independently from the current PowerShell configuration on the local system.
The easiest way to configure this, for the Configuration Baseline, is to follow the next steps:
- In the Configuration Manager Console navigate to Administration > Overview > Client Settings.
- On the Home tab, in the Create group, select Create Custom Client Device Settings and the Create Custom Client Device Settings popup will show.
- On the General page, fill in a Name (<aName>) and select Computer Agent.
- On the Computer Agent page, next to PowerShell execution policy, select Bypass and click Ok.
- Select the new policy <aName> and on the Home tab, in the Client Settings group, select Deploy.
- Select <aDeviceCollection> and click Ok.
Result
As always, now it’s time to take a look at the result. In this case it would be easy to just show a good result of the deployment of the Configuration Baseline, but I want to show some more. I want to show the result of the deployment of the new Client Settings. Normally, the best places to look at the results are the log files. In this case, there is no log file that shows the current setting of the PowerShell execution policy. So the best place to look at that is the old-school Policy Spy. In this case it will show PowerShellExecutionPolicy = 1 as a setting under Machine \ CCM_ClientAgentConfig. The meanings of the possible values are:
- 0 = All signed
- 1 = Bypass
- 2 = Restricted
More information: http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings
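As an added example (not code from the original post), the following PowerShell reads the same setting Policy Spy shows, maps it with the values listed above, and puts it next to the local machine execution policy so an admin can see which scripts the Bypass setting actually affects. It assumes the class is read from the WMI namespace root\ccm\Policy\Machine\ActualConfig, which is where the "Machine \ CCM_ClientAgentConfig" node in Policy Spy comes from.

```powershell
# Added example, not part of the original post.
# Assumption: CCM_ClientAgentConfig lives in root\ccm\Policy\Machine\ActualConfig
# on a machine with the ConfigMgr client installed. Value mapping is from the post.

$policyNames = @{ 0 = 'AllSigned'; 1 = 'Bypass'; 2 = 'Restricted' }

function Get-CcmPowerShellExecutionPolicy {
    # Read the effective (actual) client agent configuration from the local policy store
    $cfg = Get-CimInstance -Namespace 'root\ccm\Policy\Machine\ActualConfig' `
                           -ClassName 'CCM_ClientAgentConfig' -ErrorAction Stop
    $value = [int]$cfg.PowerShellExecutionPolicy
    $name  = if ($policyNames.ContainsKey($value)) { $policyNames[$value] } else { "Unknown($value)" }
    [pscustomobject]@{ Value = $value; Name = $name }
}

$ccm   = Get-CcmPowerShellExecutionPolicy
# What a script started outside the ConfigMgr agent is subject to
$local = Get-ExecutionPolicy -Scope LocalMachine

"ConfigMgr agent PowerShellExecutionPolicy : $($ccm.Name) ($($ccm.Value))"
"Local machine execution policy            : $local"

switch ($ccm.Name) {
    'Bypass'     { 'Scripts started by the ConfigMgr agent run unsigned; scripts started any other way still follow the local machine policy.' }
    'Restricted' { 'Scripts started by the agent follow the local machine policy; unsigned baseline scripts fail with 0x87D00327 if that policy does not allow them.' }
    'AllSigned'  { 'Scripts started by the agent must be signed by a trusted publisher, whatever the local machine policy says.' }
}
```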
Hi Peter. Just a question on this as I am not sure which way to look at this.
By doing the unsigned setting via the SCCM client, does this mean that the PowerShell scripts will run unsigned if coming from the SCCM client, but still will not allow scripts running outside of the SCCM client as unsigned? In other words, once this is set, will any scripts, no matter how they run, run unsigned, or only the ones coming from SCCM?
Thanks so much, James.
Hi James,
That only applies to the script started by the agent.
Peter