Using signed PowerShell scripts with configuration items and applications

Edit: The deployment type detection method issue will be resolved in 1706 Current Branch. It will also be available for testing in 1705 Technical Preview.

In the past if you wanted to use a signed PowerShell script as a configuration item detection method or deployment type detection method, you would see an error on the client when it tried to process the script. Configuration Manager 2012 R2 CU2 has a fix in place to mitigate this problem and allow for using signed PowerShell scripts in configuration items and detection methods. You can download CU2 from here: https://support.microsoft.com/kb/2970177. Note that the signer of the script must be pre-trusted or else the script will continue to fail.

For this new functionality to work, both the administrator console and the client need to be updated to R2 CU2, as this fix requires changes to both pieces of the product.

First let's talk about configuration item detection methods. To add a signed PowerShell script, when editing a discovery or remediation script you must use "Open" to add the signed script; you cannot copy and paste it. There's a UI change in that the script becomes read-only in the admin console until you "Clear" it or change the data type. This is by design. Once the configuration item gets down to the client, it should process the signed PowerShell script without any issues.

Things are more complicated with deployment type detection methods. At this time there is no UI code to allow for signed PowerShell scripts, but fortunately the client-side fix that allows signed PowerShell scripts applies both to applications and to configuration items. You can use the PowerShell script attached to this blog posting to add a signed PowerShell script to a deployment type in a way the client will be able to process properly. The way it works is you edit the top few lines of the script to match your environment's site code and provider host name. Please also read the information in the header of the script carefully. Notably, it will overwrite any previous script in your deployment type. If you edit the script in the admin console after adding it with this script, the script will fail on the client. There are examples in the header of the PowerShell script showing how to use it.
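Both the configuration item and the deployment type cases above share the same failure condition: the script's signature must verify and the signer must already be trusted on the client. The following pre-flight check is an added example (not the script attached to this post) that you can run against a script file before importing it; it assumes it runs on a machine whose certificate stores mirror what your clients trust.

```powershell
# Added example: pre-flight checks for a signed detection script before it is added
# to a configuration item or a deployment type. Not the attached updatescriptdt.ps1.
function Test-SignedDetectionScript {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the hash matches AND the chain builds to a trusted root.
    # 'UnknownError' is the usual result when the signing certificate is not trusted;
    # 'HashMismatch' means the text changed after signing (e.g. copy/paste re-encoding),
    # which is why the console requires "Open" rather than pasting the script body.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false
            Reason = "$($sig.Status): $($sig.StatusMessage)" }
    }

    $thumb = $sig.SignerCertificate.Thumbprint

    # The client runs detection scripts non-interactively, so nobody can answer a
    # "run software from this untrusted publisher?" prompt. The signer therefore has to be
    # pre-trusted, i.e. present in the machine's TrustedPublisher store.
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $trusted) {
        return [pscustomobject]@{ Path = $Path; Ok = $false
            Reason = "Signer $($sig.SignerCertificate.Subject) is not in LocalMachine\TrustedPublisher" }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true
        Reason = "Signed by $($sig.SignerCertificate.Subject) (thumbprint $thumb)" }
}

# Usage: check every script in a folder (hypothetical path) before importing with "Open".
Get-ChildItem -Path .\DetectionScripts -Filter *.ps1 |
    ForEach-Object { Test-SignedDetectionScript -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it on a representative client rather than only on the console machine, since the trust stores that matter are the ones the client evaluates the script against.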

Feel free to let me know if you have any further questions!

updatescriptdt.ps1

Comments

  • Anonymous
    November 02, 2016
    Thank you for sharing this. One question: is this script suitable for use with "script" deployment types, instead of "MSI" types? e.g. changing to if($deploymentType.Technology -in "MSI","Script")
    • Anonymous
      November 03, 2016
      I dared to try: it seems that the script was loaded correctly, and that now the detection script works fine.