Recently I ran across an issue where a task sequence was failing on installing an application. The returned exit code was the dreaded 16389. I have found that this exit code means the application detection rule or requirements did not process correctly.
The AppDiscovery.log file showed the following error message:
In-line script returned error output: & : File C:\WINDOWS\CCM\SystemTemp\0977b843-e4ab-4320-9a4a-2981b62a3f13.ps1 cannot be loaded. The file C:\WINDOWS\CCM\SystemTemp\0977b843-e4ab-4320-9a4a-2981b62a3f13.ps1 is not digitally signed. You cannot run this script on the current system.
The detection method was a PowerShell script. On a domain-joined client, Group Policy usually sets the PowerShell execution policy, and the MachinePolicy scope it writes overrides whatever policy the ConfigMgr client asks for when it launches a script. During an OSD task sequence no Group Policy has been applied yet, so the client's own Computer Agent setting "PowerShell execution policy" applies; that setting defaults to All Signed, which refuses an unsigned detection script. Switching the client setting to Bypass would make the script run, but it would also let any unsigned script run through the client. To stay secure and work around this, we digitally sign the detection method script instead.
The first item needed is a code signing certificate that the target computer trusts: its chain must end in a root the client trusts, and the signing certificate itself should be in the client's Trusted Publishers store, because under All Signed a script from an unknown publisher triggers an interactive "do you want to run software from this untrusted publisher" prompt that the non-interactive ConfigMgr client cannot answer. The certificate can come from a public CA such as DigiCert or from your internal PKI. Once you have obtained the certificate and its private key, import it into either the current user or local machine certificate store. Below is a PowerShell script that I use to add a digital signature to files. It accepts two parameters: the file name to be signed and the certificate store location, current user or local machine. Sign-File.ps1.zip
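The attached Sign-File.ps1 is not reproduced on this page, so the following is an added example of an equivalent signing script, written for this article rather than taken from the author's download. It assumes the certificate sits in the personal (My) store of the chosen location and that the timestamp server URL (DigiCert's public RFC 3161 service is used here as an assumption) is reachable; timestamping keeps the signature valid after the certificate expires, and SHA-256 is chosen because SHA-1 signatures are no longer trusted on current Windows builds.

```powershell
<#
.SYNOPSIS
  Adds an Authenticode signature to a PowerShell script (added example, not
  the original Sign-File.ps1 from the article).
.PARAMETER FilePath
  Script file to sign.
.PARAMETER StoreLocation
  Certificate store location that holds the code signing certificate and
  its private key: CurrentUser (default) or LocalMachine.
.PARAMETER TimestampServer
  RFC 3161 timestamp service. Assumption: DigiCert's public endpoint.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]$FilePath,

    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation = 'CurrentUser',

    [string]$TimestampServer = 'http://timestamp.digicert.com'
)

$now = Get-Date

# -CodeSigningCert limits the listing to certificates with the Code Signing EKU.
# Keep only those we can actually sign with (private key present) and that are
# currently within their validity period.
$candidates = Get-ChildItem -Path "Cert:\$StoreLocation\My" -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }

if (-not $candidates) {
    throw "No valid code signing certificate with a private key found in Cert:\$StoreLocation\My"
}

# If several certificates qualify, use the one that expires last.
$cert = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
Write-Verbose "Signing '$FilePath' with $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Embed the full chain so the client can validate without fetching intermediates.
$signature = Set-AuthenticodeSignature -FilePath $FilePath `
                                       -Certificate $cert `
                                       -HashAlgorithm SHA256 `
                                       -TimestampServer $TimestampServer `
                                       -IncludeChain All

# Set-AuthenticodeSignature reports problems through Status rather than by throwing.
if ($signature.Status -ne 'Valid') {
    throw "Signing failed: $($signature.Status) - $($signature.StatusMessage)"
}

[pscustomobject]@{
    Path        = $signature.Path
    Status      = $signature.Status
    Signer      = $signature.SignerCertificate.Subject
    Timestamped = $null -ne $signature.TimeStamperCertificate
}
```

Run it as `.\Sign-File.ps1 -FilePath .\Detect-MyApp.ps1 -StoreLocation LocalMachine`. Signing with a certificate in the LocalMachine store requires an elevated session with access to the private key; a certificate whose private key is marked non-exportable still works, because the key never leaves the store.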
The steps to sign the code are:
- Save the detection method PowerShell commands as a script file.
- Run the Sign-File.ps1 script providing the parameters of the file name and certificate store name. The script defaults to the current user store.
- Open the Application Object in the SCCM console.
- Edit the Deployment Type.
- Select the Detection Method tab.
- Click on the Edit button next to “Use a custom script to detect the presence of this deployment type.”
- Select PowerShell as the script type.
- Click on the Open button.
- Browse to the file that was just signed.
- The Script Contents section will now show the script with the digital signature block embedded at the end. Do not edit the contents in the console: any change to the text, even whitespace, invalidates the signature, and the script must be re-signed and re-imported.
- Click on all the OK buttons until the Application Object is closed.
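Before deploying, it is worth checking on a freshly built client (or any machine with the same certificate stores as the OSD target) that the signed script will actually be accepted under All Signed. The following is an added example, not part of the original article: it verifies the signature, builds the certificate chain without a network revocation check (the state a machine is in during OSD), and checks whether the signer is in the LocalMachine Trusted Publishers store, which is what stops PowerShell from prompting for an untrusted publisher. The file path and the store names are the standard ones; nothing else is assumed.

```powershell
<#
  Checks whether a signed detection script would run under an AllSigned
  execution policy on this machine (added example, not the article's code).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]$FilePath
)

$sig = Get-AuthenticodeSignature -FilePath $FilePath
$signer = $sig.SignerCertificate
if (-not $signer) {
    throw "'$FilePath' carries no Authenticode signature (status: $($sig.Status))"
}

# Build the chain the way the OS will on the client. Revocation checking is
# disabled because a machine in OSD typically has no route to CRL/OCSP endpoints.
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($signer)
$rootSubject = if ($chain.ChainElements.Count -gt 0) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
} else { '<no chain>' }

# Under AllSigned a signer that is not in TrustedPublisher (and not in
# Disallowed) causes an interactive prompt, which fails in the ConfigMgr client.
$publisherTrusted = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$($signer.Thumbprint)"
$publisherBlocked = Test-Path -Path "Cert:\LocalMachine\Disallowed\$($signer.Thumbprint)"

$report = [pscustomobject]@{
    File             = $FilePath
    SignatureStatus  = $sig.Status
    StatusMessage    = $sig.StatusMessage
    Signer           = $signer.Subject
    Timestamped      = $null -ne $sig.TimeStamperCertificate
    ChainBuilds      = $chainBuilds
    ChainRoot        = $rootSubject
    PublisherTrusted = $publisherTrusted
    PublisherBlocked = $publisherBlocked
    # Effective policy per scope; MachinePolicy is the one Group Policy writes.
    ExecutionPolicy  = (Get-ExecutionPolicy -List |
                        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
}
$report

$wouldRun = ($sig.Status -eq 'Valid') -and $chainBuilds -and $publisherTrusted -and -not $publisherBlocked
if ($wouldRun) {
    Write-Host "OK: '$FilePath' will run under AllSigned on this machine."
} else {
    Write-Warning "'$FilePath' would NOT run under AllSigned on this machine; see the report above."
}
```

If ChainBuilds is false the root (or an intermediate, when the signature was made without -IncludeChain) is missing from the client; if PublisherTrusted is false the signing certificate needs to be placed in the Trusted Publishers store of the reference image or by an early task sequence step, since Group Policy will not have delivered it during OSD.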