Signing SCCM Application Object Detection Scripts

Recently I ran across an issue where a task sequence was failing while installing an application. The returned exit code was the dreaded 16389. I have found that this exit code means the application detection rule or requirements did not process correctly.

The AppDiscovery.log file showed the following error message:

In-line script returned error output: & : File C:\WINDOWS\CCM\SystemTemp\0977b843-e4ab-4320-9a4a-2981b62a3f13.ps1
cannot be loaded. The file
C:\WINDOWS\CCM\SystemTemp\0977b843-e4ab-4320-9a4a-2981b62a3f13.ps1 is not
digitally signed. You cannot run this script on the current system.

The detection method was using a PowerShell script. Usually, Group Policy sets the script execution policy.  However, during OSD task sequences, no Group Policy is applied.  To remain secure and work around this, we must digitally sign the detection method script.

The first item needed is a code signing certificate that is trusted by the computer. The certificate can come from either a public PKI provider such as DigiCert or from your internal PKI server. Once you have obtained the certificate and its private key, import it into either the current user or local machine certificate store. Below is a PowerShell script that I use to add a digital signature to files. This script accepts two parameters: the file name to be signed and the location of the certificate store (current user or local machine).

The steps to sign the code are:

  1. Save the detection method PowerShell commands as a script file.
  2. Run the Sign-File.ps1 script providing the parameters of the file name and certificate store name.  The script defaults to the current user store.
  3. Open the Application Object in the SCCM console.
  4. Edit the Deployment Type.
  5. Select the Detection Method tab.
  6. Click on the Edit button next to “Use a custom script to detect the presence of this deployment type.”
  7. Select PowerShell as the script type.
  8. Click on the Open button.
  9. Browse to the file that was just signed.
  10. The Script Contents section will now have the digital signature embedded.
  11. Click on all the OK buttons until the Application Object is closed.
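
For steps 1 and 2, here is an added example of a signing script with the same two inputs (file name and certificate store, defaulting to the current user store). It is not the author's Sign-File.ps1; the parameter names, the use of the personal ("My") store, the SHA256 hash choice, and the optional timestamp server parameter are assumptions.

```powershell
# Added example: a hypothetical stand-in, not the author's Sign-File.ps1.
[CmdletBinding()]
param(
    # Script file to sign (parameter names here are assumptions).
    [Parameter(Mandatory = $true)]
    [string]$FilePath,

    # Store that holds the code signing certificate and its private key.
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation = 'CurrentUser',

    # Optional timestamp server URL supplied by your CA; no default is assumed.
    [string]$TimestampServer
)

$ErrorActionPreference = 'Stop'
$file = (Resolve-Path -LiteralPath $FilePath).ProviderPath

# Select unexpired code signing certificates that have a private key,
# preferring the one that remains valid the longest.
$cert = Get-ChildItem -Path "Cert:\$StoreLocation\My" -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid code signing certificate with a private key in Cert:\$StoreLocation\My"
}

$signArgs = @{
    FilePath      = $file
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
}
# A timestamp keeps the signature verifiable after the certificate expires.
if ($TimestampServer) { $signArgs['TimestampServer'] = $TimestampServer }

Set-AuthenticodeSignature @signArgs | Out-Null

# Re-read the signature from disk and fail loudly if it does not validate.
$check = Get-AuthenticodeSignature -FilePath $file
if ($check.Status -ne 'Valid') {
    throw "Signature status is '$($check.Status)': $($check.StatusMessage)"
}

"{0} signed by {1} (thumbprint {2})" -f $file, $cert.Subject, $cert.Thumbprint
```

A `Valid` status here reflects trust on the signing machine; the computer running the task sequence must trust the same certificate chain. Any later edit to the script contents invalidates the signature, so sign again and re-import the file after changes.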




One response to “Signing SCCM Application Object Detection Scripts”

  1. Morten Andersen

    Or if you don’t want to bother with Code Signing, set the PowerShell execution policy to either RemoteSigned or Unrestricted with a Run Command Line. You can set the execution policy by either changing the registry or using PowerShell itself to set it (choose your style) 🙂

    Registry within Run Command Line:
    reg add "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "RemoteSigned" /f

    PowerShell within Run Command Line:
    powershell.exe -Command "Set-ExecutionPolicy RemoteSigned"

    Make sure you do a reboot before doing app install/detection and you should be fine 🙂

