We are running SCCM 2012 R2 CU4.
We have a GPO at the root of the domain setting the Powershell execution policy to Allow only signed scripts. In the SCCM Client Settings I have the Powershell execution policy set to Bypass.
I have my Powershell script signed with a certificate that's in the computer's Trusted Publishers store. I can run the script locally on my test computer and it runs as expected. In SCCM on the Deployment Type -> Detection Method I choose custom script, Powershell as my type and I browse and import my signed script. SCCM reports my script length is the same number of lines as the actual script.
When I do an Application Deployment check I can see in the AppDiscovery.log where it tries to run the script. But it errors out saying:
In-line script returned error output: File C:\Windows\CCM\SystemTemp\64c32b3d-e1b1-408d-a083-30057ce2cb29.ps1 cannot
be loaded. The file C:\Windows\CCM\SystemTemp\64c32b3d-e1b1-408d-a083-30057ce2c
b29.ps1 is not digitally signed. The script will not execute on the system. Ple
ase see "get-help about_signing" for more details..
At line:1 char:2
+ & <<<< 'C:\Windows\CCM\SystemTemp\64c32b3d-e1b1-408d-a083-30057ce2cb29.ps1'
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException
It says the script is "not digitally signed".
I can see in the log the command it is trying to run so I know it's using the -ExecutionPolicy Bypass switch:
Script command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -Noninteractive -ExecutionPolicy Bypass "& 'C:\Windows\CCM\SystemTemp\64c32b3d-e1b1-408d-a083-30057ce2cb29.ps1'"
I have a copy of the script on my test machine. When I run the above command replacing the temp script with the actual script it runs fine. When I use PSexec to run a command prompt as system and run the command it runs fine.
In all honesty, the Powershell Detection Method has never worked for us even after installing CU2 which was supposed to fix it. I'm not sure what we're doing wrong here since there are countless articles online that say this works perfectly. Is the problem the GPO? But since the script is actually signed this shouldn't be a problem.
Any help would be greatly appreciated.
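An added diagnostic to run on the test machine as SYSTEM (not code from the original post). It lists the execution policy in every scope, compares the Authenticode status and content hash of the original script against the temp copy SCCM wrote, and checks whether the signer is in the machine's Trusted Publishers store. The original script path is a placeholder; the temp path is the one from the log above, and it only exists while the detection script is being evaluated. Written to run on PowerShell 2.0 or later.

```powershell
# Added diagnostic, not from the original post. $OriginalScript is a placeholder;
# $TempScript is the path quoted in AppDiscovery.log (exists only briefly).
param(
    [string]$OriginalScript = 'C:\Scripts\Detect.ps1',
    [string]$TempScript = 'C:\Windows\CCM\SystemTemp\64c32b3d-e1b1-408d-a083-30057ce2cb29.ps1'
)

# 1. Policy per scope. MachinePolicy/UserPolicy (set by GPO) take precedence over the
#    Process scope, which is where "-ExecutionPolicy Bypass" on the command line lands.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# SHA-256 of a file's raw bytes via .NET so this works without Get-FileHash (PS 4.0+).
function Get-RawSha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
}

# 2. Signature state of each copy. Valid = signed and chain trusted; NotSigned = no
#    signature block present; HashMismatch = file content changed after signing;
#    UnknownError = signature present but the chain could not be validated.
#    Differing hashes mean SCCM's copy is not byte-identical to what was signed.
foreach ($path in @($OriginalScript, $TempScript)) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{
        Path       = $path
        Status     = $sig.Status
        Signer     = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject })
        Thumbprint = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint })
        Sha256     = Get-RawSha256 $path
    } | Format-List
}

# 3. Is the signing certificate in the machine-wide Trusted Publishers store?
#    AllSigned requires the signer to be trusted there (or in the user's store).
$orig = Get-AuthenticodeSignature -FilePath $OriginalScript
if ($orig.SignerCertificate) {
    $thumb = $orig.SignerCertificate.Thumbprint
    $found = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
             Where-Object { $_.Thumbprint -eq $thumb }
    if ($found) { "Signer $thumb is in LocalMachine\TrustedPublisher" }
    else        { Write-Warning "Signer $thumb is NOT in LocalMachine\TrustedPublisher" }
}
```

To catch the temp copy, run the application deployment evaluation and read the file while AppDiscovery.log shows the script executing, or copy the file out from a PsExec SYSTEM prompt.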