CMPivot and domain PowerShell Execution Policy "Allow Only Signed Scripts"

  • Question

  • CMPivot fails on all systems where the domain policy for PowerShell Execution Policy is set to "Allow only signed scripts". This prevents CMPivot queries from running on all machines that are not explicitly exempt (only a handful). CMPivot works if the GPO security level is lowered to "Allow Local Scripts and Remote Signed Scripts". Client Settings for PowerShell are set to "Bypass". A ticket was opened with Software Assurance and they confirmed that the domain policy will always take precedence over the Client settings, which run as local policy. I am not able to find any MS documentation that addresses this issue and a recommended workaround.

    Are there any settings that can be enabled that allow us to use the CMPivot feature while maintaining the highest level of security that requires all PS scripts to be signed?
    Monday, July 22, 2019 9:18 PM

Answers

  • You most likely won't get a Microsoft response in this forum.

     I do have this option set to "Bypass" but it is ignored. 

    It's not ignored, it's just overridden by your group policy. To my knowledge, all CMPivot scripts are signed using a Microsoft signing cert as I remember this being asked directly to the product group but that doesn't help you. You need to open a support case with Microsoft on this as they are the only ones that can address this.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by SaraGB Tuesday, July 23, 2019 3:33 AM
    Tuesday, July 23, 2019 2:09 AM
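
The override described in this answer can be confirmed on an affected client. The following is an added example, not code from the thread or from Microsoft: it reports which execution-policy scope wins and whether a given script would pass a signature check. The function names and the script path are placeholders chosen for illustration.

```powershell
# Added example (not from the thread): which scope decides the execution policy?
function Get-ExecutionPolicySource {
    # -List returns scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List
    # The first scope that is not Undefined is the one PowerShell enforces.
    $winner = $scopes |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    $process = $scopes | Where-Object { [string]$_.Scope -eq 'Process' }

    [pscustomobject]@{
        EffectivePolicy  = Get-ExecutionPolicy
        DecidingScope    = if ($winner) { [string]$winner.Scope } else { 'None (default)' }
        # True when a GPO scope wins; a per-process request such as
        # "-ExecutionPolicy Bypass" ranks below it and does not apply.
        SetByGroupPolicy = [bool]($winner -and
                               [string]$winner.Scope -in 'MachinePolicy', 'UserPolicy')
        ProcessScope     = [string]$process.ExecutionPolicy
    }
}

# Signature state of one script file, as an AllSigned policy would evaluate it.
function Test-SignedForAllSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }

    [pscustomobject]@{
        Path             = $Path
        Status           = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        # AllSigned also expects the signer in Trusted Publishers; otherwise
        # PowerShell prompts before running the script.
        TrustedPublisher = [bool]($thumb -and
                               (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"))
    }
}

Get-ExecutionPolicySource
# Placeholder path: point it at the script you want to check.
# Test-SignedForAllSigned -Path 'C:\Temp\example.ps1'
```

If `DecidingScope` is `MachinePolicy` or `UserPolicy`, the value comes from Group Policy and a lower-scope setting cannot change it.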

All replies

  • Hi,

    I don't think there is a workaround to use CMPivot while keeping execution restricted to only signed PS scripts.

    You can set the policy in the client settings also:

    With that, you can deploy custom client settings to a specific device collection to reduce the risk.

    We're waiting for a Microsoft member to confirm whether there is any workaround for this or not.

    Regards,

    SAAD Youssef

    Monday, July 22, 2019 10:01 PM
  • Thanks. I do have this option set to "Bypass" but it is ignored. I can track the execution of the query to the scripts.log, where it appears to execute and produces "Process completed with exit code 0". However, the results are reported back as a failure with output "Unsupported PowerShellVersion". I look forward to Microsoft's response.
    Unsupported PowerShell version.
    Unsupported PowerShell version.

    SaraGB

    Tuesday, July 23, 2019 1:07 AM
  • Thanks, Jason

    SaraGB

    Tuesday, July 23, 2019 3:34 AM