SCCM Detection Method: Error 0x87D00327 (-2016410841) Script is not signed

P M 21 Reputation points
2020-12-16T14:57:09.067+00:00

I discovered a problem in SCCM compliance. When using a PS script for detection, an error (0x87D00327 (-2016410841) Script is not signed) is returned. After closer examination of the problem, I found out:
SCCM creates a temporary ps1 file in the C:\Windows\CCM\SystemTemp.
This file is slightly different from the original. The original contains CR+LF at the end of the line, the SCCM file contains only LF at the end of the line. Powershell cannot detect a signed script file with only LF line ending.

Is it possible to confirm this statement that this is indeed the case? And the error is on the SCCM side because it changes the content?

Examples of files

Original Sample:
48728-originalsample.png

SCCM script sample:
48832-sccmsample.png

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,565 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. Jason Sandys 31,311 Reputation points Microsoft Employee
    2020-12-30T02:08:13.967+00:00

    You need to open a support case at this point as something else is going on here. Using the Open button and selecting the file does not (or at least should not) modify the file in any way -- that's the entire point of the open function. I've used this in multiple production environments without issue and have recently tested in my lab as well.


5 additional answers

Sort by: Most helpful
  1. Youssef Saad 3,416 Reputation points
    2020-12-16T15:47:28.057+00:00

    Hi,

    By default, the Powershell execution policy is set as Restricted, you can type in Powershell Get-ExecutionPolicy to know.

    If you want sign your scripts, you can change this policy to AllSigned and sign it using a Certificate Code Signing template, don't forget to install this certificate into Trusted Publisher certificate store. Only signed scripts will be allowed to run, you can also bypass this policy but It's not secure and recommended.

    You can change the Powershell execution policy under Client Settings > Computer Agent.

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com
    Please remember to ** “Accept answer” ** for useful answers, thank you!

    2 people found this answer helpful.
    0 comments No comments

  2. Jason Sandys 31,311 Reputation points Microsoft Employee
    2020-12-16T15:44:05.937+00:00

    Assuming you are talking about a detection script within a configuration item, how did you add the script? If you copied and pasted, then yes, the above behavior will occur. You must use the "Open" button when creating or updating the detection script in the CI for it to properly preserve the script and signature.

    As an additional note here, don't use Win32_Product. It has known, negative side effects (yes, just querying the class) and for anything except one off use, it's strongly recommended that you don't use it.

    1 person found this answer helpful.
    0 comments No comments

  3. P M 21 Reputation points
    2020-12-21T09:43:36.407+00:00

    Yes, Im talking about a detection script within a configuration item. I have GPO setting set to Allsigned. I try both metod Copy/Paste and Open.../file.ps1. Both metod are ended with same error.
    I know, I could change ExecutionPolicy, but I don't want to.
    If I run the Signed Script, it runs on the PC without any problems, but not via SCCM Compliance. There is an error in modifying the end of the line.


  4. Reittier 1 Reputation point
    2024-05-06T08:13:38.3+00:00

    Hi @PM did you ever resolve this issue? Having the same issue with MECM Version 2309.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.