You need to open a support case at this point as something else is going on here. Using the Open button and selecting the file does not (or at least should not) modify the file in any way -- that's the entire point of the open function. I've used this in multiple production environments without issue and have recently tested in my lab as well.
SCCM Detection Method: Error 0x87D00327 (-2016410841) Script is not signed
I discovered a problem in SCCM compliance. When using a PS script for detection, an error (0x87D00327 (-2016410841) Script is not signed) is returned. After closer examination of the problem, I found out:
SCCM creates a temporary ps1 file in C:\Windows\CCM\SystemTemp.
This file is slightly different from the original. The original contains CR+LF at the end of each line; the SCCM file contains only LF at the end of each line. PowerShell cannot detect a signed script file with only LF line endings.
Is it possible to confirm this statement that this is indeed the case? And the error is on the SCCM side because it changes the content?
Examples of files
Original Sample:
SCCM script sample:
-
Jason Sandys 31,311 Reputation points Microsoft Employee
2020-12-30T02:08:13.967+00:00
-
Youssef Saad 3,416 Reputation points
2020-12-16T15:47:28.057+00:00
Hi,
By default, the PowerShell execution policy is set to Restricted; you can run Get-ExecutionPolicy in PowerShell to check.
If you want to sign your scripts, you can change this policy to AllSigned and sign them using a certificate from a Code Signing template. Don't forget to install this certificate into the Trusted Publishers certificate store. Only signed scripts will be allowed to run. You can also bypass this policy, but it's not secure and not recommended.
You can change the Powershell execution policy under Client Settings > Computer Agent.
Regards,
Youssef Saad | New blog: https://youssef-saad.blogspot.com
-
Jason Sandys 31,311 Reputation points Microsoft Employee
2020-12-16T15:44:05.937+00:00
Assuming you are talking about a detection script within a configuration item, how did you add the script? If you copied and pasted, then yes, the above behavior will occur. You must use the "Open" button when creating or updating the detection script in the CI for it to properly preserve the script and signature.
As an additional note here, don't use Win32_Product. It has known, negative side effects (yes, just querying the class) and for anything except one off use, it's strongly recommended that you don't use it.
-
P M 21 Reputation points
2020-12-21T09:43:36.407+00:00
Yes, I'm talking about a detection script within a configuration item. I have the GPO setting set to AllSigned. I tried both methods, Copy/Paste and Open.../file.ps1. Both methods ended with the same error.
I know I could change the ExecutionPolicy, but I don't want to.
If I run the signed script, it runs on the PC without any problems, but not via SCCM Compliance. There is an error in modifying the end of the line.
-
Reittier 1 Reputation point
2024-05-06T08:13:38.3+00:00
Hi @PM did you ever resolve this issue? Having the same issue with MECM Version 2309.
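
One way to check the line-ending observation from the question on a client, as an added example that is not part of any post in this thread: it reports CRLF and bare-LF counts, a hash, and the Authenticode status for each file so the signed original can be compared with the copy the client wrote. `Get-ScriptLineEndingReport` is a hypothetical helper name, and the two sample files are constructed and unsigned.

```powershell
# Added example (not from the thread). Get-ScriptLineEndingReport is a hypothetical helper name.
function Get-ScriptLineEndingReport {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $full = (Resolve-Path -LiteralPath $p).ProviderPath
        # ReadAllText honours a BOM, so UTF-8 and UTF-16 scripts are both decoded correctly.
        $text = [System.IO.File]::ReadAllText($full)
        $sig  = Get-AuthenticodeSignature -LiteralPath $full
        [pscustomobject]@{
            Path            = $full
            CRLF            = [regex]::Matches($text, "\r\n").Count
            BareLF          = [regex]::Matches($text, "(?<!\r)\n").Count   # LF not preceded by CR
            HasSigBlock     = $text -match '(?m)^# SIG # Begin signature block'
            SHA256          = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            SignatureStatus = $sig.Status
            StatusMessage   = $sig.StatusMessage
        }
    }
}

# Constructed sample: the same unsigned two-line script written once with CRLF and once with LF.
# Both will report NotSigned; the point here is the CRLF/BareLF counts and the differing hashes.
$dir  = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$orig = Join-Path $dir 'original.ps1'
$copy = Join-Path $dir 'lf-copy.ps1'
$body = "Write-Output 'Compliant'`r`nexit 0`r`n"
[System.IO.File]::WriteAllText($orig, $body)
[System.IO.File]::WriteAllText($copy, $body.Replace("`r`n", "`n"))

Get-ScriptLineEndingReport -Path $orig, $copy | Format-List
Remove-Item -LiteralPath $dir -Recurse
```

To test a real case, pass the signed source file and a copy of the temporary ps1 captured from C:\Windows\CCM\SystemTemp; differing hashes with a non-zero BareLF count on the copy would show the content was changed after signing.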