• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Strict AppLocker Policies and Powershell Detection Methods

Started by as, June 01, 2022, 10:37:49 AM

Previous topic - Next topic

as

While trying to implement some AppLocker policies, we decided to block Powershell from running under non admin user context.
As we were implementing we noticed that user deployments are failing to detect and evaluate.
After a bit of digging around, it's apparently due to a weird (probably intentional) behavior when it comes to evaluation logic for user deployments.
Basically when the available deployment is to a User collection, powershell script evaluations occur in user context, unlike how they would with deployments to Computer collections where it happens under system context.

https://serverfault.com/questions/699705/in-what-context-do-sccm-powershell-detection-scripts-run-in
https://www.reddit.com/r/SCCM/comments/raffkv/application_powershell_detection_method_running/

Here is the excerpt from AppDiscovery.log
Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_4E7EBB8C-1F9D-49BB-9545-567A9F3C2D81/DeploymentType_b76da5d9-3b8e-4bcf-8479-d597a275abdc" AND Revision = 1)"
Performing detection of app deployment type WebEx 42.5.0.22259 (x64)(ScopeId_4E7EBB8C-1F9D-49BB-9545-567A9F3C2D81/DeploymentType_b76da5d9-3b8e-4bcf-8479-d597a275abdc, revision 1) for user.
script parameters:  -NoLogo -Noninteractive -NoProfile  -ExecutionPolicy Bypass
Failed to create script host process, 800704ec
CScriptHandler::DiscoverApp failed (0x800704ec).
Deployment type detection failed with error 0x800704ec.
Failed to perform detection of app deployment type WebEx 42.5.0.22259 (x64)(WebEx 42.5.0.22259 (x64), revision 1) for user. Error 0x800704ec


Saw an accompanying AppLocker event 8004 "%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE was prevented from running." in "Microsoft-Windows-AppLocker/EXE and DLL" that happens at the same time. Confirmed that this was due to AppLocker by taking off the policy and testing with a bunch of other deployments.

Does anyone know of any workarounds and/or suggestions?
I am aware of options to granularly control Powershell permissions and whatnot, but that is something we decided to tackle a bit later on due to some time constraints we have for AppLocker in general.

Wes Mitchel

Hi AS
  You will need to either turn off those restrictions or allow our signed PoS scripts to run.

reeksk

Hi Wes, we have the same issue. When deploying to a user collection the detection script fails. It fails as Applocker is blocking powershell from running. So its not actually getting to even read the script yet, so the signing doesnt come into play yet. Just wondering how you or other customers get around this with Applocker blocking powershell for users?

thanks
kieren