While trying to implement some AppLocker policies, we decided to block PowerShell from running under a non-admin user context.
As we were implementing we noticed that user deployments are failing to detect and evaluate.
After a bit of digging around, it's apparently due to a weird (probably intentional) behavior when it comes to evaluation logic for user deployments.
Basically, when the available deployment targets a User collection, PowerShell script evaluations occur in the user context, unlike deployments to Computer collections, where they run under the system context.
https://serverfault.com/questions/699705/in-what-context-do-sccm-powershell-detection-scripts-run-in
https://www.reddit.com/r/SCCM/comments/raffkv/application_powershell_detection_method_running/
Here is the excerpt from AppDiscovery.log
```text
Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_4E7EBB8C-1F9D-49BB-9545-567A9F3C2D81/DeploymentType_b76da5d9-3b8e-4bcf-8479-d597a275abdc" AND Revision = 1)"
Performing detection of app deployment type WebEx 42.5.0.22259 (x64)(ScopeId_4E7EBB8C-1F9D-49BB-9545-567A9F3C2D81/DeploymentType_b76da5d9-3b8e-4bcf-8479-d597a275abdc, revision 1) for user.
script parameters: -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass
Failed to create script host process, 800704ec
CScriptHandler::DiscoverApp failed (0x800704ec).
Deployment type detection failed with error 0x800704ec.
Failed to perform detection of app deployment type WebEx 42.5.0.22259 (x64)(WebEx 42.5.0.22259 (x64), revision 1) for user. Error 0x800704ec
```
Saw an accompanying AppLocker event 8004 "%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE was prevented from running." in "Microsoft-Windows-AppLocker/EXE and DLL" that happens at the same time. Confirmed that this was due to AppLocker by taking off the policy and testing with a bunch of other deployments.
Does anyone know of any workarounds and/or suggestions?
I am aware of options to granularly control Powershell permissions and whatnot, but that is something we decided to tackle a bit later on due to some time constraints we have for AppLocker in general.
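An added client-side diagnostic for exactly this failure mode (it is not from the original post): it scans AppDiscovery.log for "Failed to create script host process" entries, decodes the HRESULT 0x800704EC to its Win32 code 1260 (ERROR_ACCESS_DISABLED_BY_POLICY, the code returned when AppLocker or SRP blocks a process launch), and counts AppLocker 8004 events for powershell.exe within a minute of each failure. The log path and the CMTrace-format sample lines used when the log is absent are assumptions.

```powershell
# Added diagnostic, not part of the original post. Correlates ConfigMgr user-context
# detection failures (0x800704EC) with AppLocker 8004 "prevented from running" events.
$LogPath = 'C:\Windows\CCM\Logs\AppDiscovery.log'   # default client log location (assumption)

# Constructed sample lines in CMTrace format, used only when the real log is not present.
$SampleLines = @(
  '<![LOG[Performing detection of app deployment type WebEx (x64) for user.]LOG]!><time="10:15:02.100+000" date="06-01-2022" component="AppDiscovery" context="" type="1" thread="1234" file="appprovider.cpp:1">',
  '<![LOG[Failed to create script host process, 800704ec]LOG]!><time="10:15:02.350+000" date="06-01-2022" component="AppDiscovery" context="" type="3" thread="1234" file="scripthandler.cpp:1">'
)
$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLines }

# CMTrace line layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" ...>
$LinePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'

function ConvertFrom-CMTraceTime([string]$Date, [string]$Time) {
    $t = $Time -replace '[+-]\d+$', ''      # drop the UTC offset suffix, keep local time
    [datetime]::ParseExact("$Date $t", 'MM-dd-yyyy HH:mm:ss.fff', $null)
}

$Failures = foreach ($line in $Lines) {
    if ($line -notmatch $LinePattern) { continue }
    $when = ConvertFrom-CMTraceTime $Matches.date $Matches.time   # capture before the next -match resets $Matches
    $msg  = $Matches.msg
    if ($msg -match 'Failed to create script host process, (?<hr>[0-9a-fA-F]{8})') {
        $hr = [Convert]::ToUInt32($Matches.hr, 16)
        [pscustomobject]@{
            When    = $when
            HResult = '0x{0:X8}' -f $hr
            Win32   = $hr -band 0xFFFF        # low 16 bits of a FACILITY_WIN32 HRESULT
        }
    }
}

# AppLocker block events for powershell.exe (only available on a Windows host).
$AppLocker = @()
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    $AppLocker = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'POWERSHELL\.EXE' })
}

foreach ($f in $Failures) {
    $nearby  = @($AppLocker | Where-Object { [math]::Abs(($_.TimeCreated - $f.When).TotalSeconds) -le 60 })
    $verdict = if ($f.Win32 -eq 1260) { 'ERROR_ACCESS_DISABLED_BY_POLICY (blocked by AppLocker/SRP)' } else { "Win32 error $($f.Win32)" }
    '{0:s}  {1}  {2}  AppLocker 8004 events within 60s: {3}' -f $f.When, $f.HResult, $verdict, $nearby.Count
}
```

Run it elevated on an affected client so the AppLocker operational log is readable; a 1260 verdict with matching 8004 events confirms the policy, not the detection script, is the cause.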