“This publisher is explicitly not trusted on your system” when using AllSigned Execution Policy

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Today I have been working with a customer that had the execution policy on all of their servers switched to AllSigned. Since most of the DSC modules are not signed, they signed these modules themselves before deploying them to the servers. Unfortunately, after switching the Execution Policy to AllSigned, they got this error message:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SERVER1 with user sid S-1-5-21-1847891336-3378225678-3880314678-500.
VERBOSE: [SERVER1]: [] Starting consistency engine.
VERBOSE: [SERVER1]: [] A pending configuration exists. DSC will process a set request on the pending configuration.
VERBOSE: [SERVER1]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\CertificateDsc\4.7.0.0\DscResources\MSFT_PfxImport\MSFT_PfxImport.psm1 in force mode.
VERBOSE: [SERVER1]: [] Consistency check completed.
Importing module MSFT_PfxImport failed with error - File C:\Program Files\WindowsPowerShell\Modules\CertificateDsc\4.7.0.0\DscResources\MSFT_PfxImport\MSFT_PfxImport.psm1 is published by CN=CodeSigningTest. This publisher is explicitly not trusted on your system. The script will not run on the system. For more information, run the command "get-help about_signing". LCM failed to start desired state configuration manually.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : ImportModuleFailed
    + PSComputerName        : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.177 seconds

Reproduction

I was able to reproduce the issue on my own test environment by following these steps:
1. Create a new self-signed certificate by using the following command:

$cert = New-SelfSignedCertificate -FriendlyName "CodeSigningTest" -CertStoreLocation Cert:\LocalMachine\My -Subject "CodeSigningTest" -Type CodeSigningCert

2. Open certlm.msc and copy the created certificate from "Personal\Certificates" to "Trusted Root Certification Authorities\Certificates" (making sure the entire certificate chain is trusted)

3. Sign the module you are testing with the created certificate:

cd 'C:\Program Files\WindowsPowerShell\Modules\CertificateDsc'
$scripts = Get-ChildItem -Include '*.ps1', '*.psm1' -Recurse -ErrorAction Stop
foreach ($script in $scripts) {
    try {
        if ((Get-AuthenticodeSignature $script.FullName).Status -eq 'NotSigned') {
            $null = Set-AuthenticodeSignature -Certificate $cert -FilePath $script.FullName
        }
    }
    catch {
        Write-Error $_
    }
}
Set-ExecutionPolicy AllSigned

4. Create and deploy a configuration:

configuration ConfigurationName {
    Import-DscResource -ModuleName CertificateDsc

    node localhost {
        PfxImport 'test' {
            Thumbprint           = 'F63261C9B9C2913BD5F650B5647D557BF3E1FD67'
            Path                 = 'C:\Temp\cert.pfx'
            Location             = 'LocalMachine'
            Store                = 'My'
            Credential           = $pw
            PsDscRunAsCredential = $InstallAccount
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName                    = "localhost"
            PsDscAllowPlainTextPassword = $true
            PsDscAllowDomainUser        = $true
        }
    )
}

$pw = Get-Credential 'CertPassword'
$InstallAccount = Get-Credential domain\installaccount
$null = New-Item c:\Dsc -ItemType Directory
ConfigurationName -configurationData $cd -OutputPath c:\dsc
Start-DscConfiguration -Path C:\Dsc -Wait -Verbose
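Before flipping the policy to AllSigned, it is worth confirming that every file the module will load is signed by the certificate you expect. The following check is an added example, not code from the original post. It assumes the module path and the "CodeSigningTest" subject from the steps above, and it also covers .psd1 manifests, which an AllSigned policy checks on import even though the signing loop in step 3 only handles .ps1 and .psm1 files.

```powershell
# Added example, not from the original post. Reports every script file under
# the module folder whose Authenticode signature is missing, invalid, or from a
# different certificate than the self-signed "CodeSigningTest" certificate.
# $ModulePath and the certificate subject are taken from the reproduction steps.
$ModulePath = 'C:\Program Files\WindowsPowerShell\Modules\CertificateDsc'

$signer = Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object Subject -eq 'CN=CodeSigningTest' |
    Select-Object -First 1
if (-not $signer) {
    throw 'Signing certificate CN=CodeSigningTest not found in Cert:\LocalMachine\My'
}

# .psd1 manifests are included on purpose: AllSigned refuses to import a module
# whose manifest is unsigned, even when the .psm1 next to it is signed.
$report = Get-ChildItem -Path $ModulePath -Include '*.ps1', '*.psm1', '*.psd1' -Recurse |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $thumb
            AsExpected = ($sig.Status -eq 'Valid' -and $thumb -eq $signer.Thumbprint)
        }
    }

$problems = @($report | Where-Object { -not $_.AsExpected })
if ($problems.Count -gt 0) {
    $problems | Format-Table -Property File, Status, Signer -AutoSize
    Write-Warning "$($problems.Count) file(s) would be rejected under AllSigned; fix these before changing the policy."
}
else {
    Write-Host "All $($report.Count) files are validly signed by $($signer.Thumbprint)."
}
```

Run this from an elevated session on the server itself, since the signature check consults the certificate stores of the machine you run it on. A clean report here does not rule out the publisher-trust problem described below: the check runs as the logged-on user, while the LCM runs as SYSTEM and consults that account's stores.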

Troubleshooting

I tried several things to fix the issue:

  1. Copied the certificate to pretty much every store/folder -> No improvement
  2. Checked the signature with Get-AuthenticodeSignature -> Valid signature, still not working

Resolution

Finally, I used Process Monitor to create a trace of the deployment. In that trace I searched for the thumbprint of the certificate and found these items:

[Screenshot: Process Monitor trace filtered on the certificate thumbprint]

Using the Registry Editor, I browsed to "HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates\F63261C9B9C2913BD5F650B5647D557BF3E1FD68", where the certificate was listed. That key is the Untrusted Certificates store of the .DEFAULT user hive, which is the hive the SYSTEM account (and therefore the LCM) uses, so it is consulted when the LCM imports a module but not when a logged-on administrator runs Get-AuthenticodeSignature. After deleting that registry key, I was finally able to deploy the configuration!
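To locate such a distrust entry without a Process Monitor trace, the following script is an added example and not code from the original post. It generalizes the fix above: it searches the Disallowed (Untrusted Certificates) store of the machine, of the current user, and of every user hive loaded under HKEY_USERS, which includes .DEFAULT, the hive the SYSTEM account and therefore the LCM uses. It only reports by default and removes an entry only when called with the -Remove switch; the function name and the thumbprint value are placeholders of my own, not values from the post.

```powershell
# Added example, not from the original post. Finds a certificate in any
# Disallowed (Untrusted Certificates) store the LCM might consult and,
# optionally, removes it through the Cert: and Registry providers instead of
# the Registry Editor. The function name is hypothetical.
function Find-DisallowedCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$Remove
    )
    $Thumbprint = $Thumbprint.ToUpperInvariant()
    $found = [System.Collections.Generic.List[string]]::new()

    # Stores reachable through the certificate provider: the machine store and
    # the store of the user running this script.
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $Thumbprint
        if ($cert) {
            $found.Add($cert.PSPath)
            if ($Remove) { Remove-Item -Path $cert.PSPath }
        }
    }

    # Per-user stores of other profiles are only visible in the registry.
    # HKEY_USERS\.DEFAULT is the hive used by the SYSTEM account, under which
    # the Local Configuration Manager runs, so it is the one that matters here;
    # the loop covers every loaded hive so the location is not guessed.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $key = Join-Path -Path $hive.PSPath -ChildPath "Software\Microsoft\SystemCertificates\Disallowed\Certificates\$Thumbprint"
        if (Test-Path -LiteralPath $key) {
            $found.Add($key)
            if ($Remove) { Remove-Item -LiteralPath $key -Recurse }
        }
    }
    return $found
}

# Usage: report first, then remove once the location has been confirmed.
# 'REPLACE-WITH-SIGNER-THUMBPRINT' is a placeholder for the signing certificate's thumbprint.
$hits = Find-DisallowedCertificate -Thumbprint 'REPLACE-WITH-SIGNER-THUMBPRINT'
if ($hits.Count -eq 0) { 'Certificate is not in any Disallowed store.' } else { $hits }
# Find-DisallowedCertificate -Thumbprint 'REPLACE-WITH-SIGNER-THUMBPRINT' -Remove
```

Run it elevated: the LocalMachine store and the HKEY_USERS\.DEFAULT hive are not writable otherwise. Because the Disallowed store is how Windows records an explicit distrust decision, it is worth finding out how the entry got there (a previous "Do not run" answer to the signing prompt, or a policy push) before removing it, so that it does not reappear on the next configuration run.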
