11 Replies Latest reply on Apr 22, 2016 11:02 AM by Mark.Fanslow

    Powershell Package Not Working

    ugatiff Rookie

      Hi folks,

       

      We've created a PowerShell package and haven't been able to get it to work on any of our machines EXCEPT my laptop.

       

      We've already tested policy execution, and on machines that have the same PowerShell execution policy set, the script works on my laptop but not on my test desktop.

       

      Both devices have the same policies applied to them and have the same account and group settings and permissions.  I've checked a lot of other items looking for what the key difference is and I'm stumped.  Any clues about what else I should look at?

        • 1. Re: Powershell Package Not Working
          steve.may Apprentice

          Are you getting any error information when it fails?  Have you checked the log files on the client and the core?

          • 2. Re: Powershell Package Not Working
            ugatiff Rookie

            The task is reporting as successful for both computers.  The desktop seems to be kicking off the powershell script fine but it's not actually completing the task it should.

             

            The only notable error in the log is "PowerShell script output: AuthorizationManager check failed.", which seems to indicate that there's a problem with the Execution Policy, but I've confirmed the script will run just fine if I trigger it manually.

            • 3. Re: Powershell Package Not Working
              MarXtar ITSMMVPGroup

              Under what credentials are you launching this? By default LANDESK will use Local System and that could be affecting things. Have you tried running it as the logged in user or specifying an account?

               

              Also check this: How to open a command prompt running as Microsoft's "Local System" account

               

              It can help in checking what will happen if something is launched via Local System.

               

              Mark McGinn

              MarXtar Ltd/MarXtar Corporation

              http://landeskone.marxtar.co.uk

              LANDESK One Development Partner

               


              • 4. Re: Powershell Package Not Working
                steve.may Apprentice

                Does it run properly if you manually run the PowerShell script on the system from a command prompt?  You might be able to see the actual error better that way.

                 

                Out of curiosity, are these 64bit or 32bit machines?

                • 5. Re: Powershell Package Not Working
                  ugatiff Rookie

                  Should have included the exact error from the sdclient task logs:

                   

                  Mon, 18 Apr 2016 17:12:59 PowerShell script output: AuthorizationManager check failed.

                  At line:1 char:6
                  + & { . <<<<  '\\server\share\myscript.ps1'; exit $LASTEXITCODE }
                      + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
                      + FullyQualifiedErrorId : RuntimeException

                   

                  It does run fine when I run the following from an elevated command prompt:

                   

                  %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -file "\\server\share\myscript.ps1"

                   

                  Also runs fine if I add -noninteractive to the command prompt.  We also pushed a batch script out with that and it ran fine and worked correctly as well so we have a workaround for the immediate issue but I'm trying to explore why it worked on one machine and not all our others (so we can hopefully get future scripts working on them all as this is typical of other scripts we've tried).

                   

                  They're both 64-bit machines running Win 7.

                  • 6. Re: Powershell Package Not Working
                    Mark.Fanslow Rookie

                    I have the same exact issue but with 32-bit Win 7 machines.

                     

                    So far we have chased after Execution Policy and signing the PowerShell Script with no change.  Script runs fine locally but through LANDESK PowerShell Package we still get  "AuthorizationManager check failed.".

                     

                    We even populated the PowerShell $profile to make certain that wasn't the reason: http://www.remkoweijnen.nl/blog/2012/03/15/authorizationmanager-check-failed-when-starting-powershell/

                    • 7. Re: Powershell Package Not Working
                      PeterN SupportEmployee

                      Hi,

                       

                      The error suggests that this is still an Execution Policy issue.

                       

                      Do you have the policy set by GPO? Does the laptop receive it?

                       

                      Are the working machines using a different architecture for PowerShell? What is the Execution Policy set to on that laptop? I would check it (Get-ExecutionPolicy) on both a 32bit and 64bit PowerShell session to see if they differ.

                       

                      To my knowledge the Execution Policy settings for 32bit vs 64bit are stored in different locations in the registry:

                       

                      HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

                      vs

                      HKLM\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
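
An added example, not part of the thread or of LANDESK: a diagnostic for the 32-bit versus 64-bit comparison suggested in reply 7. It prints the execution policy at every scope for both PowerShell hosts under whichever account runs it; the `LocalMachine` row reflects the two registry locations quoted above. The `Sysnative` branch assumes the script may be started from a 32-bit process on 64-bit Windows.

```powershell
# Added example, not from the thread. Prints the execution policy that each
# PowerShell host (64-bit and 32-bit) resolves for the CURRENT account.
# Run it once interactively and once under the account the task uses.

$rel     = 'WindowsPowerShell\v1.0\powershell.exe'
$psHosts = @()

if ($env:PROCESSOR_ARCHITEW6432) {
    # 32-bit caller on 64-bit Windows: System32 is redirected to SysWOW64,
    # so the 64-bit host is only reachable through the Sysnative alias.
    $psHosts += New-Object PSObject -Property @{ Bits = 64; Path = "$env:windir\Sysnative\$rel" }
    $psHosts += New-Object PSObject -Property @{ Bits = 32; Path = "$env:windir\SysWOW64\$rel" }
} elseif ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
    # 64-bit caller: System32 is the native host, SysWOW64 the 32-bit one.
    $psHosts += New-Object PSObject -Property @{ Bits = 64; Path = "$env:windir\System32\$rel" }
    $psHosts += New-Object PSObject -Property @{ Bits = 32; Path = "$env:windir\SysWOW64\$rel" }
} else {
    # 32-bit Windows has a single host.
    $psHosts += New-Object PSObject -Property @{ Bits = 32; Path = "$env:windir\System32\$rel" }
}

# Command run inside each host: the effective policy, then the per-scope list
# (MachinePolicy and UserPolicy are the Group Policy scopes).
$probe = "'Effective: ' + (Get-ExecutionPolicy); " +
         "Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String"

"Account: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($h in $psHosts) {
    "--- {0}-bit host: {1}" -f $h.Bits, $h.Path
    if (Test-Path -LiteralPath $h.Path) {
        # -NoProfile keeps profile scripts out of the comparison.
        & $h.Path -NoProfile -NonInteractive -Command $probe
    } else {
        "    host not found"
    }
}
```

Comparing the output from an interactive session with the output captured when the same script runs under the deployment account shows whether the two contexts resolve different policies.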

                      • 8. Re: Powershell Package Not Working
                        wcoffey SupportEmployee

                        Hi ugatiff, in your PowerShell distribution package | Install/Uninstall options, add the following to bypass the execution policy: "Set-ExecutionPolicy -ExecutionPolicy bypass". The bypass parameter temporarily allows the execution. Also, I recommend adding the following syntax in your script for better error handling: if ($? -ne $true) { exit 1 }

                        • 9. Re: Powershell Package Not Working
                          Mark.Fanslow Rookie

                          My Execution Policy is set to RemoteSigned and the script being deployed through LANDESK is signed by a trusted publisher.

                           

                          I did end up getting this to work though. 

                           

                          On the PowerShell Package properties>Accounts:

                          Select "Current user's account."

                           

                          On the Scheduled Task>Task Settings>Download options:

                          Select "Download and execute"

                          • 10. Re: Powershell Package Not Working
                            ugatiff Rookie

                            markf@skechers.com wrote:

                             

                            My Execution Policy is set to RemoteSigned and the script being deployed through LANDESK is signed by a trusted publisher.

                             

                            I did end up getting this to work though.

                             

                            On the PowerShell Package properties>Accounts:

                            Select "Current user's account."

                             

                            On the Scheduled Task>Task Settings>Download options:

                            Select "Download and execute"

                            I made these changes and the package runs, but it's no longer non-interactive - it pops up the PowerShell window and has a UAC prompt.

                             

                            PeterN - I manually set the execution policy for both the 32 and 64 bit.  Perhaps it's just setting it at the user level and that's why modifying the package to run as the logged in user works?  Although that seems unlikely as the noted registry changes are in HKLM and not Current User.

                            • 11. Re: Powershell Package Not Working
                              Mark.Fanslow Rookie

                              I am having a similar experience as you are concerning "no longer non-interactive".  Most of this is due to the inability to spawn PowerShell with any switches (-windowstyle hidden and etc).  I am going to cave in and use a .bat file to do so for me.  I might also use this method of minimizing the time the prompt stays on the screen:  http://jeffwouters.nl/index.php/2015/09/howto-hide-a-powershell-prompt/

                              This person suggests adding:

                              Add-Type -Name win -MemberDefinition '[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);' -Namespace native

                              [native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle,0)

                               

                              I can open PowerShell and navigate to the LANDESK packages share and run the script successfully.  This is why I am having difficulty thinking it is an Execution Policy issue.

                               

                              Possibly useless information below:

                              -------------------------------------------------------------------------------------------------------------------------------------------------------------------

                              That being said, I am having difficulty getting a "real" description of RemoteSigned.

                              How does the RemoteSigned execution policy work? | Windows PowerShell Blog

                              Above is the oft referenced explanation of RemoteSigned which is summarized nicely by jaykul here: https://security.stackexchange.com/questions/1801/how-is-powershells-remotesigned-execution-policy-different-from-allsigned

                                   "RemoteSigned only requires code-signing on modules/snapins and scripts which are flagged as from the "Internet" zone in the 'Zone.Identifier' alternate data stream, unless you have "Internet Explorer Enhanced Security" activated, in which case it also includes "Intranet" flagged files and UNC paths."

                               

                              The old way of identifying a file's zone identifier used to be "notepad “Get-WhoAmI.ps1:Zone.Identifier”" but no longer works.  Going down the rabbit hole further I see "Get-Item script.ps1 -Stream Zone.Identifier" but that doesn't work either.

                               

                              Which leads me to where I am now...nowhere on the topic.

                               

                              EDIT:  Files created locally will have a distinct lack of Zone Identifier...above is the experience one would have if all content was created locally.  This might explain why unsigned scripts were able to run from the LANDESK share.
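
An added example, not part of the thread: one way to collect what RemoteSigned has to work with for a given script, under whichever account runs it. It reports the zone .NET derives from the path, the `Zone.Identifier` stream if one exists (the `-Stream` parameter needs PowerShell 3.0 or later), the Authenticode status, and whether the signer is in the per-user or machine Trusted Publishers store. The path is the placeholder from reply 5, and `System.Security.Policy.Zone` is only available in Windows PowerShell on .NET Framework.

```powershell
# Added example, not from the thread. Windows PowerShell (.NET Framework) only.
param([string]$Path = '\\server\share\myscript.ps1')   # placeholder path

if (-not (Test-Path -LiteralPath $Path)) { throw "Script not found: $Path" }

$report = New-Object PSObject -Property @{
    Account    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Policy     = (Get-ExecutionPolicy)
    # Zone derived from the path itself; a UNC path lands in Intranet or
    # Internet depending on the machine's zone mapping.
    UrlZone    = [System.Security.Policy.Zone]::CreateFromUrl($Path).SecurityZone
    AdsZone    = $null
    SigStatus  = $null
    SignerInCU = $null
    SignerInLM = $null
}

# Zone.Identifier alternate data stream; locally created files have none.
if ($PSVersionTable.PSVersion.Major -ge 3) {
    try {
        $ads = @(Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop)
    } catch {
        $ads = @()
    }
    $hit = @($ads -match '^ZoneId=')
    $report.AdsZone = if ($hit.Count) { $hit[0] } else { '(no Zone.Identifier stream)' }
} else {
    $report.AdsZone = 'n/a: -Stream needs PowerShell 3.0+'
}

# Signature status and where the signer certificate is trusted as a publisher.
# The CurrentUser store belongs to the account running this script, so the
# answer can differ between a logged-in user and Local System.
$sig = Get-AuthenticodeSignature -FilePath $Path
$report.SigStatus = $sig.Status
if ($sig.SignerCertificate) {
    $tp = $sig.SignerCertificate.Thumbprint
    $report.SignerInCU = Test-Path "Cert:\CurrentUser\TrustedPublisher\$tp"
    $report.SignerInLM = Test-Path "Cert:\LocalMachine\TrustedPublisher\$tp"
}

$report | Format-List Account, Policy, UrlZone, AdsZone, SigStatus, SignerInCU, SignerInLM
```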