Friday, March 18, 2022

"This publisher is explicitly not trusted on your system" when using AllSigned Execution Policy

Today I have been working with a customer that had the execution policy on all of their servers switched to AllSigned. Since most of the DSC modules are not signed, they signed these modules themselves before deploying them to the servers. Unfortunately, after switching the execution policy to AllSigned, they got this error message:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SERVER1 with user sid S-1-5-21-1847891336-3378225678-3880314678-500.
VERBOSE: [SERVER1]:                            [] Starting consistency engine.
VERBOSE: [SERVER1]:                            [] A pending configuration exists. DSC will process a set request on the pending configuration.
VERBOSE: [SERVER1]:                            [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\CertificateDsc\4.7.0.0\DscResources\MSFT_PfxImport\MSFT_PfxImport.psm1 in force mode.
VERBOSE: [SERVER1]:                            [] Consistency check completed.
Importing module MSFT_PfxImport failed with error - File C:\Program Files\WindowsPowerShell\Modules\CertificateDsc\4.7.0.0\DscResources\MSFT_PfxImport\MSFT_PfxImport.psm1 is published by CN=CodeSigningTest. This publisher is explicitly not trusted on your system. The script will not run on the system. For more information, run the command "get-help about_signing". LCM failed to start desired state configuration manually.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : ImportModuleFailed
    + PSComputerName        : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.177 seconds

Reproduction

I was able to reproduce the issue on my own test environment by following these steps:
1. Create a new self-signed code-signing certificate by using the following command:
$cert = New-SelfSignedCertificate -FriendlyName "CodeSigningTest" -CertStoreLocation Cert:\LocalMachine\My -Subject "CodeSigningTest" -Type CodeSigningCert
2. Open certlm.msc and copy the created certificate from "Personal\Certificates" to "Trusted Root Certification Authorities\Certificates" (making sure the entire certificate chain is trusted).

3. Sign the module you are testing with the created certificate:
cd 'C:\Program Files\WindowsPowerShell\Modules\CertificateDsc'
# Collect every script and module file in the DSC module, recursively
$scripts = Get-ChildItem -Include '*.ps1', '*.psm1' -Recurse -ErrorAction Stop
foreach ($script in $scripts)
{
    try
    {
        # Only sign files that do not carry a signature yet
        if ((Get-AuthenticodeSignature $script.FullName).Status -eq 'NotSigned')
        {
            $null = Set-AuthenticodeSignature -Certificate $cert -FilePath $script.FullName
        }
    }
    catch
    {
        Write-Error $_
    }
}
# Require a valid signature from a trusted publisher on every script and module
Set-ExecutionPolicy AllSigned

4. Create and deploy a configuration:

configuration ConfigurationName
{
    Import-DscResource -ModuleName CertificateDsc

    node localhost
    {
        PfxImport 'test'
        {
            Thumbprint           = 'F63261C9B9C2913BD5F650B5647D557BF3E1FD67'
            Path                 = 'C:\Temp\cert.pfx'
            Location             = 'LocalMachine'
            Store                = 'My'
            Credential           = $pw
            PsDscRunAsCredential = $InstallAccount
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = "localhost"
            PsDscAllowPlainTextPassword = $true
            PsDscAllowDomainUser = $true
        }
    )
}

$pw = Get-Credential 'CertPassword'
$InstallAccount = Get-Credential domain\installaccount

$null = New-Item c:\Dsc -ItemType Directory
ConfigurationName -configurationData $cd -OutputPath c:\dsc

Start-DscConfiguration -Path C:\Dsc -Wait -Verbose
Troubleshooting

I tried several things to fix the issue:

  1. Copied the certificate to pretty much every store/folder -> No improvement
  2. Checked the signature with Get-AuthenticodeSignature -> Valid signature, still not working

Resolution

Finally I used Process Monitor to create a trace of the deployment. In that trace I searched for the thumbprint of the certificate and found these items:

[Screenshot: Process Monitor trace filtered on the certificate thumbprint]

Using the Registry Editor, I browsed to "HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates\F63261C9B9C2913BD5F650B5647D557BF3E1FD68" and found the certificate listed there, in the Disallowed (Untrusted Certificates) store of that profile. After deleting that registry key, I was finally able to deploy the configuration!
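To check a signer's trust state without first taking a Process Monitor trace, here is an added example (not part of the original post) that looks a thumbprint up in the Disallowed stores, including the HKEY_USERS\.DEFAULT registry path found above, which the Cert:\CurrentUser drive of an admin's own session does not show; the function name and the module path at the end are assumptions.

```powershell
# Added example, not from the original post. Reports whether a code-signing
# certificate thumbprint is present in any Disallowed ("Untrusted Certificates")
# store on this machine. Run elevated so HKEY_USERS\.DEFAULT can be read.
function Test-DisallowedSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Normalise: the registry key names are upper-case hex without spaces
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $hits = @()

    # 1. Stores visible through the certificate provider for this session
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        $match = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($match) { $hits += $store }
    }

    # 2. Registry view, which also covers the .DEFAULT profile hive that the
    #    Cert: drive does not expose from an interactive admin session
    $regPaths = @(
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates',
        'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates',
        'HKCU:\Software\Microsoft\SystemCertificates\Disallowed\Certificates'
    )
    foreach ($path in $regPaths) {
        $key = Join-Path -Path $path -ChildPath $Thumbprint
        if (Test-Path -Path $key) { $hits += $key }
    }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Disallowed = ($hits.Count -gt 0)
        Locations  = $hits
    }
}

# Usage: take the signer straight from a signed module file (path assumed)
$module = 'C:\Program Files\WindowsPowerShell\Modules\CertificateDsc\4.7.0.0\DscResources\MSFT_PfxImport\MSFT_PfxImport.psm1'
$sig = Get-AuthenticodeSignature -FilePath $module
if ($null -eq $sig.SignerCertificate) {
    Write-Warning "$module is not signed"
}
else {
    Test-DisallowedSigner -Thumbprint $sig.SignerCertificate.Thumbprint | Format-List
}
```

A result with Disallowed set to True and a Locations entry under HKEY_USERS\.DEFAULT is the situation described in this post; an entry under Cert:\LocalMachine\Disallowed would instead show up in certlm.msc under "Untrusted Certificates".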

Posted at https://sl.advdat.com/3ubLuJJ