MECM - CMPIVOT issue with Device Guard Enforced

2022-10-25T17:15:38.863+00:00

Hello,
I have WDAC and AppLocker in enforced mode in my environment, and I'm having problems with SCCM's CMPIVOT. In enforced mode CMPIVOT does not work. I have already inserted the cmpivot.exe certificate in Trusted Publishers, but it still doesn't work. When moving the machine to audit mode CMPIVOT works normally. Someone with the same problem?

I already did the procedure below
MPivot and the Microsoft Edge installer are currently signed with the Microsoft Code Signing PCA 2011 certificate. If you set PowerShell execution policy to AllSigned, then you need to make sure that devices trust this signing certificate. You can export the certificate from a computer where you've installed the Configuration Manager console. View the certificate on "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the code signing certificate from the certification path. Then import it to the machine's Trusted Publishers store on managed devices. You can use the process in the following blog, but make sure to export the code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using Intune.

Microsoft Configuration Manager
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Jason Sandys 31,186 Reputation points Microsoft Employee
    2022-10-25T20:48:04.223+00:00

    Going to need more info here.

    I have WDAC and AppLocker in enforced mode in my environment,

    Why both and what exactly do you have configured policy wise? What exactly do the event logs say when the PowerShell script is blocked on the endpoint?


  2. Jason Sandys 31,186 Reputation points Microsoft Employee
    2022-10-26T15:19:04.083+00:00

    Based on this, I think your assessment is correct although to the best of my knowledge, if the signing cert for the script is trusted, this shouldn't be an issue.

    Where exactly did you add the signing cert as a trusted publisher? On the targeted client system in its machine store?