This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 54%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello,
I have WDAC and AppLocker in enforced mode in my environment, and I'm having problems with SCCM's CMPIVOT. In enforced mode CMPIVOT does not work. I have already inserted the cmpivot.exe certificate in Trusted Publishers, but it still doesn't work. When moving the machine to audit mode CMPIVOT works normally. Someone with the same problem?
I already did the procedure below
MPivot and the Microsoft Edge installer are currently signed with the Microsoft Code Signing PCA 2011 certificate. If you set PowerShell execution policy to AllSigned, then you need to make sure that devices trust this signing certificate. You can export the certificate from a computer where you've installed the Configuration Manager console. View the certificate on "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the code signing certificate from the certification path. Then import it to the machine's Trusted Publishers store on managed devices. You can use the process in the following blog, but make sure to export the code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using Intune.
Going to need more info here.
I have WDAC and AppLocker in enforced mode in my environment,
Why both and what exactly do you have configured policy wise? What exactly do the event logs say when the PowerShell script is blocked on the endpoint?
Hi Jason,
My policy is configured this rules:
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:Managed Installer</Option>
</Rule>
<Rule>
<Option>Enabled:Update Policy No Reboot</Option>
</Rule>
</Rules>
In CMPIVOT
In the logs no show error this blocked but looks like a problem to me with powershell Constrained Language Mode. When computer moved to Audit mode CMPIVOT is OK.
My Log event viewer in attach
Based on this, I think your assessment is correct although to the best of my knowledge, if the signing cert for the script is trusted, this shouldn't be an issue.
Where exactly did you add the signing cert as a trusted publisher? On the targeted client system in its machine store?
Hi Jason ,
I exported certificate from "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and import it to the machine's Trusted Publishers store on managed devices.
Thanks
Can you validate that the cert used to sign cmpivot.exe is the same as the script that is being called on the client -- you may have to extract the script from the DB per the quick SQL snippet at https://www.ephingadmin.com/CMPivotRevisited/?