Forum Discussion
CodnChips
Feb 15, 2022Brass Contributor
Running a powershell script through a live response session
I have a powershell script, which has been digitally signed and uploaded to the files repository for usage within a 365 Defender Live Response Session. The powershell script just runs these three co...
- Mar 10, 2022
I had the exact same issue. I had my code signing certificate installed in the current user's "Trusted Publishers" so I could both sign my script and run my script in Powershell. But when I tried to run the script in Live Response, it gave me the "AuthorizationManager check failed" error.
The code signing certificate needs to be installed into Local Computer/Trusted Publishers. Live Response shell runs as SYSTEM, and it needs to see your code signing certificate in order to trust the Powershell script. I'm still testing, but it sounds like you need to push out your code signing certificate to Local Computer/Trusted Publishers for your entire fleet. (Make sure when you export your code signing certificate to NOT include your private key, otherwise your certificate could be used by others to sign code)
I assumed that getting a code signing certificate from a trusted CA meant I wouldn't have to install my certificate on all computers but that doesn't appear to be the case.
af-00001
Mar 04, 2022Brass Contributor
I'm facing exactly the same issue, and yet to find the solution. signed script works perfectly when run locally, however running the same script on the same machine via live response. fails with the same error - "AuthorizationManager check failed"
TheDilly
Mar 10, 2022Copper Contributor
I had the exact same issue. I had my code signing certificate installed in the current user's "Trusted Publishers" so I could both sign my script and run my script in Powershell. But when I tried to run the script in Live Response, it gave me the "AuthorizationManager check failed" error.
The code signing certificate needs to be installed into Local Computer/Trusted Publishers. Live Response shell runs as SYSTEM, and it needs to see your code signing certificate in order to trust the Powershell script. I'm still testing, but it sounds like you need to push out your code signing certificate to Local Computer/Trusted Publishers for your entire fleet. (Make sure when you export your code signing certificate to NOT include your private key, otherwise your certificate could be used by others to sign code)
I assumed that getting a code signing certificate from a trusted CA meant I wouldn't have to install my certificate on all computers but that doesn't appear to be the case.
- CodnChipsMar 14, 2022Brass ContributorTheDilly
Thanks so much for your response - this is THE answer! I've tested this today on a single machine and BAM it worked straight away!! This makes forums amazing!
This info & the error displayed should be included in the MS Docus for Defender Live Response.
Thanks again - af-00001Mar 10, 2022Brass Contributor
TheDilly Thanks ill check that. However the signing cert I have used if a fully correct suburbanite CA from the domain PKI. So should already be fully trusted on all machines in the domain
- TheDillyMar 10, 2022Copper ContributorMine is too. I assumed that since all the computers in the domain trust the CA I got the code signing certificate from, everyone would trust my certificate. But that doesn't appear to be the case.
The Scripting Guy lays out the step by step when using an internal PKI:
https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2/
https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/
And I also reached out to Microsoft Support about the "AuthorizationManager check failed" and they told me to put the certificate in the Trusted Publisher store for the Local Machine. It did solve the problem.
So why use a trusted CA if we have to distribute the certificate anyway?- af-00001Mar 14, 2022Brass ContributorThank you!
That solved it for me as well. signing cert needs to be imported directly into trusted publishers.