cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Running a powershell script through a live response session

CodnChips
Brass Contributor

‎Feb 15 2022 08:20 AM

‎Feb 15 2022 08:20 AM

Running a powershell script through a live response session

I have a powershell script, which has been digitally signed and uploaded to the files repository for usage within a 365 Defender Live Response Session.

The powershell script just runs these three commands:

Get-MpComputerStatus
Get-MpThreat
Get-MpPreference

I can run the script with no issues from my local machine as a regular user with no elevated privs.

 

If I initiate a Live Response session and run the file on the device, I receive the following:

 

Errors:
. : AuthorizationManager check failed.
At line:1 char:818
+ ... 27}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess

 

You would think that owning the Security Administrator Role would permit running the script?

Any clues would be greatly appreciated.

Many thanks

9,687 Views
0 Likes
12 Replies
Reply
12 Replies
CodnChips

‎Feb 15 2022 09:10 AM

‎Feb 15 2022 09:10 AM

Re: Running a powershell script through a live response session

I've just found this, which may be the answer:
The AuthorizationManager check failed error can be thrown when importing modules or running scripts that were downloaded from the internet on Windows. You can use the Unblock-File cmdlet to ensure that the file can be run.
0 Likes
Reply
CodnChips

‎Feb 15 2022 09:17 AM

‎Feb 15 2022 09:17 AM

Re: Running a powershell script through a live response session

Commands are really limited during that session so don't think unlock command will work. Because it's been digitally signed, it should be trusted therefore renders that moot
0 Likes
Reply
Jonhed

‎Feb 15 2022 10:03 AM

‎Feb 15 2022 10:03 AM

Re: Running a powershell script through a live response session

Is the certificate of authority used for the digital signing trusted on the device in question?
0 Likes
Reply
af-00001

‎Mar 04 2022 07:02 AM

‎Mar 04 2022 07:02 AM

Re: Running a powershell script through a live response session

I'm facing exactly the same issue, and yet to find the solution. signed script works perfectly when run locally, however running the same script on the same machine via live response. fails with the same error - "AuthorizationManager check failed"
0 Likes
Reply
CodnChips

‎Mar 04 2022 09:13 AM

‎Mar 04 2022 09:13 AM

Re: Running a powershell script through a live response session

Hey @Jonhed
Thanks for responding. Yes, the server that signed is the domain certserv - loved by all!! :rolling_on_the_floor_laughing:
0 Likes
Reply
CodnChips

‎Mar 04 2022 09:18 AM

‎Mar 04 2022 09:18 AM

Re: Running a powershell script through a live response session

Hi @af-00001
Ok, well at least that’s two of us in the same boat! I haven’t found a solution yet, which is really annoying - you’d think if can run via a non-admin user, it should be able to run via the trusted connection. I hope someone from MS eventually see’s this and can offer some help\wisdom
0 Likes
Reply
CodnChips

‎Mar 04 2022 09:21 AM

‎Mar 04 2022 09:21 AM

Re: Running a powershell script through a live response session

On monday I’m going to see if I can permit the file through 365 Defender
0 Likes
Reply
best response confirmed by CodnChips (Brass Contributor)
TheDilly

‎Mar 09 2022 04:23 PM - edited ‎Mar 09 2022 04:23 PM

‎Mar 09 2022 04:23 PM - edited ‎Mar 09 2022 04:23 PM

Solution

Re: Running a powershell script through a live response session

I had the exact same issue. I had my code signing certificate installed in the current user's "Trusted Publishers" so I could both sign my script and run my script in Powershell. But when I tried to run the script in Live Response, it gave me the "AuthorizationManager check failed" error.

The code signing certificate needs to be installed into Local Computer/Trusted Publishers. Live Response shell runs as SYSTEM, and it needs to see your code signing certificate in order to trust the Powershell script. I'm still testing, but it sounds like you need to push out your code signing certificate to Local Computer/Trusted Publishers for your entire fleet. (Make sure when you export your code signing certificate to NOT include your private key, otherwise your certificate could be used by others to sign code)

I assumed that getting a code signing certificate from a trusted CA meant I wouldn't have to install my certificate on all computers but that doesn't appear to be the case.

1 Like
Reply
af-00001

‎Mar 10 2022 12:34 AM

‎Mar 10 2022 12:34 AM

Re: Running a powershell script through a live response session

@TheDilly Thanks ill check that. However the signing cert I have used if a fully correct suburbanite CA from the domain PKI.  So should already be fully trusted on all machines in the domain

0 Likes
Reply
TheDilly

‎Mar 10 2022 11:09 AM

‎Mar 10 2022 11:09 AM

Re: Running a powershell script through a live response session

Mine is too. I assumed that since all the computers in the domain trust the CA I got the code signing certificate from, everyone would trust my certificate. But that doesn't appear to be the case.

The Scripting Guy lays out the step by step when using an internal PKI:
https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts...
https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts...

And I also reached out to Microsoft Support about the "AuthorizationManager check failed" and they told me to put the certificate in the Trusted Publisher store for the Local Machine. It did solve the problem.

So why use a trusted CA if we have to distribute the certificate anyway?
0 Likes
Reply
af-00001

‎Mar 14 2022 09:17 AM

‎Mar 14 2022 09:17 AM

Re: Running a powershell script through a live response session

Thank you!

That solved it for me as well. signing cert needs to be imported directly into trusted publishers.
0 Likes
Reply
CodnChips

‎Mar 14 2022 09:36 AM

‎Mar 14 2022 09:36 AM

Re: Running a powershell script through a live response session

@TheDilly
Thanks so much for your response - this is THE answer! I've tested this today on a single machine and BAM it worked straight away!! This makes forums amazing!
This info & the error displayed should be included in the MS Docus for Defender Live Response.
Thanks again
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by CodnChips (Brass Contributor)
TheDilly

‎Mar 09 2022 04:23 PM - edited ‎Mar 09 2022 04:23 PM

‎Mar 09 2022 04:23 PM - edited ‎Mar 09 2022 04:23 PM

Solution

Re: Running a powershell script through a live response session

I had the exact same issue. I had my code signing certificate installed in the current user's "Trusted Publishers" so I could both sign my script and run my script in Powershell. But when I tried to run the script in Live Response, it gave me the "AuthorizationManager check failed" error.

The code signing certificate needs to be installed into Local Computer/Trusted Publishers. Live Response shell runs as SYSTEM, and it needs to see your code signing certificate in order to trust the Powershell script. I'm still testing, but it sounds like you need to push out your code signing certificate to Local Computer/Trusted Publishers for your entire fleet. (Make sure when you export your code signing certificate to NOT include your private key, otherwise your certificate could be used by others to sign code)

I assumed that getting a code signing certificate from a trusted CA meant I wouldn't have to install my certificate on all computers but that doesn't appear to be the case.

View solution in original post

1 Like
Reply