Feb 15 2022 08:20 AM
I have a powershell script, which has been digitally signed and uploaded to the files repository for usage within a 365 Defender Live Response Session.
The powershell script just runs these three commands:
I can run the script with no issues from my local machine as a regular user with no elevated privs.
If I initiate a Live Response session and run the file on the device, I receive the following:
. : AuthorizationManager check failed.
At line:1 char:818
+ ... 27}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threa ...
+ CategoryInfo : SecurityError: (:) , PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
You would think that owning the Security Administrator Role would permit running the script?
Any clues would be greatly appreciated.
Mar 09 2022 04:23 PM - edited Mar 09 2022 04:23 PM (Solution)
I had the exact same issue. I had my code signing certificate installed in the current user's "Trusted Publishers" so I could both sign my script and run my script in PowerShell. But when I tried to run the script in Live Response, it gave me the "AuthorizationManager check failed" error.
The code signing certificate needs to be installed into Local Computer/Trusted Publishers. The Live Response shell runs as SYSTEM, and it needs to see your code signing certificate in order to trust the PowerShell script. I'm still testing, but it sounds like you need to push out your code signing certificate to Local Computer/Trusted Publishers for your entire fleet. (Make sure when you export your code signing certificate to NOT include your private key, otherwise your certificate could be used by others to sign code.)
I assumed that getting a code signing certificate from a trusted CA meant I wouldn't have to install my certificate on all computers but that doesn't appear to be the case.
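The procedure in the answer above, written out as an added PowerShell example (this is not code from the thread or from Microsoft). It pulls the signer certificate straight from the signed script, exports only the public part, shows whether the signer is trusted in the CurrentUser or the LocalMachine store, imports it into LocalMachine\TrustedPublisher, and re-checks the signature. The script path and export location are assumptions; run it in an elevated PowerShell on the target device, or use the exported .cer with your GPO/Intune certificate deployment for the whole fleet.

```powershell
# Added example, not from the original thread. Paths below are assumptions.
$ScriptPath = 'C:\Scripts\LiveResponse-Collect.ps1'   # assumed: your signed script
$CerPath    = 'C:\Temp\CodeSigning-Public.cer'         # assumed: export location

# 1. Read the signer certificate from the signed script itself, so the
#    exported .cer is exactly the certificate the Authenticode signature names.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if (-not $sig.SignerCertificate) {
    throw "Script is not signed: $($sig.Status) $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate
Write-Host "Signer: $($signer.Subject) ($($signer.Thumbprint))"

# 2. Export the PUBLIC certificate only (DER-encoded .cer). Export-Certificate
#    never writes the private key; Export-PfxCertificate would, so it is not
#    what you ship to the fleet.
$signer | Export-Certificate -FilePath $CerPath -Type CERT -Force | Out-Null

# 3. Show where the signer is trusted today. A CurrentUser\TrustedPublisher
#    entry belongs to your profile only; a SYSTEM shell such as Live Response
#    never sees it, which is why the script runs for you but not in the session.
foreach ($scope in 'CurrentUser', 'LocalMachine') {
    $present = Test-Path "Cert:\$scope\TrustedPublisher\$($signer.Thumbprint)"
    Write-Host ("TrustedPublisher ({0}): {1}" -f $scope, $present)
}

# 4. Import into the machine-wide store (requires elevation).
Import-Certificate -FilePath $CerPath `
    -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 5. Re-check: the signature should report Valid and the signer must now be
#    present in the machine store. Running this step as SYSTEM (for example
#    via PsExec -s) mirrors what the Live Response shell will see.
$check   = Get-AuthenticodeSignature -FilePath $ScriptPath
$trusted = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($signer.Thumbprint)"
Write-Host ("Signature status: {0}; publisher trusted machine-wide: {1}" -f $check.Status, $trusted)
```

Two checks worth keeping in mind: the machine store must also trust the issuing chain (LocalMachine\Root and, for a subordinate CA, LocalMachine\CA), which a domain PKI normally handles through Group Policy but which is separate from the Trusted Publishers entry, and the certificate that goes into TrustedPublisher is the signing (leaf) certificate, not the CA certificate.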
Mar 10 2022 12:34 AM
@TheDilly Thanks, I'll check that. However, the signing cert I have used is from a fully correct subordinate CA from the domain PKI, so it should already be fully trusted on all machines in the domain.