I’m kind of at a loss at the moment. I’ve been using psadt for a long time now. I don’t exactly have a problem with the tool, I’m sure it’s working. Testing on my private pc - no issues.
I do have a problem on our pc’s in the office, on all of them (where it should be working :’) ). I get the following error, even when running the script manually as an admin, with version 3.8.3, 3.8.2 and now even the same testing with 3.7.0… I can’t figure it out:
PS C:\windows\ccmcache\d> .\Deploy-Application.ps1
C:\windows\ccmcache\d\Deploy-Application.ps1 : Module [C:\windows\ccmcache\d\AppDeployToolkit\AppDeployToolkitMain.ps1] failed to load:
(0) : Source file 'c:\Windows\ccmcache\d\AppDeployToolkit\AppDeployToolkitMain.cs' could not be opened ('Unspecified error ')
At C:\windows\ccmcache\d\AppDeployToolkit\AppDeployToolkitMain.ps1:11132 char:2
+ Add-Type -Path $appDeployCustomTypesSourceCode -ReferencedAssembl ...
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Deploy-Application.ps1
It must be something on the pc’s, but I can’t find it… They’re Win10 1903’s. I haven’t been working here that long so I’m not sure if it’s some policy problem or whatever… I’ve never had this with psadt before.
I don’t think it’s blocked, I’m not getting any messages and there’s nothing in my security dashboard either. But to be sure, I excluded the ccmcache folder temporarily and rebooted. Alas, the result remains the same.
Powershell uses Net Framework and that is pretty much it. The cs file is just a text file with cs code. Not many things can actually break here. But as I have said, some software can detect that this is a code file and block it when accessed.
I’m a little closer. I know what’s causing it, but I can’t seem to “undo it”. As soon as the “Application Control”-GPO is forced on the vm (or workstations), I get the above errors. The thing is, we’re only using Application Control in audit mode. In my opinion this shouldn’t be actively blocking things, but it is!
Now, simply reversing the GPO to disabled (device guard), doesn’t fix things. I even removed the policy file manually from c:\windows\system32\codeintegrity and made sure to create a new policy to disable DeviceGuard. I haven’t found the magic solution yet.
So as I specified in another reply, some months ago we enabled Windows Defender Application Control (WDAC) in Audit Mode. You would expect this setting to do just that, audit. It wasn’t after a long time that I discovered the AppDeployToolkit was no longer functioning so I didn’t immediately think of WDAC as a rootcause.
Anyway, I updated the CI Policies XML file before converting it to a policy, like this:
From MS: This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to Constrained Language Mode. NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, as well as on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on pre-1903 versions of Windows 10 without the 10C or later LCU is not supported and may have unintended results.
From MS: Enables policy enforcement for .NET applications and dynamically-loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above.
I will probably test a little further if maybe I can get away with only adding the first part, or only removing the second part. I might also do some testing with signing the script and not do any of the above steps. But anyway, I’m happy I finally found the root-cause and I hope this post can help someone in the future!