PSDesiredStateConfiguration icon indicating copy to clipboard operation
PSDesiredStateConfiguration copied to clipboard
verified publisher icon PowerShell

Import-DSCResource selects "Never run" for class based resources signed by unknown publishers

Open oleesch opened this issue 9 years ago • 1 comments

If the Execution Policy is set to AllSigned and you try to import a class based resource signed by an unknown publisher, Import-DSCResource will opt to "Never run" software from this publisher. Since the default option for the authenticode prompt is "Do not run", this behaviour is unexpected.

"Never run" causes problems in that it will import the certificate in question in to the Disallowed store of the SYSTEM account. This can lead to a lot of manual cleanup work in case a default signing certificate has been missing from the Trusted Publisher store for unrelated reasons. Is this really the intended behaviour? Shouldn't DSC select the default option?

Steps to reproduce

  1. Set Execution Policy to AllSigned
  2. Apply a DSC configuration that imports a class based DSC resource signed by an unknown publisher

Expected behavior

Resource is not imported, using the default option "Do not run".

Actual behavior

Resource is not imported, using the option "Never run".

Environment data

Name Value

PSVersion 5.1.14393.206 PSEdition Desktop PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} BuildVersion 10.0.14393.206 CLRVersion 4.0.30319.42000 WSManStackVersion 3.0 PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1

oleesch avatar Nov 23 '16 08:11 oleesch

@StevenBucher98 can this issue be closed as Import-DSCResource is not in this repository is only for DSC v1?

ThomasNieto avatar Aug 18 '23 15:08 ThomasNieto