PowerShell scripts are no longer executed. TamperProtection Failure
I have an environment with about 150 Windows 10 notebooks that are AAD joined and fully managed by Intune.
PowerShell Platform Scripts are used on the devices to perform various configurations. The PowerShell scripts are all executed in the user context “Run this script using the logged on credentials” and without signature check (Enforce script signature check=no).
On 08/12/2024 a new PowerShell script was configured which is not executed successfully on all devices. The status of the majority of devices is “Unknown”. However, there are devices on which it is executed successfully, status “Succeeded”.
Another PowerShell script was configured for testing, which only logs the device IP address in a local log file. This script behaves in the same way: the majority of the devices report status “Unknown”, while others report “Succeeded”. It is always the same devices on which the script is executed or not.
The following error message can be found in the Intunemanagementextension.log on the devices with status “Unknown”:
<![LOG[[TamperProtection] Enforcement mode = Enforcement2. PolicyType = 6. Running checks.]LOG]!><time="15:35:51.2966252" date="8-13-2024" component="IntuneManagementExtension" context="" type="1" thread="69" file="">
<![LOG[[TamperProtection] Blob embedded certs:DigiCert Global Root G2:DigiCert Global Root G2|08/01/2013 14:00:00|01/15/2038 13:00:00|DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Microsoft Azure RSA TLS Issuing CA 07:DigiCert Global Root G2|06/08/2023 02:00:00|08/26/2026 01:59:59|3382517058A0C20228D598EE7501B61256A76442
SideCarSignCert.manage.microsoft.com:Microsoft Azure RSA TLS Issuing CA 07|02/09/2024 09:58:06|02/03/2025 09:58:06|A2553C3CDEE7BF3BF85EE30C4AB9CC819EB84D2C
]LOG]!><time="15:35:51.2966252" date="8-13-2024" component="IntuneManagementExtension" context="" type="1" thread="69" file="">
<![LOG[[TamperProtection] (Failure) AccountId:<removed-for-security>,PolicyId:<removed-for-security>,Type:6,Enforce: Enforcement2. OSVersion:10.0.19045,AgentVersion:1.64.106.0. Additional validation failure:[Cert number 0]: [Validator SubjectNameIssuerStringMatchValidator]: [Field: SubjectName] Success
[Field: IssuerName] Did not match pre-trust list. Incoming value: Microsoft Azure RSA TLS Issuing CA 07
[Cert number 1]: [Validator SubjectNameIssuerStringMatchValidator]: [Field: SubjectName] Did not match pre-trust list. Incoming value: Microsoft Azure RSA TLS Issuing CA 07
[Field: IssuerName] Success
The script is not executed. The error is logged accordingly under HKEY_LOCAL_MACHINE\software\microsoft\intunemanagementextension\Policies.
An intensive internet search has not yet yielded anything. It would be great if someone has an idea.
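A triage helper for exactly this log, added here as an example and not part of the original post: it parses the CMTrace-format records in IntuneManagementExtension.log and flattens every [TamperProtection] (Failure) record into one row per certificate field check, so the "Did not match pre-trust list" issuer can be grouped across devices. The sample log below is constructed from the records quoted above; the path in the comment is the standard IME log location.

```powershell
function Get-ImeTamperProtectionFailure {
    param([Parameter(Mandatory)][string]$LogText)

    # One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." ...>
    $recordRx = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"'
    # Within a failure message, each cert block starts "[Cert number N]: [Validator X]:"
    $certRx   = [regex]'(?s)\[Cert number (?<n>\d+)\]: \[Validator (?<validator>\w+)\]:(?<body>.*?)(?=\[Cert number \d+\]|$)'
    # Each check is "[Field: Name] <result text to end of line>"
    $fieldRx  = [regex]'\[Field: (?<field>\w+)\]\s*(?<result>[^\r\n]+)'

    foreach ($rec in $recordRx.Matches($LogText)) {
        $msg = $rec.Groups['msg'].Value
        if ($msg -notmatch '^\[TamperProtection\] \(Failure\)') { continue }
        $agent = if ($msg -match 'AgentVersion:([\d.]+)') { $Matches[1] } else { $null }
        foreach ($cert in $certRx.Matches($msg)) {
            foreach ($f in $fieldRx.Matches($cert.Groups['body'].Value)) {
                $result = $f.Groups['result'].Value.Trim()
                [pscustomobject]@{
                    Date          = $rec.Groups['date'].Value
                    Time          = $rec.Groups['time'].Value
                    AgentVersion  = $agent
                    Cert          = [int]$cert.Groups['n'].Value
                    Validator     = $cert.Groups['validator'].Value
                    Field         = $f.Groups['field'].Value
                    Passed        = ($result -eq 'Success')
                    IncomingValue = if ($result -match 'Incoming value: (.+)$') { $Matches[1] } else { $null }
                }
            }
        }
    }
}

# Constructed sample modelled on the records quoted in the post (ids redacted).
$sampleLog = @'
<![LOG[[TamperProtection] Enforcement mode = Enforcement2. PolicyType = 6. Running checks.]LOG]!><time="15:35:51.2966252" date="8-13-2024" component="IntuneManagementExtension" context="" type="1" thread="69" file="">
<![LOG[[TamperProtection] (Failure) AccountId:<removed>,PolicyId:<removed>,Type:6,Enforce: Enforcement2. OSVersion:10.0.19045,AgentVersion:1.64.106.0. Additional validation failure:[Cert number 0]: [Validator SubjectNameIssuerStringMatchValidator]: [Field: SubjectName] Success
[Field: IssuerName] Did not match pre-trust list. Incoming value: Microsoft Azure RSA TLS Issuing CA 07
[Cert number 1]: [Validator SubjectNameIssuerStringMatchValidator]: [Field: SubjectName] Did not match pre-trust list. Incoming value: Microsoft Azure RSA TLS Issuing CA 07
[Field: IssuerName] Success]LOG]!><time="15:35:51.2966252" date="8-13-2024" component="IntuneManagementExtension" context="" type="1" thread="69" file="">
'@

# On a device, read the real log instead of the sample:
# $sampleLog = Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Raw
Get-ImeTamperProtectionFailure -LogText $sampleLog |
    Where-Object { -not $_.Passed } |
    Format-Table Date, Time, Cert, Field, IncomingValue, AgentVersion -AutoSize
```

Piping the output to Export-Csv from each device gives a per-fleet view of which issuer string fails the pre-trust list and on which agent version, which separates the "Unknown" devices from the "Succeeded" ones by evidence rather than by status alone.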