When you use a custom script as a Detection Method, you can use a PowerShell script. However, if security is a priority in your environment, then setting the ExecutionPolicy for PowerShell scripts to anything other than AllSigned is not an option. This means you have to sign your scripts before running them. Christian has written an excellent blog post about how you can sign your PowerShell scripts.
The problem is that there is a bug in Configuration Manager that breaks signed scripts when you use them as a Detection Method. A regular signed PowerShell script runs fine when it is run as an Application; it is the Detection Method scripts that fail.
The bug has been reported on Microsoft Connect; please upvote it if you have experienced the same (note that you need to be subscribed to Configuration Manager to vote).
Let's say that you have signed your script and the bottom of it looks like this. Notice that it has 77 lines, including a line break at the bottom. That line break is added by the Set-AuthenticodeSignature cmdlet, which you use to sign your scripts.
Now let's insert the script into an Application as a custom Detection Method. I've created an Application and a simple Deployment Type. Open its properties and find the Detection Method tab. I've pasted the script in or opened the file directly; it doesn't matter which. Notice the line break at the bottom.
Notice also that the line count has changed to 71 as we hit OK, so some whitespace and line breaks are obviously being dropped. Now click Apply and OK so that you are back in the ConfigMgr console. Go back into the Application and check the Deployment Type again. Surprise, surprise: the line break at the bottom is gone. By PowerShell's standards this script no longer has a valid signature and will not run.
Now, to prove that it is ConfigMgr that is dropping this line break and that the script otherwise works, go to the Detection Method tab for your application and copy the code into a file on a test client. Notice that the line break at the bottom is gone, and that the number of lines is one less than the original: the original had 77 lines and this one has 76.
Run the script. It will give you the error about the script not being digitally signed.
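To check this on a test client without eyeballing the editor, the following PowerShell (an added example, not code from the original post) reports whether a script file still ends with a line break, counts its lines the way an editor does (a trailing break counts as an extra empty line), and asks Get-AuthenticodeSignature what it thinks of the signature. A second function repeats the check on a temporary copy with CRLF appended, so you can tell whether the stripped line break is the only thing that changed. The path C:\Scripts\Detect-App.ps1 is a placeholder.

```powershell
# Added example (not from the original post). Inspect a signed script that was
# exported from the ConfigMgr Detection Method tab and compare it with a copy
# that has its trailing line break restored.

function Test-SignedScriptTrailingNewline {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Work on raw bytes so that Get-Content's own newline handling does not hide the difference.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $endsWithNewline = ($bytes.Length -gt 0) -and ($bytes[$bytes.Length - 1] -eq 0x0A)

    # Editor-style count: one line per LF, plus the (possibly empty) line after the last LF.
    $lfCount = @($bytes | Where-Object { $_ -eq 0x0A }).Count
    $editorLineCount = $lfCount + 1

    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        EditorLineCount = $editorLineCount
        EndsWithNewline = $endsWithNewline
        SignatureStatus = $sig.Status         # Valid, HashMismatch, NotSigned, ...
        StatusMessage   = $sig.StatusMessage
    }
}

function Test-SignatureAfterRestoringNewline {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Never rewrite the file the console handed out; append CRLF to a temporary copy instead.
    $copy = Join-Path ([System.IO.Path]::GetTempPath()) ('restored-' + [System.IO.Path]::GetFileName($Path))
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $crlf  = [byte[]](0x0D, 0x0A)
    [System.IO.File]::WriteAllBytes($copy, [byte[]]($bytes + $crlf))

    try {
        Test-SignedScriptTrailingNewline -Path $copy
    }
    finally {
        Remove-Item -Path $copy -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder path): first the file as exported from the Detection Method tab,
# then the same content with the line break put back.
Test-SignedScriptTrailingNewline -Path 'C:\Scripts\Detect-App.ps1' | Format-List
Test-SignatureAfterRestoringNewline -Path 'C:\Scripts\Detect-App.ps1' | Format-List
```

On the exported file you expect EndsWithNewline to be False and SignatureStatus to be HashMismatch, which is the condition the "not digitally signed" error reports under AllSigned. If the copy with CRLF restored comes back Valid, the missing line break is the only change; if it still reports HashMismatch, the console altered something else in the content as well, which is why the check works on bytes rather than on what the editor displays.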
Note that a "workaround" has been posted for this issue, but it simply states that you should set the ExecutionPolicy for clients via the ConfigMgr Client Settings to something other than AllSigned, and in my opinion that is not a good idea for security reasons.