Powershell MID Server Script Files used by Orchestration Activity Packs are not signed, which is a requirement for some customers


There is no mechanism for Signing powershell MID Server Script Files (ecc_agent_script_file), and these are used by several out-of-box activities included in Orchestration Activity Packs, and powershell based activities in other out-of-box Orchestration workflows.

These scripts need to be allow to run "Unrestricted" execution policy to work currently.

Some customers have policies that have this as a requirement, e.g. Defense Information Security Agency (DISA) Security Technical Implementation Guidelines (STIG) suggest that all Powershell scripts should be Signed.

If an "AllSigned" or "remotesigned" policy is enforced on servers automatically, then these activities will fail to run, with an error like:
Error encountered when invoking PowerShell, the result from running '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"...

A Microsoft SCCM Server will have "remotesigned" execution policy by default, and need that policy made less secure to run Client Software Distribution workflows.

This affects at least:
Client Software Distribution
Orchestration add-on for Password Reset
Active Directory activity pack
Azure AD activity pack
Exchange activity pack
PowerShell activity pack
SCCM activity pack - our docs state "The Windows PowerShell x86 execution policy must be set to unrestricted mode."

Steps to Reproduce

  1. Set powershell execution policy to AllSigned or RemoteSigned on the MID Server host
  2. Attempt to run any powershell activity on it


This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information will become available.

The only workaround is to set the powershell execution policy to "Unrestricted". 

Related Problem: PRB1349797