I would indeed not use Program Files; in my lab I used C:\Onguard\ as the location, but ProgramData sounds like a good candidate as well.
It has been a while since I worked with these custom scripts, and if there is no further response (and just trying another location does not produce a result), it may be advisable to open a TAC case.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 13, 2026 08:24 AM
From: itsbrown
Subject: OnGuard Custom Script returns ExitCode 260
We're implementing a ClearPass OnGuard (Windows) Custom Script to validate the presence of a certificate related to cppm in the machine's Enterprise Trust store (LocalMachine). The script works correctly when run manually in PowerShell, but OnGuard always reports ExitCode=260. As far as I understand, this code appears before the script is executed (pre‑validation/access failure), not from the script's own exit.
Environment
- ClearPass OnGuard (Windows):
- AgentVersion: 6.12.0.300732
- AgentLibraryVersion: 10.0.85.300732
- SDK Type/Version: V4 / 4.3.3753.0
- OS: Windows 10 Enterprise LTSC 21H2 (10.0.19044), x86_64
- OnGuard runtime user: NT AUTHORITY\SYSTEM
- Target certificate (example):
- Store: Cert:\LocalMachine\Enterprise Trust (alias Cert:\LocalMachine\Trust)
- Subject/FriendlyName: O=PolicyManager, CN=cppm
- Issuer: O=PolicyManager, CN=cppm
The script searches for the certificate in Enterprise Trust (LocalMachine). If it finds a match for subject/issuer patterns, it prints ExitCode=0 and exit 0; otherwise, it prints ExitCode=65 / exit 65. (65 = condition not met; 260 is not produced by the script).
Note: Running the script manually in PowerShell (as user or SYSTEM via PsExec/Task Scheduler) returns ExitCode=0, so the .ps1 logic itself appears correct.
Logs
- OnGuard (frontend): posture stays QUARANTINE, no Remediation URL.
- WinAgent: the Custom Script health block reports ExitCode=260.
- In prior tests (another log), we saw:
- "Failed to execute command … Exit code - 260"
Here are my questions for the community. I'd appreciate any help.
What are the exact conditions that trigger ExitCode=260 in OnGuard?
- My understanding: 260 = failure/denial before execution (validation, access, path, signing). Is there an official mapping for this code in OnGuard 6.12?
Script location & permissions
- Is a different location recommended (e.g., C:\ProgramData\Aruba Networks\...) to avoid ACL/virtualization issues under Program Files?
- Any additional inherited permissions OnGuard expects?
Goal
- Ensure OnGuard executes the .ps1 (stop returning 260) and reads the KVP ExitCode=0.
- Then the Custom Script becomes Healthy, and the endpoint leaves QUARANTINE.
Thanks in advance for any hint or experience!
-------------------------------------------
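The certificate check described in the original message, written out as an added example; it is not the poster's script and not part of the thread. The parameter names and wildcard patterns are assumptions, and it covers only the script's own logic (exit 0 or 65), not the ExitCode=260 reported by OnGuard.

```powershell
# Added example, not the poster's script. Parameter names and defaults are assumptions.
[CmdletBinding()]
param(
    # Wildcard patterns based on the certificate named in the post (O=PolicyManager, CN=cppm).
    # Note: '*CN=cppm*' also matches longer names such as CN=cppm2; tighten if needed.
    [string]$SubjectPattern = '*CN=cppm*',
    [string]$IssuerPattern  = '*CN=cppm*',
    # 'Trust' is the certificate provider name of the Enterprise Trust store.
    [string]$StorePath      = 'Cert:\LocalMachine\Trust'
)

# Turn non-terminating errors (e.g. store path not found) into catchable ones.
$ErrorActionPreference = 'Stop'

# 65 = condition not met, as described in the post.
$code = 65

try {
    # First certificate whose subject AND issuer both match the patterns.
    $match = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectPattern -and $_.Issuer -like $IssuerPattern } |
        Select-Object -First 1

    if ($match) { $code = 0 }
}
catch {
    # Store unreadable: report on stderr so stdout carries only the key/value line.
    [Console]::Error.WriteLine("Certificate store check failed: $($_.Exception.Message)")
}

# Key/value line in the form the post describes, then the matching process exit code.
Write-Output "ExitCode=$code"
exit $code
```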