About the Patch My PC Code-Signing Certificate

Applies to: Patch My PC Cloud

Patch My PC (PMPC) signs Win32 app PowerShell detection and requirement scripts with a code-signing certificate from a public Certificate Authority (CA). For these scripts to run correctly under an AllSigned execution policy, the public key of the code-signing certificate must be present in the Trusted Publishers certificate store on all relevant computers you intend to deploy the packages to.

If this public key is not in the store, scripts will fail to execute. No error will be thrown in the log files, however, powershell.exe will hang while it tries to execute the detection or requirement script.

This is because AgentExecutor.exe (the Intune client process responsible for calling Win32 package detection or requirement scripts) runs in session 0; it is not visible by the logged on user and PowerShell is awaiting input by the user to accept the code-signing certificate.

powershell.exe waiting for user input

After 60 minutes, the Intune Management Extension service will timeout and terminate the powershell.exe process with the below log entries in IntuneManagementExtension.log.

Microsoft do not expose this timeout to be configurable in Intune.

powershell.exe being terminated after 60 minutes timeout

In addition, the computer must trust the certificate chain for the code-signing certificate, which is generally the case with certificates issued by public CAs. By importing the code-signing certificate's public key into the Trusted Publishers store, you ensure PowerShell can successfully verify and run the signed scripts.

Deploying our certificate from Intune

You have two ways to deploy our certificate from Intune:

Note

If you prefer to deploy our certificate using a method not described here, you can download it from: https://patchmypc.com/codesign

PreviousCloud ReferenceNextUsing a Custom Configuration Policy to deploy the Patch My PC certificate

Last updated

Was this helpful?