About the Patch My PC Code-Signing Certificates

Applies to: Patch My PC Cloud

Patch My PC (PMPC) signs PowerShell scripts with a code-signing certificate from a public Certificate Authority (CA). The following scripts are code-signed:

  • Intune Win32 app Detection Scripts

  • Intune Win32 app Requirement Scripts

  • Patch My PC helper Scripts used in certain Catalog apps

For these scripts to run correctly under an AllSigned execution policy, the public key of the code-signing certificate(s) must be present in the Trusted Publishers certificate store on all relevant computers you intend to deploy the packages to.

If this public key is not in the store, scripts will fail to execute. No error is written to the log files; instead, powershell.exe hangs while it tries to execute the detection or requirement script.
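One way to check a device for this condition before deploying, as an added example (not Patch My PC's own code): it reads the signer of a signed script and looks for that certificate in Trusted Publishers. `$ScriptPath` and the function name `Test-PublisherTrusted` are hypothetical, and the machine-wide store (`Cert:\LocalMachine\TrustedPublisher`) is assumed to be the relevant one.

```powershell
# Added example: pre-flight check for a signed script under AllSigned.
# $ScriptPath is a placeholder: point it at a signed .ps1 copied to the device.
param(
    [Parameter(Mandatory)]
    [string]$ScriptPath
)

function Test-PublisherTrusted {
    param([Parameter(Mandatory)][string]$Path)

    # Read the Authenticode signature and the certificate that produced it
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # Assumption: the machine-wide Trusted Publishers store is the one that
    # matters, because the script is launched outside the user's session.
    $inStore = $false
    if ($signer) {
        $inStore = [bool](Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
            Where-Object Thumbprint -eq $signer.Thumbprint)
    }

    [pscustomobject]@{
        Script             = $Path
        SignatureStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignerSubject      = $signer.Subject      # $null when the file is unsigned
        SignerThumbprint   = $signer.Thumbprint
        SignerNotAfter     = $signer.NotAfter
        InTrustedPublisher = $inStore
        EffectivePolicy    = Get-ExecutionPolicy  # policy in effect for this session
    }
}

$result = Test-PublisherTrusted -Path $ScriptPath
$result | Format-List

# Flag the combination that leads to the silent hang described above
if ($result.EffectivePolicy -eq 'AllSigned' -and -not $result.InTrustedPublisher) {
    Write-Warning 'AllSigned is in effect and the signer is not in Trusted Publishers.'
}
```

Run it from an elevated prompt on a test device; a `SignatureStatus` other than `Valid` points to a problem with the script file itself rather than with the certificate store.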

Certificates used

There are two distinct use cases that require separate certificates in Patch My PC:

  1. Intune Detection and Requirement Scripts: Used to sign Intune detection and requirement scripts for Win32 applications published through PMPC Cloud.

  2. Patch My PC Helper Scripts: Used to sign required and recommended pre/post "helper" scripts for certain applications in the PMPC catalog. These helper scripts perform essential tasks such as stopping processes, uninstalling older software versions, or configuring application behavior during deployment to ensure successful app installation.

Use Case 1: Intune Detection and Requirement Scripts

Specifically for Intune detection and requirement scripts, AgentExecutor.exe (the Intune client process responsible for calling Win32 app detection or requirement scripts) runs in session 0, so it is not visible to the logged-on user. PowerShell waits for user input to accept the code-signing certificate, a prompt the user never sees.

powershell.exe waiting for user input

After 60 minutes, the Intune Management Extension service times out and terminates the powershell.exe process, with the below log entries in IntuneManagementExtension.log.

Note

Microsoft does not expose this timeout as a configurable setting in Intune.

powershell.exe being terminated after 60 minutes timeout

Use Case 2: Patch My PC Helper Scripts

PMPC uses "helper" scripts to perform both required and recommended pre/post actions for certain applications in the PMPC catalog. These helper scripts can, among other things, help remove old versions of software if the vendor's installer does not handle this automatically.

Deploying a certificate from Intune

You have two ways to deploy either certificate from Intune:

Note

If you prefer to deploy a certificate using a method not described here, you can download it from: https://patchmypc.com/codesign
