About the Patch My PC Code-Signing Certificates
Applies to: Patch My PC Cloud
Patch My PC (PMPC) signs PowerShell scripts with a code-signing certificate from a public Certificate Authority (CA). The following scripts are code-signed:
Intune Win32 app Detection Scripts
Intune Win32 app Requirement Scripts
Patch My PC helper Scripts used in certain Catalog apps
For these scripts to run under an AllSigned execution policy, the code-signing certificate (the public certificate, never a private key) must be present in the Trusted Publishers certificate store on every computer you intend to deploy the packages to.
If the certificate is not in that store, the scripts will not execute. No error is written to the log files; instead, powershell.exe hangs while it tries to run the detection or requirement script, because PowerShell is waiting for an interactive answer to its untrusted-publisher prompt.
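The check below is an added example, not Patch My PC's own tooling. It takes a signed script (the path is a placeholder; point it at any PMPC-signed detection, requirement or helper script) and reports the three things that decide whether AllSigned will run it without prompting: the Authenticode signature status, whether the signer is in a Trusted Publishers store, and whether it has been explicitly blocked in the Untrusted Certificates (Disallowed) store.

```powershell
# Added example (not Patch My PC code). Reports whether a signed script would
# run under an AllSigned execution policy on this computer.
param(
    [Parameter(Mandatory)]
    [string]$ScriptPath   # e.g. an extracted PMPC detection script; placeholder, supply your own
)

function Test-SignedScriptTrust {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status meanings relevant here:
    #   Valid        hash matches and the signer chains to a trusted root
    #   NotTrusted   signature is intact but the chain does not build to a trusted root
    #   NotSigned / HashMismatch / UnknownError   AllSigned refuses the script outright
    $result = [ordered]@{
        Script              = $Path
        SignatureStatus     = $sig.Status
        StatusMessage       = $sig.StatusMessage
        Signer              = $sig.SignerCertificate.Subject
        Thumbprint          = $sig.SignerCertificate.Thumbprint
        NotAfter            = $sig.SignerCertificate.NotAfter
        InTrustedPublishers = $false
        TrustedStore        = $null
        InDisallowed        = $false
    }

    if ($sig.SignerCertificate) {
        $thumb = $sig.SignerCertificate.Thumbprint

        # Publisher trust is satisfied by either Trusted Publishers store. Session-0
        # processes such as AgentExecutor.exe run as SYSTEM, so LocalMachine is the
        # one that matters for Intune detection and requirement scripts.
        foreach ($store in 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher') {
            $hit = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                   Where-Object { $_.Thumbprint -eq $thumb }
            if ($hit -and -not $result.InTrustedPublishers) {
                $result.InTrustedPublishers = $true
                $result.TrustedStore        = $store
            }
        }

        # A certificate in the Disallowed (Untrusted Certificates) store is blocked
        # regardless of anything else, so it is worth reporting explicitly.
        $blocked = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Thumbprint -eq $thumb }
        if ($blocked) { $result.InDisallowed = $true }
    }

    [pscustomobject]$result
}

$check = Test-SignedScriptTrust -Path $ScriptPath
$check | Format-List

if ($check.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature status is $($check.SignatureStatus): $($check.StatusMessage)"
} elseif ($check.InDisallowed) {
    Write-Warning "Signer $($check.Thumbprint) is in the Disallowed store; PowerShell will refuse the script."
} elseif (-not $check.InTrustedPublishers) {
    Write-Warning "Signer $($check.Thumbprint) is not in Trusted Publishers; under AllSigned PowerShell will prompt, and in session 0 that prompt is never answered."
} else {
    Write-Host "Script will run under AllSigned without prompting (publisher trusted via $($check.TrustedStore))."
}
```

Run it elevated on a device that is misbehaving; a Valid signature combined with InTrustedPublishers = False is exactly the condition that produces the silent hang described above, and is fixed by deploying the certificate rather than by changing the script.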
Certificates used
There are two distinct use cases that require separate certificates in Patch My PC:
Intune Detection and Requirement Scripts: Used to sign Intune detection and requirement scripts for Win32 applications published through PMPC Cloud.
Patch My PC Helper Scripts: Used to sign required and recommended pre/post "helper" scripts for certain applications in the PMPC catalog. These helper scripts perform essential tasks such as stopping processes, uninstalling older software versions, or configuring application behavior during deployment to ensure successful app installation.
Use Case 1: Intune Detection and Requirement Scripts
For Intune detection and requirement scripts specifically, AgentExecutor.exe (the Intune client process responsible for running Win32 app detection and requirement scripts) runs in session 0. Its PowerShell process is not visible to the logged-on user, so the prompt PowerShell displays to accept the untrusted publisher can never be answered, and the process waits indefinitely.
After 60 minutes, the Intune Management Extension service times out and terminates the powershell.exe process, recording the timeout in IntuneManagementExtension.log.
Use Case 2: Patch My PC Helper Scripts
PMPC uses "helper" scripts to perform both required and recommended pre/post actions for certain applications in the PMPC catalog. These helper scripts can, for example, remove old versions of software when the vendor's installer does not do so itself, among other tasks.
Deploying a certificate from Intune
You have two ways to deploy either certificate from Intune:
Using a Custom Configuration Policy (recommended)
Important
In addition, the computer must trust the certificate chain for the code-signing certificate (the issuing CA and its root), which is generally the case for certificates issued by public CAs. Importing the code-signing certificate's public key into the Trusted Publishers store adds publisher trust on top of that chain trust; together they let PowerShell verify and run the signed scripts without prompting.
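The script below is an added example of preparing the deployment, not Patch My PC's own procedure. It pulls the signer certificate out of a signed script, confirms the chain builds to a trusted root on the machine running it (the condition the Important note calls out), exports the public certificate as a .cer file, and prints the OMA-URI setting for a custom configuration profile. The script path is a placeholder; the OMA-URI node is taken from Microsoft's RootCATrustedCertificates CSP (TrustedPublisher/<thumbprint>/EncodedCertificate, base64 value), which the page itself does not spell out, so treat that mapping as an assumption to verify against the CSP reference before you create the profile.

```powershell
# Added example (not Patch My PC code). Extracts the signer certificate from a
# signed script, checks chain trust, and prepares an Intune custom (OMA-URI)
# setting that places the certificate in the machine Trusted Publishers store.
param(
    [Parameter(Mandatory)]
    [string]$SignedScriptPath,          # placeholder: any PMPC-signed script
    [string]$OutFolder = $PWD.Path
)

function Get-SignerCertificate {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No signer certificate on $Path (signature status: $($sig.Status))"
    }
    $sig.SignerCertificate
}

function Test-CertificateChain {
    # Builds the chain the way PowerShell will on the target: intermediate and
    # root must resolve to a trusted root, which public CAs normally satisfy.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        ChainTrusted = $ok
        Problems     = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Root         = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

function Export-PublicCertificate {
    # DER-encoded public certificate only; no private key is involved.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Folder)
    $cerPath = Join-Path $Folder "$($Cert.Thumbprint).cer"
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerPath, $der)
    $cerPath
}

function New-TrustedPublisherOmaUriSetting {
    # Assumed CSP node (RootCATrustedCertificates CSP); value is the base64 DER certificate.
    param([string]$CerPath, [string]$Thumbprint)
    $bytes = [System.IO.File]::ReadAllBytes($CerPath)
    [pscustomobject]@{
        OmaUri   = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$Thumbprint/EncodedCertificate"
        DataType = 'String'
        Value    = [Convert]::ToBase64String($bytes)
    }
}

$cert  = Get-SignerCertificate -Path $SignedScriptPath
$chain = Test-CertificateChain -Cert $cert

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    ChainTrusted = $chain.ChainTrusted
    Root         = $chain.Root
} | Format-List

if (-not $chain.ChainTrusted) {
    Write-Warning "Chain does not build to a trusted root here ($($chain.Problems)); Trusted Publishers alone will not make the script run."
}

$cerPath = Export-PublicCertificate -Cert $cert -Folder $OutFolder
Write-Host "Exported public certificate to $cerPath"

# Paste OmaUri / DataType / Value into the custom configuration profile.
New-TrustedPublisherOmaUriSetting -CerPath $cerPath -Thumbprint $cert.Thumbprint | Format-List

# To validate on a single test device before creating the profile (run elevated):
#   Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
#   Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $cert.Thumbprint
```

Keep the thumbprint and NotAfter date from the output with your change record: when the code-signing certificate is renewed, the new certificate has a different thumbprint and needs its own setting, and the old one can be retired once no packages signed with it remain in use.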