About the Patch My PC Code-Signing Certificate

Details about the Patch My PC Cloud Code-Signing certificate and how to deploy it.

Patch My PC (PMPC) signs Win32 app PowerShell detection and requirement scripts with a code-signing certificate from a public Certificate Authority (CA). For these scripts to run correctly under an AllSigned execution policy, the public key of the code-signing certificate must be present in the Trusted Publishers certificate store on all relevant computers you intend to deploy the packages to.

If this public key is not in the store, the scripts will fail to execute. No error is written to the log files; instead, powershell.exe hangs while it tries to execute the detection or requirement script.

This is because AgentExecutor.exe (the Intune client process responsible for calling Win32 package detection or requirement scripts) runs in session 0. It is not visible to the logged-on user, so PowerShell waits indefinitely for a user to accept the code-signing certificate at the untrusted-publisher prompt.

After 60 minutes, the Intune Management Extension service will time out and terminate the powershell.exe process, recording the corresponding entries in IntuneManagementExtension.log.

Microsoft does not expose this timeout as a configurable setting in Intune.

In addition, the computer must trust the certificate chain for the code-signing certificate, which is generally the case with certificates issued by public CAs. By importing the code-signing certificate's public key into the Trusted Publishers store, you ensure PowerShell can successfully verify and run the signed scripts.
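As an added example (not Patch My PC's own tooling), the following PowerShell pre-flight check shows the two conditions described above: `Get-AuthenticodeSignature` confirms the chain trusts the certificate, and a lookup in the machine-wide Trusted Publishers store confirms the signer will not trigger the interactive prompt that hangs powershell.exe in session 0. It assumes the Win32 detection script runs as SYSTEM (so `Cert:\LocalMachine\TrustedPublisher` is the relevant store) and uses placeholder file paths; the certificate file name is assumed.

```powershell
# Added example, not part of Patch My PC's documentation or tooling.
# Pre-flight check for a signed detection/requirement script under AllSigned,
# followed by the import step that resolves an untrusted publisher.

function Test-TrustedPublisherForScript {
    param([Parameter(Mandatory)] [string] $ScriptPath)

    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath

    # Status reflects signature integrity and chain trust (the public CA side).
    # It says nothing about whether the signer is in Trusted Publishers.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Script = $ScriptPath; SignatureStatus = $sig.Status
            Signer = $null;       TrustedPublisher = $false
        }
    }

    $signer = $sig.SignerCertificate

    # Under AllSigned, a valid signature whose signer is NOT in this store
    # produces the "untrusted publisher" prompt; in session 0 nobody can
    # answer it, so powershell.exe hangs until Intune kills it.
    $trusted = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

    [pscustomobject]@{
        Script           = $ScriptPath
        SignatureStatus  = $sig.Status
        Signer           = $signer.Subject
        Thumbprint       = $signer.Thumbprint
        TrustedPublisher = [bool]$trusted
    }
}

# Import the public certificate (downloaded from https://patchmypc.com/codesign;
# the .cer file name below is a placeholder) into the machine-wide Trusted
# Publishers store. Requires an elevated session.
function Install-PublisherCertificate {
    param([Parameter(Mandatory)] [string] $CerPath)
    Import-Certificate -FilePath $CerPath `
        -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'
}

# Usage with placeholder paths:
# Test-TrustedPublisherForScript -ScriptPath 'C:\Temp\Detect.ps1'
# Install-PublisherCertificate -CerPath 'C:\Temp\PatchMyPC-CodeSigning.cer'
# Test-TrustedPublisherForScript -ScriptPath 'C:\Temp\Detect.ps1'  # TrustedPublisher now True
```

Run the check as SYSTEM (for example via a scheduled task or PsExec) if you want it to mirror exactly what AgentExecutor.exe sees, since a per-user Trusted Publishers entry does not help a session 0 process.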

Deploying our certificate from Intune

You have two ways to deploy our certificate from Intune:

Note

If you prefer to deploy our certificate using a method not described here, you can download it from: https://patchmypc.com/codesign
