Using a script
Deploying our Code Signing Certificate using a script
By using a script to deploy our certificate, you can either deploy the certificate as a:
In environments where a company configures an all-signed PowerShell policy or enforces script signature checking on the Win32 app in the Intune admin center, all scripts must be signed by a trusted publisher. Our script helps import the required certificate into the Trusted Publisher store to ensure that scripts signed by Patch My PC (PMPC) can be executed without issues.
To deploy our code signing certificate using a script, first download our scripts from:
https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing
Note
You can find out more details about these scripts and what they do by reviewing the ReadMe.md file included with the scripts.
Using a platform script
To deploy our certificate using a script, follow the Create a script policy and assign it article using the following values.
“Platform scripts” tab
| Field | Value |
|---|---|
Add | Windows 10 and later |
“Basics” tab
| Field | Value |
|---|---|
Name | A descriptive name for the policy. E.g. “Patch My PC Trusted Publisher Certificate”` |
Description | Enter an optional description for the policy |
“Script Settings” tab
| Field | Value |
|---|---|
Script location | Browse to and select Import-PMPTrustedPublisherCertificate.ps1 |
Run this script using the logged on credentials | No |
Enforce script signature check | No |
Run script in 64 bit PowerShell Host | No |
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s).
“Review + add” tab
Double-check everything before clicking Add.
Post Processing
You can see the script being processed by the Intune Management Extension by looking in the IntuneManagementExtension.log located at:
Using a proactive remediation
To deploy our certificate using a proactive remediation deployment, follow the Remediations article using the following values.
“Basics” tab
| Field | Value |
|---|---|
Name | A descriptive name for the policy. E.g. “Patch My PC Trusted Publisher Certificate”` |
Description | Enter an optional description for the policy. |
Publisher | Enter “Patch My PC” |
“Settings” tab
| Field | Value |
|---|---|
Detection script file | Browse to and select PMPTrustedPublisherCertificate_HealthScript_Detection.ps1 |
Remediation script file | Browse to and select Import-PMPTrustedPublisherCertificate.ps1 |
Run this script using the logged on credentials | No |
Enforce script signature check | No |
Run script in 64 bit PowerShell Host | No |
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.
“Review + create” tab
Double-check everything before clicking Create.
Post Processing
You can see the script being processed by the Intune Management Extension by looking in the HealthScriptss.log located at:
Observe the Proactive Remediation Device Status blade.
The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script found the certificate already installed in the local computer’s Trusted Publishers store.
The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is 1).
The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is 0).
Note
If you have any feedback or comments on our docs, please email docs@patchmypc.com.
Last updated
