Using a Script to Deploy a PMPC Certificate
Applies to: Patch My PC Cloud
You can use a script to deploy Patch My PC (PMPC) code-signing certificates to Intune-managed devices. The script imports the selected certificate into the local computer's Trusted Publishers certificate store.
This can be deployed from Intune as a platform script or as a remediation script.
In environments where the AllSigned PowerShell execution policy is configured, or where script signature checking is enforced for Win32 apps in the Intune admin center, scripts must be signed by a publisher whose certificate is in the Trusted Publishers store. Deploying the relevant Patch My PC code-signing certificate allows PowerShell to trust scripts and modules signed by Patch My PC without relaxing the execution policy.
Download the required script from the Patch My PC Community Scripts repository:
https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing
Use the script from the relevant Current folder for newly signed Patch My PC content.
Important
If you are implementing AllSigned, WDAC, AppLocker, or similar controls after applications have already been deployed, some existing deployed content may have been signed with a previous Patch My PC certificate. In that instance, you may also need to deploy the relevant archived certificate from the corresponding Archived folder.
Archived folders include the matching import and detection scripts for that certificate. When deploying an archived certificate using the script method, use the scripts from the archived folder rather than the scripts from the Current folder.
Note
You can find out more details about these scripts and what they do by reviewing the ReadMe.md file included with the scripts.
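As an added example (not the Patch My PC import script; the certificate path, thumbprint and optional signed-file path are hypothetical placeholders), the following PowerShell shows what a Trusted Publishers import of this kind involves and the checks worth having in it: an elevation check (the LocalMachine store is the reason the policy runs as SYSTEM rather than with the logged-on credentials), pinning the .cer to an expected thumbprint before importing it, reading the store back afterwards, and optionally confirming that a file signed by that publisher now validates with Get-AuthenticodeSignature.

```powershell
<#
  Added example, not the Patch My PC import script. Imports one code-signing
  certificate into the local computer's Trusted Publishers store, pinned to an
  expected thumbprint. The default path, thumbprint and the optional signed
  file are hypothetical placeholders.
#>
[CmdletBinding()]
param(
    [string]$CertPath = '.\ExamplePublisher.cer',                              # hypothetical .cer shipped with the script
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',  # hypothetical SHA-1 thumbprint
    [string]$SignedFilePath                                                    # optional file signed by this publisher
)

$ErrorActionPreference = 'Stop'

# LocalMachine\TrustedPublisher is only writable with administrative rights.
# Under Intune that means running as SYSTEM, which is why "Run this script
# using the logged on credentials" is set to No.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Output 'Not elevated: cannot write LocalMachine\TrustedPublisher.'
    exit 1
}

if (-not (Test-Path -Path $CertPath)) {
    Write-Output "Certificate file not found: $CertPath"
    exit 1
}
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()

# Pin the certificate. A .cer that travels with a script is only as trustworthy
# as the script, so refuse to import anything whose thumbprint differs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path -Path $CertPath).Path
if ($cert.Thumbprint -ne $expected) {
    Write-Output "Refusing import: thumbprint $($cert.Thumbprint) does not match expected $expected."
    exit 1
}

# Trusted Publishers is a trust decision, not chain building: every script or
# module signed by this certificate will run under AllSigned. Keep the set small.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList 'TrustedPublisher', 'LocalMachine'
$store.Open('ReadWrite')
try {
    $already = $store.Certificates.Find('FindByThumbprint', $expected, $false)
    if ($already.Count -gt 0) {
        Write-Output "Certificate $expected already present in LocalMachine\TrustedPublisher."
    } else {
        $store.Add($cert)
        Write-Output "Imported '$($cert.Subject)' ($expected) into LocalMachine\TrustedPublisher."
    }
} finally {
    $store.Close()
}

# Verify by reading the store back rather than trusting that Add() did not throw.
$present = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $expected
if (-not $present) {
    Write-Output 'Post-import verification failed: certificate not found in store.'
    exit 1
}

# Optional end-to-end check: a file signed by this publisher should now be Valid
# and its signer should be the certificate just imported, not merely some cert.
if ($SignedFilePath) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFilePath
    Write-Output "Signature status for ${SignedFilePath}: $($sig.Status)"
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $expected) {
        exit 1
    }
}
exit 0
```

The thumbprint pin is the part to keep when adapting this: the import and the certificate are delivered together by the same policy, so a script that imports whatever .cer sits next to it trusts whatever was dropped there. The exit codes follow the remediation convention used later on this page (0 on success, non-zero on failure), so the same script can serve as a remediation script.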
Deploy the Certificate with a Platform Script
Use this section to deploy one of the Patch My PC certificate import scripts as an Intune platform script.
Select the tab that matches the certificate you want to deploy, then use the corresponding script and settings below when following Create a script policy and assign it.
“Patch My PC Cloud” tab
“Platform scripts” tab
Add
Windows 10 and later
“Basics” tab
Name
A descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”
Description
Enter an optional description for the policy
“Script Settings” tab
Script location
Browse to and select \Patch My PC Cloud\Current\Import-PMPCCloudTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s).
“Review + add” tab
Double-check everything before clicking Add.
“Patch My PC Apps” tab
“Platform scripts” tab
Add
Windows 10 and later
“Basics” tab
Name
A descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”
Description
Enter an optional description for the policy
“Script Settings” tab
Script location
Browse to and select \Patch My PC Apps\Current\Import-PMPCAppsTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s).
“Review + add” tab
Double-check everything before clicking Add.
“PSADT” tab
“Platform scripts” tab
Add
Windows 10 and later
“Basics” tab
Name
A descriptive name for the policy. E.g. “PSAppDeployToolkit Module Trusted Publisher Certificate”
Description
Enter an optional description for the policy
“Script Settings” tab
Script location
Browse to and select \PSADT\Current\Import-PSADTTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s).
“Review + add” tab
Double-check everything before clicking Add.
Deploy the Certificate with a Remediation Script
Use this section to deploy one of the Patch My PC certificate import scripts as an Intune remediation script.
Select the tab that matches the certificate you want to deploy, then use the corresponding detection script, remediation script, and settings below when following the Remediations article.
The remediation scripts can be found in the following repository on GitHub: https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing
“Patch My PC Cloud” tab
“Basics” tab
Name
A descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”
Description
Enter an optional description for the policy.
Publisher
Enter “Patch My PC”
“Settings” tab
Detection script file
Browse to and select \Patch My PC Cloud\Current\PMPCCloudTrustedPublisherCertificate_HealthScript_Detection.ps1
Remediation script file
Browse to and select \Patch My PC Cloud\Current\Import-PMPCCloudTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.
“Review + create” tab
Double-check everything before clicking Create.
“Patch My PC Apps” tab
“Basics” tab
Name
A descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”
Description
Enter an optional description for the policy.
Publisher
Enter “Patch My PC”
“Settings” tab
Detection script file
Browse to and select \Patch My PC Apps\Current\PMPCAppsTrustedPublisherCertificate_HealthScript_Detection.ps1
Remediation script file
Browse to and select \Patch My PC Apps\Current\Import-PMPCAppsTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.
“Review + create” tab
Double-check everything before clicking Create.
“PSADT” tab
“Basics” tab
Name
A descriptive name for the policy. E.g. “PSAppDeployToolkit Module Trusted Publisher Certificate”
Description
Enter an optional description for the policy.
Publisher
Enter “Patch My PC”
“Settings” tab
Detection script file
Browse to and select \PSADT\Current\PSADTTrustedPublisherCertificate_HealthScript_Detection.ps1
Remediation script file
Browse to and select \PSADT\Current\Import-PSADTTrustedPublisherCertificate.ps1
Run this script using the logged on credentials
No
Enforce script signature check
No
Run script in 64 bit PowerShell Host
No
“Scope tags” tab
Configure as required.
“Assignments” tab
Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.
“Review + create” tab
Double-check everything before clicking Create.
Post Processing
You can see the script being processed by the Intune Management Extension by reviewing HealthScripts.log in the Intune Management Extension log folder on the device.
Observe the Proactive Remediation Device Status blade.

The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script found the certificate already installed in the local computer’s Trusted Publishers store.

The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is 1).

The following log snippet shows the HealthScripts.log entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is 0).
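As an added example (not the Patch My PC detection script; the thumbprints are hypothetical placeholders), the following PowerShell shows the detection-side contract that produces those log entries: it checks LocalMachine\TrustedPublisher for each thumbprint in a pinned list, covering the Current certificate and any Archived one still needed for older content, writes one status line, and exits 1 when anything is missing so that the remediation script runs, or 0 when the store is already compliant.

```powershell
<#
  Added example, not the Patch My PC detection script. Checks the local
  computer's Trusted Publishers store for every thumbprint in a pinned list
  and returns the exit code Intune Remediations expects from a detection
  script. The thumbprints below are hypothetical placeholders.
#>
# Current certificate plus any archived one still needed for older content.
$ExpectedThumbprints = @(
    '1111111111111111111111111111111111111111'   # hypothetical: Current folder cert
    '2222222222222222222222222222222222222222'   # hypothetical: Archived folder cert
)

function Test-TrustedPublisherCertificate {
    param([string[]]$Thumbprints)

    $installed = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher
    $missing  = @()
    $expiring = @()

    foreach ($tp in $Thumbprints) {
        $tp = $tp.Replace(' ', '').ToUpperInvariant()
        $match = $installed | Where-Object Thumbprint -eq $tp
        if (-not $match) {
            $missing += $tp
            continue
        }
        # Timestamped signatures stay valid after the signer expires, so this is
        # informational only: it tells you when to expect a new Current cert.
        if ($match.NotAfter -lt (Get-Date).AddDays(30)) {
            $expiring += "$tp (NotAfter $($match.NotAfter.ToString('yyyy-MM-dd')))"
        }
    }
    return [pscustomobject]@{ Missing = $missing; Expiring = $expiring }
}

$result = Test-TrustedPublisherCertificate -Thumbprints $ExpectedThumbprints

# Detection exit codes: 0 = compliant (remediation skipped), 1 = non-compliant
# (remediation script runs). The single stdout line is what shows up as the
# pre-remediation detection output in the device status blade and in
# HealthScripts.log.
if ($result.Missing.Count -gt 0) {
    Write-Output ("Missing from LocalMachine\TrustedPublisher: {0}" -f ($result.Missing -join ', '))
    exit 1
}
$msg = "All $($ExpectedThumbprints.Count) expected publisher certificate(s) present."
if ($result.Expiring.Count -gt 0) {
    $msg += ' Expiring soon: ' + ($result.Expiring -join ', ')
}
Write-Output $msg
exit 0
```

Detection deliberately does not exit 1 for an expiring certificate: re-running the import would not change anything, and a detection script that fails every cycle for a condition the remediation cannot fix only produces a permanently red status. Expiry is surfaced in the output line instead so it is visible in the log and the device status blade.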
