# Using a Script to Deploy a PMPC Certificate

*Applies to: Patch My PC Cloud*

You can use a script to deploy Patch My PC (PMPC) code-signing certificates to Intune-managed devices. The script imports the selected certificate into the local Trusted Publishers certificate store.

This can be deployed from Intune as a:

* [Platform Script](#deploy-the-certificate-with-a-platform-script)
* [Remediation Script](#deploy-the-certificate-with-a-remediation-script)

In environments where an AllSigned PowerShell execution policy is configured, or where script signature checking is enforced for Win32 apps in the Intune admin center, scripts must be signed by a trusted publisher. Deploying the relevant Patch My PC code-signing certificate allows PowerShell to trust scripts and modules signed by Patch My PC.

Download the required script from the Patch My PC Community Scripts repository:

<https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing>

Use the script from the relevant `Current` folder for newly signed Patch My PC content.

{% hint style="warning" %}
**Important**

If you are implementing AllSigned, WDAC, AppLocker, or similar controls after applications have already been deployed, some existing deployed content may have been signed with a previous Patch My PC certificate. In that instance, you may also need to deploy the relevant archived certificate from the corresponding `Archived` folder.

Archived folders include the matching import and detection scripts for that certificate. When deploying an archived certificate using the script method, use the scripts from the archived folder rather than the scripts from the `Current` folder.
{% endhint %}

{% hint style="info" %}
**Note**

You can find out more details about these scripts and what they do by reviewing the [ReadMe.md](https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing#readme) file included with the scripts.
{% endhint %}

## Deploy the Certificate with a Platform Script

Use this section to deploy one of the Patch My PC certificate import scripts as an Intune platform script.

Select the tab that matches the certificate you want to deploy, then use the corresponding script and settings below when following [Create a script policy and assign it](https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension#create-a-script-policy-and-assign-it).

{% tabs %}
{% tab title="Intune Detection and Requirement Scripts" %}

### “Platform scripts” tab

<table><thead><tr><th width="120.88885498046875">Field</th><th width="193">Value</th></tr></thead><tbody><tr><td>Add</td><td>Windows 10 and later</td></tr></tbody></table>

### “Basics” tab

<table><thead><tr><th width="121">Field</th><th>Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy</td></tr></tbody></table>

### “Script Settings” tab

<table><thead><tr><th width="369">Field</th><th>Value</th></tr></thead><tbody><tr><td>Script location</td><td>Browse to and select <strong>\Patch My PC Cloud\Current\Import-PMPCCloudTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s).

### “Review + add” tab

Double-check everything before clicking **Add**.
{% endtab %}

{% tab title="Patch My PC Helper Scripts" %}

### “Platform scripts” tab

<table><thead><tr><th width="120.88885498046875">Field</th><th width="193">Value</th></tr></thead><tbody><tr><td>Add</td><td>Windows 10 and later</td></tr></tbody></table>

### “Basics” tab

<table><thead><tr><th width="121">Field</th><th>Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy</td></tr></tbody></table>

### “Script Settings” tab

<table><thead><tr><th width="369">Field</th><th>Value</th></tr></thead><tbody><tr><td>Script location</td><td>Browse to and select <strong>\Patch My PC Apps\Current\Import-PMPCAppsTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s).

### “Review + add” tab

Double-check everything before clicking **Add**.
{% endtab %}

{% tab title="PSAppDeployToolkit Module" %}

### “Platform scripts” tab

<table><thead><tr><th width="120.88885498046875">Field</th><th width="193">Value</th></tr></thead><tbody><tr><td>Add</td><td>Windows 10 and later</td></tr></tbody></table>

### “Basics” tab

<table><thead><tr><th width="121">Field</th><th>Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “PSAppDeployToolkit Module Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy</td></tr></tbody></table>

### “Script Settings” tab

<table><thead><tr><th width="369">Field</th><th>Value</th></tr></thead><tbody><tr><td>Script location</td><td>Browse to and select <strong>\PSADT\Current\Import-PSADTTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s).

### “Review + add” tab

Double-check everything before clicking **Add**.
{% endtab %}
{% endtabs %}

## Deploy the Certificate with a Remediation Script

Use this section to deploy one of the Patch My PC certificate import scripts as an Intune remediation script.

Select the tab that matches the certificate you want to deploy, then use the corresponding detection script, remediation script, and settings below when following the [Remediations](https://learn.microsoft.com/en-us/mem/intune/fundamentals/remediations) article.

The remediation scripts can be found in the following repository on GitHub: <https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing>

{% tabs %}
{% tab title="Intune Detection and Requirement Scripts" %}

### “Basics” tab

<table><thead><tr><th width="115">Field</th><th width="414">Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy.</td></tr><tr><td>Publisher</td><td>Enter “Patch My PC”</td></tr></tbody></table>

### “Settings” tab

<table><thead><tr><th width="291">Field</th><th>Value</th></tr></thead><tbody><tr><td>Detection script file</td><td>Browse to and select <strong>\Patch My PC Cloud\Current\PMPCCloudTrustedPublisherCertificate_HealthScript_Detection.ps1</strong></td></tr><tr><td>Remediation script file</td><td>Browse to and select <strong>\Patch My PC Cloud\Current\Import-PMPCCloudTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.

### “Review + create” tab

Double-check everything before clicking **Create**.
{% endtab %}

{% tab title="Patch My PC Helper Scripts" %}

### “Basics” tab

<table><thead><tr><th width="115">Field</th><th width="414">Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy.</td></tr><tr><td>Publisher</td><td>Enter “Patch My PC”</td></tr></tbody></table>

### “Settings” tab

<table><thead><tr><th width="291">Field</th><th>Value</th></tr></thead><tbody><tr><td>Detection script file</td><td>Browse to and select <strong>\Patch My PC Apps\Current\PMPCAppsTrustedPublisherCertificate_HealthScript_Detection.ps1</strong></td></tr><tr><td>Remediation script file</td><td>Browse to and select <strong>\Patch My PC Apps\Current\Import-PMPCAppsTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.

### “Review + create” tab

Double-check everything before clicking **Create**.
{% endtab %}

{% tab title="PSAppDeployToolkit Module" %}

### “Basics” tab

<table><thead><tr><th width="115">Field</th><th width="414">Value</th></tr></thead><tbody><tr><td>Name</td><td>A descriptive name for the policy. E.g. “PSAppDeployToolkit Module Trusted Publisher Certificate”</td></tr><tr><td>Description</td><td>Enter an optional description for the policy.</td></tr><tr><td>Publisher</td><td>Enter “Patch My PC”</td></tr></tbody></table>

### “Settings” tab

<table><thead><tr><th width="291">Field</th><th>Value</th></tr></thead><tbody><tr><td>Detection script file</td><td>Browse to and select <strong>\PSADT\Current\PSADTTrustedPublisherCertificate_HealthScript_Detection.ps1</strong></td></tr><tr><td>Remediation script file</td><td>Browse to and select <strong>\PSADT\Current\Import-PSADTTrustedPublisherCertificate.ps1</strong></td></tr><tr><td>Run this script using the logged on credentials</td><td>No</td></tr><tr><td>Enforce script signature check</td><td>No</td></tr><tr><td>Run script in 64 bit PowerShell Host</td><td>No</td></tr></tbody></table>

### “Scope tags” tab

Configure as required.

### “Assignments” tab

Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices.

### “Review + create” tab

Double-check everything before clicking **Create**.
{% endtab %}
{% endtabs %}

## Post Processing

You can see the script being processed by the Intune Management Extension by looking in the **HealthScripts.log** located at:

```
%ProgramData%\Microsoft\IntuneManagementExtension\Logs
```

Observe the **Proactive Remediation Device Status** blade.

<figure><img src="/files/PHD5hv5SpuBjucnjYPXh" alt="Observing the “Proactive Remediation Device Status” blade." width="563"><figcaption></figcaption></figure>

The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script found the certificate already installed in the local computer’s Trusted Publishers store.

<figure><img src="/files/SlYmosskhXmc9vwgaJbK" alt="“HealthScripts.log” snippet showing if the pre-remediation (detection) script has found the certificate already installed in the local machine’s Trusted Publishers store." width="563"><figcaption></figcaption></figure>

The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is **1**).

<figure><img src="/files/ANCM43fOC6eE4zHQOyc5" alt="“HealthScripts.log” snippet showing if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is 1)." width="563"><figcaption></figcaption></figure>

The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is **0**).

<figure><img src="/files/0mdw2tWTDoCMXpiwbuxS" alt="“HealthScripts.log” snippet showing the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is 0)." width="563"><figcaption></figcaption></figure>
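
To confirm the result on a device itself rather than through the log, the check below looks for the certificate in the local machine's Trusted Publishers store and, optionally, compares it with the signer of a signed file. It is an added example, not one of the Patch My PC scripts; the function name `Test-TrustedPublisherCertificate` and the thumbprint placeholder are assumptions.

```powershell
# Added example, not one of the Patch My PC scripts.
# Looks for one certificate in the LocalMachine Trusted Publishers store and,
# optionally, checks whether a signed file was signed with that same certificate.

function Test-TrustedPublisherCertificate {
    [CmdletBinding()]
    param(
        # Placeholder: supply the thumbprint of the certificate you deployed.
        [Parameter(Mandatory)][string]$Thumbprint,
        # Optional: a signed script or module to compare against the store entry.
        [string]$SignedFile
    )

    # Thumbprints copied from the certificate UI often carry spaces or hidden characters.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -ne 40) {
        throw 'Expected a 40-character SHA-1 certificate thumbprint.'
    }

    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1

    $result = [ordered]@{
        Thumbprint      = $wanted
        InStore         = [bool]$cert
        Subject         = if ($cert) { $cert.Subject } else { $null }
        NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
        SignatureStatus = $null
        SignerMatches   = $null
    }

    if ($SignedFile) {
        # Status is 'Valid' only when the signature verifies and the chain is trusted.
        $sig = Get-AuthenticodeSignature -FilePath $SignedFile
        $result.SignatureStatus = $sig.Status
        $result.SignerMatches   = ($sig.SignerCertificate.Thumbprint -eq $wanted)
    }

    [pscustomobject]$result
}

# Exit codes follow the detection-script convention shown above: 0 = present, 1 = missing.
$check = Test-TrustedPublisherCertificate -Thumbprint '<THUMBPRINT-OF-DEPLOYED-CERTIFICATE>'
$check | Format-List
if ($check.InStore) { exit 0 } else { exit 1 }
```

Under an AllSigned execution policy this check must itself be signed by a trusted publisher before it will run.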

