# Using a script to deploy the Patch My PC certificate *Applies to: Patch My PC Cloud* By using a script to deploy the Patch My PC (PMPC) certificate, you can either deploy the certificate as a: * [Platform script](#using-a-platform-script) * [Proactive remediation](#using-a-proactive-remediation) In environments where a company configures an all-signed PowerShell policy or enforces script signature checking on the Win32 app in the Intune admin center, all scripts must be signed by a trusted publisher. Our script helps import the required certificate into the Trusted Publisher store to ensure that scripts signed by PMPC can be executed without issues. To deploy our code signing certificate using a script, first download our scripts from: {% hint style="info" %} **Note** You can find out more details about these scripts and what they do by reviewing the [ReadMe.md](https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Other/Code%20Signing#readme) file included with the scripts. {% endhint %} ## Certificates to deploy The following distinct use cases require separate certificates in Patch My PC: * [Intune Detection and Requirement Scripts](#id-1.-deploy-the-certificate-use-to-sign-intune-detection-and-requirement-scripts) - Used to sign **Intune detection and requirement scripts** for Win32 applications published through PMPC Cloud. * [Patch My PC Helper Scripts](#id-2.-deploy-the-certificate-use-to-sign-patch-my-pc-helper-scripts) - Used to sign required and recommended pre/post "helper" scripts for certain applications in the PMPC catalog. These helper scripts perform essential tasks such as stopping processes, uninstalling older software versions, or configuring application behavior during deployment to ensure successful app installation. {% hint style="info" %} **Note** If you prefer to deploy a certificate using a method not described here, you can download it from: {% endhint %} ## Deploy the Certificate use to sign Intune Detection and Requirement Scripts To deploy our certificate using a script, follow [Create a script policy and assign it](https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension#create-a-script-policy-and-assign-it) using the following values. ### “Platform scripts” tab
FieldValue
AddWindows 10 and later
### “Basics” tab
FieldValue
NameA descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”`
DescriptionEnter an optional description for the policy
### “Script Settings” tab
FieldValue
Script locationBrowse to and select Import-PMPCCloudTrustedPublisherCertificate.ps1
Run this script using the logged on credentialsNo
Enforce script signature checkNo
Run script in 64 bit PowerShell HostNo
### “Scope tags” tab Configure as required. ### “Assignments” tab Assign the configuration template to the desired Entra ID group(s). ### “Review + add” tab Double-check everything before clicking **Add**. ## Deploy the Certificate use to sign Patch My PC Helper Scripts To deploy our certificate using a script, follow the [Create a script policy and assign it](https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension#create-a-script-policy-and-assign-it) article using the following values. ### “Platform scripts” tab
FieldValue
AddWindows 10 and later
### “Basics” tab
FieldValue
NameA descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”`
DescriptionEnter an optional description for the policy
### “Script Settings” tab
FieldValue
Script locationBrowse to and select Import-PMPCAppsTrustedPublisherCertificate.ps1
Run this script using the logged on credentialsNo
Enforce script signature checkNo
Run script in 64 bit PowerShell HostNo
### “Scope tags” tab Configure as required. ### “Assignments” tab Assign the configuration template to the desired Entra ID group(s). ### “Review + add” tab Double-check everything before clicking **Add**. ## Post Processing You can see the script being processed by the Intune Management Extension by looking in the **IntuneManagementExtension.log** located at: ``` %ProgramData%\Microsoft\IntuneManagementExtension\Logs ```
“IntuneManagementExtension.log” showing the script being processed by the Intune Management Extension
## Using a proactive remediation To deploy our certificate using a proactive remediation deployment, follow the [Remediations](https://learn.microsoft.com/en-us/mem/intune/fundamentals/remediations) article. The Remediation detection scripts can be found in the following repoistory on GitHub ### 1. Deploy the Certificate use to sign Intune Detection and Requirement Scripts #### “Basics” tab
FieldValue
NameA descriptive name for the policy. E.g. “Patch My PC Cloud Trusted Publisher Certificate”`
DescriptionEnter an optional description for the policy.
PublisherEnter “Patch My PC”
#### “Settings” tab
FieldValue
Detection script fileBrowse to and select PMPCCloudTrustedPublisherCertificate_HealthScript_Detection.ps1
Remediation script fileBrowse to and select Import-PMPCCloudTrustedPublisherCertificate.ps1
Run this script using the logged on credentialsNo
Enforce script signature checkNo
Run script in 64 bit PowerShell HostNo
#### “Scope tags” tab Configure as required. #### “Assignments” tab Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices. #### “Review + create” tab Double-check everything before clicking **Create**. ### 2. Deploy the Certificate use to sign Patch My PC Helper Scripts #### “Basics” tab
FieldValue
NameA descriptive name for the policy. E.g. “Patch My PC Apps Trusted Publisher Certificate”`
DescriptionEnter an optional description for the policy.
PublisherEnter “Patch My PC”
#### “Settings” tab
FieldValue
Detection script fileBrowse to and select PMPCAppsTrustedPublisherCertificate_HealthScript_Detection.ps1
Remediation script fileBrowse to and select Import-PMPCAppsTrustedPublisherCertificate.ps1
Run this script using the logged on credentialsNo
Enforce script signature checkNo
Run script in 64 bit PowerShell HostNo
#### “Scope tags” tab Configure as required. #### “Assignments” tab Assign the configuration template to the desired Entra ID group(s), then configure the frequency you want the Proactive Remediation to be executed on the targeted devices. #### “Review + create” tab Double-check everything before clicking **Create**. #### Post Processing You can see the script being processed by the Intune Management Extension by looking in the **HealthScriptss.log** located at: ``` %ProgramData%\Microsoft\IntuneManagementExtension\Logs ``` Observe the **Proactive Remediation Device Status** blade.
Observing the “Proactive Remediation Device Status” blade.
The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script found the certificate already installed in the local computer’s Trusted Publishers store.
“HealthScripts.log” snippet showing if the pre-remediation (detection) script has found the certificate already installed in the local machine’s Trusted Publishers store.
The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is **1**).
“HealthScripts.log” snippet showing if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store (the Exit code of the script is 1).
The following log snippet shows the **HealthScripts.log** entry if the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is **0**).
“HealthScripts.log” snippet showing the pre-remediation (detection) script did not find the certificate already installed in the local machine’s Trusted Publishers store and the remediation script was run successfully (Exit code of the script is 0).