Permissions
Applies to: Patch My PC Publisher
ConfigMgr Security Role
The Publisher can create, manage, update and delete applications in ConfigMgr as well as perform other functions like triggering a Software Update Point (SUP) sync. The following permissions are required in ConfigMgr to accomplish these tasks:
Application: Read, Modify, Delete, Set Security Scope, Create, Move Object, Modify Folder
Distribution Point: Read, Copy to Distribution Point
Distribution Point Group: Read, Copy to Distribution Point Group
Folder Class: Read, Modify, Create
Security Scopes: Read
Site: Read
Software Updates: Read, Modify

The PatchMyPCService, shown in the image above, will run in the SYSTEM context by default. If the Publisher is installed on the ConfigMgr Site Server, no further consideration is required as the SYSTEM account already has the access it requires. If Patch My PC Publisher is being installed on a remote server, the Computer$ account of that server will need the permissions outlined above.
Note
During a scheduled sync, these operations are performed under the context of the Logon account specified on the PatchMyPCService. By default, this will be SYSTEM. Tasks performed manually in the Publisher will be performed under the context of the currently logged on user.
More details can be found in the following KB, including how to create a custom Security Role to grant these permissions.
Content Source Folder
To create, manage and update third-party application content in ConfigMgr, the Publisher will need at least Modify permission on both the SMB share and NTFS folder that you specify as the Source Folder during configuration.

Connections to the application source UNC path are performed using the computer account of the server because the Publisher service runs in the SYSTEM context. This applies whether content is being created, updated, or cleaned up. Because of this, the computer account must be granted the appropriate permissions at both the SMB share level and the NTFS folder level.
The minimum required permission is Modify. This allows the Publisher to create folders, write application content, update files during application revisions, and remove content when applications are deleted.
In this example, the Publisher is installed on BB-CM1, and the application source folder is hosted on BB-APP1. Because the Publisher accesses the content over SMB, all file operations authenticate as BB-CM1$.
To ensure application creation and management works correctly, BB-CM1$ must be granted Modify permissions on the SMB share and the underlying NTFS folder on BB-APP1. Without these permissions, application creation, updates, or cleanup operations will fail.
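One way to grant and then verify these permissions on BB-APP1, as an added example rather than Patch My PC's own script. The domain name, share name and local path are placeholders to replace with your own; SMB shares have no right named Modify, so the share-level equivalent, Change, is used.

```powershell
# Added example. Run in an elevated PowerShell session on the file server
# (BB-APP1 in the page's example).
# Assumptions, not from the page: domain, share name and local path are placeholders.
$Account   = 'YOURDOMAIN\BB-CM1$'   # computer account of the Publisher server
$ShareName = 'PMPCSource'           # placeholder share name
$Path      = 'D:\PMPCSource'        # placeholder local path behind the share

# Share level: "Change" is the SMB equivalent of NTFS Modify.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
    -AccessRight Change -Force | Out-Null

# NTFS level: Modify, inherited by all subfolders and files, granted only
# to the computer account instead of a broad group.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify both layers: the more restrictive of the two is what applies over SMB.
$shareOk = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccountName -eq $Account -and
    "$($_.AccessControlType)" -eq 'Allow' -and
    "$($_.AccessRight)" -in 'Change', 'Full'
}

$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$ntfsOk = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    "$($_.AccessControlType)" -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
}

[pscustomobject]@{
    Account     = $Account
    ShareChange = [bool]$shareOk
    NtfsModify  = [bool]$ntfsOk
}

# Review the full share ACL for entries broader than intended.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
```

The verification only matches entries granted directly to the computer account; access inherited through a group membership is not reported as present.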

Note
The Publisher automatically creates a root Applications folder in the configured UNC source path. The name of this folder is not configurable.
All application content generated by the Publisher is stored beneath this folder, with vendor and product specific subdirectories created automatically as applications are published.

Tip
Each application version is stored in its own UniqueID folder. This results in multiple UniqueID folders under a single application folder, allowing the Publisher to track individual application versions and manage application lifecycles correctly.
Application content is stored using the following structure: SourceFolder\Applications\Vendor\Application\UniqueID
When application retention is enabled, retained application content UniqueID folders are moved into a Retained Apps folder under SourceFolder\Applications\Vendor\Application.
Important
The Applications folder structure is critical to Publisher operations. The Publisher evaluates both the ConfigMgr database object and the corresponding content directories when making decisions about application retention, upgrades, and lifecycle management.
Manually modifying, moving, or deleting folders within this structure can cause inconsistencies between ConfigMgr and the content source, which may lead to unexpected behavior or management issues later.
For more information, see: Connection and Source Options.