• Welcome to Support Forum: Get Support for Patch My PC Products and Services.

Messages - korebreach

Our change control is so difficult to navigate that having a setup meeting would be difficult.  I'll have a go at it from the documentation as soon as I can get it authorized.  I'll let you know if that changes, or if I get stuck and need additional help :)  Thanks for the info on the documentation!

Oh, and to avoid confusion between which platform (SCCM side or Intune side) is responsible for the 3rd party updates, I have configured the SCCM side to remove the group of workstations from SCCM PMPC patching when moved to our Intune testing group.  That way, I can know for sure that the Intune side is working!

We have an Enterprise Plus subscription, and have had it for a couple of years.  Up until now, we have only been using the "SCCM side" of PMPC.  However, we are transitioning to a co-managed (SCCM+Intune) environment.  For the near future, we are not going to be moving the Software Updates workload (Windows Update for Business Policy) to Intune (for most of our production workstations).  That will stay on SCCM.  We do, however, want to start testing the Intune functionality in PMPC with a small number of workstations where we have moved the Software Updates workload to Intune.

I started looking for the documentation for configuring PMPC to do Intune Applications and Intune Updates.  However, the documentation sections appear to be for "SCCM only" and for "Intune only".  The Intune section says right at the top that it is for an "Intune-only" environment.  We're not Intune-only, and probably won't be for many more years.

Where is the documentation for setting up the Intune functionality for a SCCM+Intune environment?  Is this possible, or do I have to choose one or the other?  Do I use the Intune-only documentation for SCCM+Intune?

We are in the situation where we have an "all purposes" certificate, rather than a "code signing" certificate as our WSUS cert.  This cert is placed in the appropriate stores and was specified for use by PMPC (signing the detection script, etc.).  We knew from articles on these forums that this wasn't going to work, as PMPC requires a true "code signing" certificate.  Because our SCCM environment client settings are configured for "bypass" on PowerShell scripts, this wasn't a problem.  Detection script signing would fail, but it wouldn't matter.  The only evidence of the failures was that our PMPC reports would show, "An error occurred while signing the file, but there is no error message to display."  The report would show that the application creation failed, but it was still present in SCCM.  It just didn't have the detection script signed.

We knew that we needed to get around to fixing this, especially since we are doing initial steps into Intune, and at that point, the detection script signing would be necessary.

However... on June 16th, PMPC released an update to the publishing service, which was installed automatically during a sync.  The release notes show that some functionality was added to re-sign updates, as well as an option to do a registry key related to signing with PowerShell vs. .NET.  None of this seems quite applicable to our situation (using an all-purposes certificate), but for some reason, even without setting any registry key, the signing seems to now be working.  No errors in the publishing logs.  No errors in the reports.

Looking at the publishing logs, I see:

Creating PowerShell detection script.   Worker   6 (0x0006)
Signing C:\Program Files\Patch My PC\Patch My PC Publishing Service\Detection Method Scripts\VLC Media Player 3.0.16 (EXE-x64).ps1 with the code signing certificate [Thumbprint=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX][Store=LocalMachine\WSUS]   CertManager   6 (0x0006)
Signing with Windows native method...   CertManager   6 (0x0006)

So, it appears that the detection scripts are now getting signed.  Is this just a happy undocumented extra bonus?

For other users that may experience this problem, the issue was due to the WSUS certificate we are using.  We currently have an "all purposes" certificate, which in theory includes code-signing.  However, PMPC requires that the certificate is a true code-signing certificate.  This hasn't been a problem in the past because our SCCM client settings for PowerShell scripts are set to "bypass".  We're in the process of updating that certificate to a code-signing one, and re-deploying that certificate in place of our current one via GPO.
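
A way to check which certificates in the WSUS store PowerShell will accept for script signing, added here as an example; it is not part of the original posts and is not PMPC's code. It assumes a "true code-signing certificate" means the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) is present, and the function names are hypothetical. `Set-AuthenticodeSignature` applies PowerShell's own suitability check, which may differ from the method the publishing service uses.

```powershell
# Added example (not PMPC code). Run in an elevated PowerShell session.
# Assumption: a "true code-signing certificate" is one whose Enhanced Key Usage
# extension lists Code Signing (OID 1.3.6.1.5.5.7.3.3).
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'
$StorePath      = 'Cert:\LocalMachine\WSUS'   # store shown in the publishing log

function Get-SigningCertReport {   # hypothetical helper name
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $hasEku = $false
        $oids = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $hasEku = $true
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        }
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            HasEkuExt      = $hasEku      # False = no EKU extension on the certificate
            HasCodeSigning = @($oids) -contains $CodeSigningOid
        }
    }
}

function Test-ScriptSigning {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "$StorePath\$Thumbprint"
    $tmp  = Join-Path $env:TEMP ("sign-test-{0}.ps1" -f [guid]::NewGuid())
    Set-Content -Path $tmp -Value 'Write-Output "signing test"'
    try {
        # Signs a scratch script; fails if PowerShell rejects the certificate.
        $sig = Set-AuthenticodeSignature -FilePath $tmp -Certificate $cert -ErrorAction Stop
        "{0}: {1}" -f $sig.Status, $sig.StatusMessage
    } catch {
        "Signing failed: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

Get-SigningCertReport | Format-Table -AutoSize
# Then test one certificate end to end, using a thumbprint from the table:
# Test-ScriptSigning -Thumbprint '<THUMBPRINT-FROM-TABLE>'
```
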
Yes.  It's still happening when publishing apps to SCCM:

Updating SCCM applications for BoxSync 4.0.8016 (x86)   Worker   6 (0x0006)
Getting file from cache.   Downloader   6 (0x0006)
Starting download for: https://patchmypc.com/scupcatalog/downloads/icons/BoxDrive.png   Downloader   6 (0x0006)
Configured Download Timeout: 15 minutes and 0 seconds   WebClientEx   6 (0x0006)
Creating PowerShell detection script.   Worker   6 (0x0006)
An error occurred while signing the PowerShell detection script, but there is no error message to display.   CertManager   6 (0x0006)
Copying ScriptRunner   Worker   6 (0x0006)
Moving application to Applications\PMPC   Worker   6 (0x0006)
Triggering a RefreshPackageSource for packageID: CAS02C19   Worker   6 (0x0006)
Successfully triggered SCCM package source refresh   Worker   6 (0x0006)
Successfully updated SCCM application:  BoxSync 4.0.8009 (x86) -> BoxSync 4.0.8016 (x86)    Worker   6 (0x0006)

I just did my first test after configuring PMPC to publish applications to SCCM (Base Install).  The applications do get published to SCCM, and a test of deploying one of the applications to my PC worked fine (7-Zip .MSI version).  However, the PMPC publishing service logs show the following error for every application that gets sent to SCCM:

"An error occurred while signing the PowerShell detection script, but there is no error message to display."

I do have the option configured in the Base Install Options to "Code-sign the PowerShell detection method script using the WSUS Signing Certificate".

Since the deployment/installation was a success, should I worry about the error message?