
Intune Win32 Application Failed to install: Powershell script is failed to execute

Intune applications created by Patch My PC may give the error Failed to install in some scenarios if the code-signing certificate used to sign the PowerShell detection method script isn’t trusted on the client device.


Determine if You are Affected

If affected, you will see the error Failed to install in Company Portal if the application assignment is available. In some cases, the application may actually be installed successfully, as shown below.

Intune Application Failed to Install Powershell script is failed to execute

If you review the Intune Management Extension log file AgentExecutor.log, you will see errors similar to the following:

Powershell script is failed to execute
write output done. output = , error = File C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\<GUID>.ps1 cannot be loaded. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : UnauthorizedAccess

This error occurs when the option Digitally sign the detection method script and enforce signature checking on the application in Intune is enabled but the code-signing certificate has not been deployed to the Trusted Root and Trusted Publishers certificate stores on the client.

Intune Application Options

Resolution: Deploy the Code-Signing Certificate to Client Devices

We will deploy the code-signing certificate with a PowerShell script, which will not be signed, deployed as a script in Intune. Below is a step-by-step guide showing how an Intune script can be created using the script attached here. Additionally, there are steps to help gather the required information.

Gathering Info

The script itself will need to be edited with your specific thumbprint and Base64-encoded certificate string. The function contained within the script discusses how to gather these values, but I’ll also note them below. Also, if you are comfortable with Configuration Items within Configuration Manager, you can simply grab the script, adjust it for your environment, and deploy away!

  • Certificate Thumbprint:
    • Within the properties of your code-signing certificate, go to the Details tab and scroll down to the Thumbprint field. This thumbprint will help us uniquely identify the certificate.
      •  certificate properties, details, thumbprint field
    • This can also be copied out of the Patch My PC Publisher, as shown below.
      • General Tab, Show Certificate, Thumbprint field
  • Base64 Encoded Certificate String: This can be acquired in a handful of ways, but a simple way is to get a copy of the certificate as a file and run a PowerShell command similar to the one below.
    • Set-Clipboard -Value ([System.Convert]::ToBase64String((Get-Content -Path .\ExportedCert.cer -Encoding Byte)))

Step 1: Create a New Script

Make a local copy of the script attached here and ensure you edit the script based on the information you gathered above. We will later upload this .ps1 file to Intune.

Navigate to Intune and locate the Scripts node under Devices.

 Intune \ Devices \ Scripts

Within this node, you can Add a new Windows 10 script.

Add Script - Windows 10

Basic information can be input for the Name and Description.

We now will make sure our local copy of the script has been edited for our environment.

  1. Ensure $Remediate = $true
  2. Set $CodeSigningCertificateThumbprint to your thumbprint gathered earlier.
  3. Set $EncodedCertString to the Base64 string representation of your code signing certificate gathered earlier.
  4. Save the script!

With our script updated and saved we can:

  1. Upload it to Intune
  2. Ensure we set ‘Run script in 64 bit PowerShell Host’

Note: It is important that you do not ‘Enforce script signature check’ on this script. We are deploying this script to ensure we can enforce signature checking on other scripts.
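The following is an added example of the check-and-import logic such a script needs; it is not the Patch My PC script attached above. It reuses the three variable names from the steps above with placeholder values you must replace, and the thumbprint comparison before import is this example's own safeguard so that only the intended certificate is ever added to the trust stores.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Variable names come from the steps above; both string values are placeholders.
$Remediate = $true
$CodeSigningCertificateThumbprint = '<THUMBPRINT-PLACEHOLDER>'
$EncodedCertString = '<BASE64-CERTIFICATE-PLACEHOLDER>'

# Thumbprints copied from the certificate dialog can carry spaces or
# invisible characters, so keep only the hex digits before comparing.
$thumb = ($CodeSigningCertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw 'Thumbprint must be 40 hex characters (SHA-1).' }

# Decode the certificate and refuse to trust it unless it is the expected one.
[byte[]]$raw = [Convert]::FromBase64String($EncodedCertString)
$cert = [X509Certificate2]::new($raw)
if ($cert.Thumbprint -ne $thumb) {
    throw "Encoded certificate thumbprint $($cert.Thumbprint) does not match $thumb."
}

# Read-only when only checking; read-write needs an elevated or SYSTEM context.
$flags = if ($Remediate) { [OpenFlags]::ReadWrite } else { [OpenFlags]::ReadOnly }
$missing = 0

# The two LocalMachine stores this article says the certificate must be in.
foreach ($name in [StoreName]::Root, [StoreName]::TrustedPublisher) {
    $store = [X509Store]::new($name, [StoreLocation]::LocalMachine)
    try {
        $store.Open($flags)
        $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $thumb, $false)
        $present = $found.Count -gt 0
        if (-not $present -and $Remediate) {
            $store.Add($cert)
            $present = $true
            Write-Output "Added $thumb to LocalMachine\$name"
        }
        if (-not $present) { $missing++ }
    }
    finally { $store.Close() }
}

if ($missing -gt 0) {
    Write-Output "Certificate $thumb is missing from $missing store(s)."
} else {
    Write-Output "Certificate $thumb is present in Root and TrustedPublisher."
}
```

Setting $Remediate to $false turns the same code into a read-only audit of both stores.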

Step 2: Assign the Script

With all the above steps complete we can assign our script! The target of the assignment is up to you, but in our case, we will target all devices.

Assign To All Devices