Automated Application Management for Microsoft Endpoint Manager

Simplify third-party application management

Knowledge Base ArticlesRequest Trial

Permissions Required in SCCM for Base Installations from Patch My PC

When enabling the base installation feature as shown below in our Publisher, it’s important to understand what permissions are required in SCCM.

SCCM Application Options

Topics covered in this article:

Automatically Create the Configuration manager Security Role for the Patch My PC Publisher

In build 1.8.6 or newer, the Publisher can automatically create the Security role with the minimum permissions for you.

Auto create ConfigMgr security role for Patch My PC

After the security role is created, you will need to assign the computer account of the server running the publisher to it.

Assign ConfigMgr Security Role

Manually Create the Configuration manager Security Role for the Patch My PC Publisher

When we create installation packages and distribute then we will need the following permissions in SCCM.

  • Application: Read, Modify, Delete, Create
  • Distribution Point: Read, Copy to Distribution Point
  • Distribution Point Group: Read, Copy to Distribution Point Group
  • Folder Class: Read, Modify, Create
  • Package: Read, Modify, Delete, Create
  • Site: Read
  • Software Updates: Read, Modify

We will need to be able to create, modify, delete, and distribution packages within SCCM. By default, we attempt these actions using the computer account of the server the publishing service is running.

You can download our pre-created security role named “Patch My PC – Base Installations“. Once imported, you will then need to add the computer account as a new Administrative User and assign this new security role. Be sure to select “All instances of the objects that are related to the assigned security roles” to prevent potential issues with scoping.

If you prefer, you can configure an impersonation account to use rather than the computer account of the server in the base install options.