# FAQs
The following table provides answers to frequently asked questions regarding the Intune application.
| Question | Answer |
|---|---|
| Do endpoints need a PowerShell execution policy that allows script execution? | No. Execution permissions are not required for a patch to be installed. For an Intune application, the detection scripts are published with Enforce script signature check and run script silently set to No, so they run regardless of the execution policy set on the endpoint. |
| Do any files need to be excluded from virus scanning on endpoints? | Antimalware settings should exclude the following Intune directories. On x64 client machines: C:\Program Files (x86)\Microsoft Intune Management Extension\Content and C:\windows\IMECache. On x86 client machines: C:\Program Files\Microsoft Intune Management Extension\Content and C:\windows\IMECache. For more details, see https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-troubleshoot |
| Is it possible to deploy the agent via Intune? | Yes, via a feature introduced in the April release of the Patch Daemon (version 5.0.385 and above). |
| What permissions does the Patch Daemon account require? Does it require PowerShell script execution rights? | It requires an account with administrator access to the directory and rights to create new app registrations. It does not require PowerShell execution permissions, because PowerShell is not used when publishing a package to Intune. |
# Patch Daemon
This section includes the following topics:
## Prerequisites
Patch Daemon requires the following prerequisites:
- Software Vulnerability Management Patch Daemon needs RSAT (Remote Server Administration Tools). For Windows 10 version 1809 and below, download it from https://www.microsoft.com/en-us/download/details.aspx?id=45520. For later Windows 10 versions, go to Settings > Optional Features > Add Feature > RSAT: Windows Server Update Services Tools.
- Download the SVM Patch Daemon from https://resources.flexera.com/tools/SVM/SVMClientToolkitInstall.msi
## Publishing a Package from Patch Daemon without Local Administrator Rights
Perform the following steps to publish a package from Patch Daemon without local Administrator rights.
To publish a package from Patch Daemon without local Administrator rights:
- Install the patch daemon and configure it using a local Administrator account, then perform the following steps:
    - Add your Flexera Software Vulnerability Manager Patch Daemon service account user (for example, test_user) to the local Administrators and WSUS Administrators groups on your DC.

      Note: Some security policies do not allow adding users to the local Administrators group, only to WSUS Administrators.
- To resolve permission issues when you cannot add the user to the local Administrators group, configure the following settings on the machine where the patch daemon is installed so that your user can publish a package successfully.
    - Give your service user account Full control over all of the items below, performing every action with an administrative account.
    - Ensure that the test machine contains the WSUS certificate. If it does not, export the certificate from the Trusted Publishers store on the WSUS machine and install it on the test machines in both the Trusted Root Certification Authorities and Trusted Publishers stores.
    - Registry
        - Add permissions for your service account (test_user) on the following registry keys on the test machine where the patch daemon is installed:
            - HKEY_LOCAL_MACHINE\Software\Flexera
            - HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
            - HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
            - HKLM\Software\Microsoft\SystemCertificates\Disallowed
            - HKLM\Software\Microsoft\Update Services\Server\Setup
        - Add permissions for your service account (test_user) on the following registry key on the WSUS machine:
            - HKLM\SOFTWARE\Classes\AppID
                - {8F5D3447-9CCE-455C-BAEF-55D42420143B}

                  You might have to take ownership of this key. The logged-in user that is used to configure all permissions needs Full control of this key; this is required when configuring DCOM permissions. The settings for the currently logged-in user can be changed back once everything is completed.
    - Windows Explorer on the test machine
        - C:\ProgramData\Microsoft\Crypto
        - C:\ProgramData\Flexera Software\SVM Patch
    - Shares and groups
        - The service user account needs to be added to WSUS Administrators.
        - WSUS Administrators need full access (share and NTFS) to the WSUS content location.
    - DCOM (Distributed Component Object Model) on the WSUS machine
        - Open Dcomcnfg, go to Component Services > Computers > My Computer > DCOM Config, and modify the WSUSCertServer security settings:
            - Launch and Activation Permissions: give Local Launch and Local Activation rights to the WSUS Administrators group or your service user.
            - Access Permissions: give Local Access rights to the WSUS Administrators group or your service user.
        - Reboot the machine after changing the DCOM settings.
    - Service logon and publishing
        - Change the service logon user to test_user and restart the service.
        - Once the service has restarted, you can log in to the test machine as your test user and publish patches.

          Note: test_user does not have the privilege to restart the patch daemon service.
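The following PowerShell script is an added example and is not part of the Flexera documentation. Run on the machine where the Patch Daemon is installed, it audits the grants the procedure above requires there (Full control on the listed registry keys and folders, the WSUS certificate in both stores) and confirms the service account has not simply been made a local Administrator; the account name test_user and the certificate thumbprint are assumed values to replace, and the WSUS-side items (AppID key, share permissions, DCOM) must be checked on the WSUS server and are not covered.

```powershell
# Added example (not Flexera's code): audit the least-privilege grants from the
# procedure above on the Patch Daemon machine. Account name and WSUS certificate
# thumbprint are assumed values; replace them for your environment.
param(
    [string]$ServiceAccount     = "$env:COMPUTERNAME\test_user",          # assumption
    [string]$WsusCertThumbprint = '<THUMBPRINT-OF-WSUS-SIGNING-CERT>'     # placeholder
)
# Keys and folders listed above (HKLM:\ is the provider form of HKEY_LOCAL_MACHINE).
$RegistryKeys = @(
    'HKLM:\Software\Flexera',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed',
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed',
    'HKLM:\Software\Microsoft\SystemCertificates\Disallowed',
    'HKLM:\Software\Microsoft\Update Services\Server\Setup'
)
$Folders = @('C:\ProgramData\Microsoft\Crypto', 'C:\ProgramData\Flexera Software\SVM Patch')

function Test-FullControl {
    # True when an Allow ACE granted directly to the account carries FullControl.
    # Rights obtained only through group membership are not resolved here.
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Account) { continue }
        # Registry ACEs expose RegistryRights, file ACEs FileSystemRights; both
        # render the full-control mask as the word 'FullControl'.
        $rights = $ace.RegistryRights
        if ($null -eq $rights) { $rights = $ace.FileSystemRights }
        if (($rights.ToString() -split ',\s*') -contains 'FullControl') { return $true }
    }
    return $false
}

function Test-WsusCertInstalled {
    # The procedure requires the WSUS signing certificate in both of these stores.
    param([string]$Thumbprint)
    foreach ($store in 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\LocalMachine\Root') {
        if (-not (Get-ChildItem -Path $store | Where-Object Thumbprint -eq $Thumbprint)) { return $false }
    }
    return $true
}

$results = [ordered]@{}
foreach ($p in $RegistryKeys + $Folders) { $results["Full control on $p"] = Test-FullControl -Path $p -Account $ServiceAccount }
$results['WSUS certificate in Trusted Publishers and Trusted Root'] = Test-WsusCertInstalled -Thumbprint $WsusCertThumbprint
$results['Service account is not a local Administrator'] = -not (Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $ServiceAccount)
$results.GetEnumerator() | ForEach-Object { '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key }
```

Run it from an elevated PowerShell session, since reading the ACLs on the Disallowed and Update Services keys requires administrative rights; a FAIL on the certificate line is expected until the placeholder thumbprint is replaced.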