How to Add a Certificate to the Trusted Publisher Store using Intune
Updated: Jan 5
Step 1: Grab the Certificate's Thumbprint
You will need the thumbprint of the signing certificate later on. To retrieve it, follow the steps below:
Locate the certificate. It may be an exported file saved on a computer or server, or it may sit in the current user's personal certificate store in Certificate Manager.
Double-click the certificate and select the Details tab.
Select Thumbprint and copy the value; save it for later. If the dialog shows the value with spaces between the hex pairs, remove them so you have one contiguous 40-character hexadecimal string; that is the form the OMA-URI in Step 3 expects.
Step 2: Grab the Base64 Contents of the Certificate
Currently, you cannot upload a CER file to Intune. Instead, you must convert the certificate to the Base64 format and copy its contents to upload to Intune.
Use Certificate Manager and Notepad++
Open the User Certificate Manager and expand the personal certificate store.
Right-click the certificate and select All Tasks > Export.
Go through the export wizard; select Base-64 encoded X.509 (.CER) on the format page.
Once the certificate has been exported, right-click on it and select Edit with Notepad++.
Ensure that Word Wrap and Show All Characters are toggled on.
If you see the CR and LF characters, then follow the steps below to remove them:
Select Search > Replace
Find what: \r\n
Replace with: leave blank
Ensure Wrap Around is selected.
Ensure Extended is selected under the Search Mode.
Select Replace All.
All of the line breaks should be removed now.
Copy only the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Don't copy the dashes. You'll need this content for Step 3 below.
Step 3: Create the Configuration Profile in Intune
Now that we have all the necessary data, we can create the custom configuration profile to deploy the certificate to the devices' Trusted Publishers certificate store.
Launch Intune.
Select Devices > Windows > Configuration.
Select + Create > + New Policy.
Under Profile Type, select Templates > Custom.
Select Create.
Add a Name and optionally a Description.
Under the Configuration Settings tab, select Add.
Name: enter whatever you'd like for the name.
Description: optionally, describe the purpose of this OMA-URI setting.
OMA-URI: copy and paste the value below; replace insert_thumbprint with the value copied from Step 1.
./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/insert_thumbprint/EncodedCertificate
Data Type: String
Value: paste the value from Step 2.
Select Save then select Next.
Add the appropriate user/device assignment.
Configure applicability rules if necessary.
Review and Create the profile.
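The three steps above combined into one script, as an added example that is not part of the original post. It assumes a -Path parameter pointing either at a .cer file or at an Authenticode-signed file, and it prints the thumbprint, the OMA-URI and the single-line Base64 value ready to paste into the custom profile.

```powershell
# Added example (not from the original post): produce the Step 1-3 inputs in one go.
# -Path is an assumed parameter: a .cer/.crt file (DER or Base64), or any
# Authenticode-signed file whose signer certificate should be trusted.
param(
    [Parameter(Mandatory)][string]$Path
)
if ([System.IO.Path]::GetExtension($Path).ToLowerInvariant() -in @('.cer', '.crt')) {
    # The X509Certificate2 constructor accepts both DER and Base64-encoded .cer files
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
} else {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on '$Path' (status: $($sig.Status))."
    }
    if ($sig.Status -ne 'Valid') {
        # Chain or timestamp problems on this machine; the signer certificate is still usable
        Write-Warning "Signature status is '$($sig.Status)'; verify the signer before deploying."
    }
    $cert = $sig.SignerCertificate
}

# Step 1: .NET returns the SHA-1 thumbprint as uppercase hex with no spaces,
# which is exactly the node name the OMA-URI needs.
$thumbprint = $cert.Thumbprint

# Step 2: export only the certificate (no private key) and Base64-encode the DER
# bytes. ToBase64String without InsertLineBreaks yields a single line, so the
# CR/LF cleanup from the Notepad++ step is not needed.
$base64 = [System.Convert]::ToBase64String($cert.Export('Cert'))

# Step 3: the OMA-URI for the device-scope Trusted Publishers store.
$omaUri = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate"

# Sanity checks: the thumbprint really is SHA-1 over the DER bytes, and the
# Base64 value decodes back to the same certificate.
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$computed = -join ($sha1.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
if ($computed -ne $thumbprint) { throw "Thumbprint mismatch: $computed vs $thumbprint" }
$roundTrip = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($base64))
if ($roundTrip.Thumbprint -ne $thumbprint) { throw "Base64 value does not decode to the same certificate." }

# Emit the values to paste into the custom profile (Data Type: String).
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $thumbprint
    OmaUri     = $omaUri
    Value      = $base64
}
```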
Cover picture provided by Freepik
Hi, nicely described. The 2nd step could be simplified by using the following PowerShell script:

## Grab the Authenticode signature from the DLL
$signature = Get-AuthenticodeSignature -FilePath "PATH TO .dll FILE"

## Extract the signer certificate
$certificate = $signature.SignerCertificate

## Export the certificate (DER, no private key) and capture it as Base64 (a single line, no CR/LF)
$base64Cert = [System.Convert]::ToBase64String($certificate.Export('Cert'))
Write-Output $base64Cert

## Output the thumbprint
Write-Output $certificate.Thumbprint

You then just need to copy the well-formatted content. Kudos to Fixing Issues with Add-ins & Office Apps Security Baselines