How to Add a Certificate to the Trusted Publisher Store using Intune
- Gareth Oxendine
- Oct 29, 2024
- 3 min read
Updated: Mar 10
SUMMARY: |
You may need to deploy your own or a third-party's public certificate to the trusted publisher's store of all Windows devices in your environment. Perhaps you are deploying signed applications, patches, or scripts. To prevent the Do you want to run software from this untrusted publisher? message from appearing, you can use Intune to deploy the publisher's certificate to the Trusted Publishers store of your Windows devices. |
Table of Contents
Step 1: Grab the Certificate's Thumbprint
You will need the thumbprint of the signing certificate later on. To retrieve it, follow the steps below:
Locate the certificate. It may be exported and saved on a computer, server, or in the current user's personal certificate store in the Certificate Manager.
Double-click the certificate and select the Details tab.
Select Thumbprint and copy the value; save it for later.
Step 2: Grab the Base64 Contents of the Certificate
Currently, you cannot upload a CER file to Intune. Instead, you must convert the certificate to the Base64 format and copy its contents to upload to Intune.
NOTE: |
I recommend using the application, Notepad++, to edit the contents of the converted Base64 certificate. Notepad++ simplifies the process needed for deploying CER certificates using Intune. |
Use the Certificate Manager and Notepad ++
Open the User Certificate Manager and expand the personal certificate store.
Right-click the certificate and select All Tasks > Export.
Go through the export wizard; select Base-64 encoded X.509 (.CER) on the format page.
Once the certificate has been exported, right-click on it and select Edit with Notepad++.
Ensure that Word Wrap and Show All Characters are toggled on.
If you see the CR and LF characters, then follow the steps below to remove them:
Select Search > Replace
Find what: \r\n
Replace with: leave blank
Ensure Wrap Around is selected.
Ensure Extended is selected under the Search Mode.
Select Replace All.
All of the line breaks should be removed now.
Copy only the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Don't copy the dashes. You'll need this content for Step 3 below.
Step 3: Create the Configuration Profile in Intune
Now that we have all the necessary data, we can create the custom configuration profile to deploy the certificate to the devices' Trusted Publishers certificate store.
NOTE: |
This configuration profile will deploy the certificate to the local machine's certificate store, meaning that all users of the targeted devices will be able to use the certificate to verify the publisher's signature. According to Microsoft, certificates deployed to the local machine's trusted publisher store are global to all users on the computer and will also be installed under the current user's trusted publisher store. |
Launch Intune.
Select Devices > Windows > Configuration.
Select + Create > + New Policy.
Under Profile Type, select Templates > Custom.
Select Create.
Add a Name and optionally a Description.
Under the Configuration Settings tab, select Add.
Name: enter whatever you'd like for the name.
Description: optionally, describe the purpose of this OMA-URI setting.
OMA-URI: copy and paste the value below; replace insert_thumbprint with the value copied from Step 1.
./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/insert_thumbprint/EncodedCertificateData Type: String
Value: paste the value from Step 2.
TIP: |
To learn what OMA-URIs are and how Intune uses them in custom configuration profiles, click the link below: What are OMA-URIs and CSPs in Intune? |
Cover picture provided by Freepik