
How to Add a Certificate to the Trusted Publisher Store using Intune

Gareth Oxendine

Updated: Feb 1

SUMMARY:

You may need to deploy your own or a third party's public certificate to the Trusted Publishers store of every Windows device in your environment, for example because you are deploying signed applications, patches, or scripts. To stop the "Do you want to run software from this untrusted publisher?" prompt from appearing, you can use Intune to deploy the publisher's certificate to the Trusted Publishers store of your Windows devices. Only the public certificate (.cer) is deployed; the signer's private key never leaves the signer. Keep in mind what this trust means: once the certificate is in the store, anything signed with that publisher's key runs on every targeted device without the prompt, so confirm the certificate's subject and issuer before you deploy it, and plan to remove the profile if the signing key is ever revoked or compromised.

Step 1: Grab the Certificate's Thumbprint

You will need the thumbprint of the signing certificate later on. To retrieve it, follow the steps below:


  1. Locate the certificate. It may be exported and saved on a computer, server, or in the current user's personal certificate store in the Certificate Manager.

  2. Double-click the certificate and select the Details tab.

  3. Select Thumbprint and copy the value; save it for later. The thumbprint is the SHA-1 hash of the certificate, shown as 40 hexadecimal characters. Remove any spaces before you use it in Step 3, and paste it into a plain text editor first to make sure no hidden characters were copied along with it from the dialog.

    Viewing the thumbprint of a certificate.

Step 2: Grab the Base64 Contents of the Certificate

Intune's built-in Trusted certificate profile only targets the Trusted Root and Intermediate stores, so for the Trusted Publishers store you use a custom OMA-URI profile, and a custom profile takes the certificate as a Base64 string rather than as an uploaded CER file. You therefore export the certificate in Base64 format and copy its contents to paste into Intune.

NOTE:

I recommend using Notepad++ to edit the exported Base64 certificate; it simplifies the cleanup needed before a CER's contents can be pasted into Intune.

Download Notepad++

Use the Certificate Manager and Notepad++

  • Open the User Certificate Manager and expand the personal certificate store.

  • Right-click the certificate and select All Tasks > Export.

  • Go through the export wizard; select Base-64 encoded X.509 (.CER) on the format page.

    Exporting the public certificate in Base-64 encoded X.509 format.

  • Once the certificate has been exported, right-click on it and select Edit with Notepad++.

  • Ensure that Word Wrap and Show All Characters are toggled on.

    Using Notepad++ to view the contents of a Base-64 encoded certificate.

  • The export wizard wraps the Base64 text at 64 characters per line, but the Intune value must be a single line. If you see CR and LF characters at the end of each line, follow the steps below to remove them:

    • Select Search > Replace

    • Find what: \r\n

    • Replace with: leave blank

    • Ensure Wrap Around is selected.

    • Ensure Extended is selected under the Search Mode.

    • Select Replace All.

    Using Notepad++ to search for and replace EOL segments.

  • All of the line breaks should be removed now.

  • Copy only the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Don't copy the dashes. You'll need this content for Step 3 below.
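Steps 1 and 2 can be done in one go from PowerShell. The script below is an added example and is not part of the original post: it loads the certificate from a .cer file or pulls the leaf signing certificate out of a signed file's Authenticode signature, recomputes the thumbprint from the DER bytes so you know the OMA-URI path and the uploaded value describe the same certificate, and emits the Base64 as a single line (no CR/LF to strip). The script name, the -Path parameter and the paths you pass are placeholders; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
<#
  Get-TrustedPublisherValues.ps1 (hypothetical name; added example, not from the original post)
  Produces the thumbprint (Step 1), the single-line Base64 certificate (Step 2) and the
  finished OMA-URI (Step 3) from either a certificate file (.cer/.crt, DER or Base64)
  or a signed file (.exe/.dll/.ps1/.msi).
  Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; -Path is a placeholder.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

if ($ext -in '.cer', '.crt', '.der', '.pem') {
    # The X509Certificate2 constructor reads both DER and Base64 (PEM) encoded certificate files.
    $cert = $x509::new((Resolve-Path $Path).Path)
} else {
    # For a signed binary or script, take the leaf signing certificate from the Authenticode signature.
    # SignerCertificate is populated whenever a signature is present, even if the publisher is not trusted yet.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on '$Path' (status: $($sig.Status))."
    }
    $cert = $sig.SignerCertificate
}

# Step 1: the thumbprint is the SHA-1 hash of the DER-encoded certificate as 40 uppercase hex digits.
# Recompute it from the raw bytes so the value in the OMA-URI provably matches the bytes we upload.
$sha1     = [System.Security.Cryptography.SHA1]::Create()
$computed = -join ($sha1.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
if ($computed -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch: Windows reports $($cert.Thumbprint) but SHA-1 of the DER bytes is $computed."
}

# Step 2: Base64 of the DER public certificate (no private key) as ONE line.
# ToBase64String without the InsertLineBreaks option never emits CR/LF, so no editor cleanup is needed.
$der    = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64 = [Convert]::ToBase64String($der)

# Look at who you are about to trust machine-wide before pasting anything into Intune.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

$result = [pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    OmaUri     = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($cert.Thumbprint)/EncodedCertificate"
    Value      = $base64
}
$result | Format-List

# Put the Value on the clipboard, ready to paste into the Intune 'Value' field.
Set-Clipboard -Value $base64
```

Run it as `.\Get-TrustedPublisherValues.ps1 -Path C:\path\to\publisher.cer` (or point it at a signed .dll or .ps1). The Subject and Issuer in the output are the identity you are about to trust on every targeted device; check them against what you expect before you create the profile.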


Step 3: Create the Configuration Profile in Intune

Now that we have all the necessary data, we can create the custom configuration profile to deploy the certificate to the devices' Trusted Publishers certificate store.

NOTE:

This configuration profile will deploy the certificate to the local machine's certificate store, meaning that all users of the targeted devices will be able to use the certificate to verify the publisher's signature.

According to Microsoft, certificates deployed to the local machine's trusted publisher store are global to all users on the computer and will also be installed under the current user's trusted publisher store.

Creating a Windows custom configuration profile in Intune.

  • Launch Intune.

  • Select Devices > Windows > Configuration.

  • Select + Create > + New Policy.

  • Under Profile Type, select Templates > Custom.

  • Select Create.

  • Add a Name and optionally a Description.


Adding an OMA-URI row in a custom configuration profile in Intune.
  • Under the Configuration Settings tab, select Add.

    • Name: enter whatever you'd like for the name.

    • Description: optionally, describe the purpose of this OMA-URI setting.

    • OMA-URI: copy and paste the value below; replace insert_thumbprint with the 40-character thumbprint copied in Step 1 (no spaces).

./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/insert_thumbprint/EncodedCertificate
  • Data Type: String

  • Value: paste the value from Step 2.

  • Select Save then select Next.

  • Add the appropriate user/device assignment, configure applicability rules if necessary, and review and create the profile.

TIP:

To learn what OMA-URIs are and how Intune uses them in custom configuration profiles, click the link below: What are OMA-URIs and CSPs in Intune?
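Once the profile has applied, you will want to confirm on a targeted device that the certificate actually landed where the ./Device OMA-URI writes and that Windows now treats the publisher as trusted. The script below is an added example and is not part of the original post: it normalises the thumbprint the way the store compares it, looks the certificate up in the machine and user Trusted Publishers stores, checks that the same certificate is not also sitting in the Untrusted Certificates (Disallowed) store, which would override the trust, and optionally confirms that a file signed by the publisher is signed with exactly this certificate. The script name, the -Thumbprint and -SignedFile parameters and the sample paths are placeholders.

```powershell
<#
  Test-TrustedPublisherDeployment.ps1 (hypothetical name; added example, not from the original post)
  Run on a device that received the Intune profile.
  Assumptions: -Thumbprint is the value used in the OMA-URI; -SignedFile is a placeholder path
  to a file signed by the publisher; Windows PowerShell 5.1 or PowerShell 7 on Windows.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [string]$SignedFile
)

# Normalise: certmgr may show the thumbprint with spaces; the store holds 40 uppercase hex characters.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($Thumbprint.Length) characters."
}

function Find-CertInStore {
    param([string]$StorePath, [string]$Thumb)
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumb }
}

# The ./Device/... OMA-URI writes to the local machine store; the post notes the entry is
# then visible in the current user's store as well.
$machine    = Find-CertInStore 'Cert:\LocalMachine\TrustedPublisher' $Thumbprint
$user       = Find-CertInStore 'Cert:\CurrentUser\TrustedPublisher'  $Thumbprint
# An entry in Untrusted Certificates (Disallowed) blocks the certificate regardless of other stores.
$disallowed = Find-CertInStore 'Cert:\LocalMachine\Disallowed'       $Thumbprint

$checks = [ordered]@{
    InMachineTrustedPublisher = [bool]$machine
    InUserTrustedPublisher    = [bool]$user
    BlockedByDisallowedStore  = [bool]$disallowed
}
if ($machine) {
    $checks.Subject  = $machine.Subject
    $checks.NotAfter = $machine.NotAfter
}

if ($SignedFile) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    # Status reflects chain validity, not Trusted Publishers membership: a file can be 'Valid' and still prompt.
    # The untrusted-publisher prompt is keyed to the leaf signer, so compare its thumbprint with the deployed one.
    $checks.SignatureStatus  = $sig.Status.ToString()
    $checks.SignedByThisCert = ($null -ne $sig.SignerCertificate) -and
                               ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

$checks.PublisherTrusted = $checks.InMachineTrustedPublisher -and -not $checks.BlockedByDisallowedStore
[pscustomobject]$checks
```

Run it as `.\Test-TrustedPublisherDeployment.ps1 -Thumbprint <value from Step 1> -SignedFile C:\path\to\signed.ps1`. If InMachineTrustedPublisher is false some time after the device last synced, the profile did not apply; check the profile's assignment and the device's per-setting status in Intune, and recheck that the thumbprint in the OMA-URI and the Base64 value describe the same certificate.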





Cover picture provided by Freepik

2 comments


Sebastian Schlabs
26 Nov 2024

Hi, nicely described. The 2nd step could be simplified by using the following PowerShell script:

    ## Grab the signature from the DLL
    $signature = Get-AuthenticodeSignature -FilePath "PATH TO .dll FILE"

    ## Extract the certificate (the leaf signing certificate)
    $certificate = $signature.SignerCertificate

    ## Capture the Base64 (DER-encoded public certificate, single line) and output it
    $base64Cert = [System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)).Export('Cert'))
    Write-Output $base64Cert

    ## Output the thumbprint
    Write-Output $certificate.Thumbprint

You then just need to copy the well formatted content. Kudos to Fixing Issues with Add-ins & Office Apps Security Baselines

Gareth Oxendine
30 Nov 2024
Replying to Sebastian Schlabs

Hi Sebastian,

Appreciate the feedback! PowerShell for the win :)

© 2024 by DMTT. Powered and secured by Wix
