Forum Discussion
Untrusted Certificate when installing Microsoft Edge
PaulKlerkx The PowerShell script cert chains to the "Microsoft Code Signing PCA 2011" cert, which in turn chains to the "Microsoft Root Certificate Authority 2011" cert. Both of these should be present on a Windows system, in the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" stores respectively. If they aren't there on your systems, I guess they were removed for some reason. If they are there, make sure the PowerShell execution policy isn't set to Restricted in your ConfigMgr client settings.
Michiel Overweel - We have the "Microsoft Root Certificate Authority 2011" cert in Trusted Root Certification Authorities, however we don't have the "Microsoft Code Signing PCA 2011" anywhere. Under Trusted Publishers, we only have our in-house code signing certs listed. I did a search for all certs issued by and issued to Microsoft and it definitely isn't on our Windows 10 machines, which are on May/June 2020 update level. The only code signing certs from MS we have are for "Microsoft Windows Hardware compatibility" and "Symantec Enterprise Mobile Root for Microsoft".
I checked our SOE build, a fresh build of Windows 10 Enterprise and my personal Windows 10 Home, and the cert isn't on any of them. Any idea where I can get it from?
- PaulKlerkx, Jun 24, 2020, Iron Contributor
Forgot to mention:
Win 10 Enterprise was 1909, our SOE is 1809 and Home version is 1909, in case it was only made part of a particular Win10 build.
- PaulKlerkx, Jun 24, 2020, Iron Contributor
Also verified not in Intermediate CA.
- Michiel Overweel, Jun 24, 2020, Iron Contributor
PaulKlerkx I ran a quick test in my lab environment, and it appears that the "Microsoft Code Signing PCA 2011" certificate is added to the Intermediate Certification Authorities on the system where the ConfigMgr console was used to create the Edge application. In my environment, this hasn't caused any issues, but application installation policies might be a bit more strict in yours.
What I'd try next is: export the certificate on the ConfigMgr console computer, and then import that into a GPO so it can be distributed to all ConfigMgr client computers. You could probably do the same using ConfigMgr Certificate Profiles. Good luck!
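
The check and export discussed in this thread, as an added PowerShell example that is not part of any poster's reply: it builds the signing chain of a signed script, reports whether each CA certificate in that chain is in the expected LocalMachine store, and can export the intermediates as .cer files. `$ScriptPath` and `$ExportDir` are placeholders; the thread does not give the script's location.

```powershell
# Added example, not from the thread. $ScriptPath and $ExportDir are placeholders.
param(
    [Parameter(Mandatory)] [string] $ScriptPath,  # signed .ps1 to inspect
    [string] $ExportDir                           # optional: folder for exported CA certs
)

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $ScriptPath" }
Write-Host "Signature status: $($sig.Status) ($($sig.StatusMessage))"

# Build the chain from the signer certificate; skip revocation so this works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($sig.SignerCertificate)
Write-Host "Chain builds    : $built"
$chain.ChainStatus | ForEach-Object { Write-Host "  chain status  : $($_.Status)" }

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($cert.Thumbprint -eq $sig.SignerCertificate.Thumbprint) { continue }  # skip the leaf

    # Self-signed certificates belong in Trusted Root Certification Authorities (Root),
    # everything else in Intermediate Certification Authorities (CA).
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $present = [bool](Get-ChildItem "Cert:\LocalMachine\$storeName" |
        Where-Object Thumbprint -eq $cert.Thumbprint)

    [pscustomobject]@{
        Subject    = $cert.GetNameInfo('SimpleName', $false)
        Thumbprint = $cert.Thumbprint
        Store      = "LocalMachine\$storeName"
        Present    = $present
    }

    # On a machine that has the intermediate, write it out as a .cer for distribution.
    if ($ExportDir -and $storeName -eq 'CA') {
        $file = Join-Path $ExportDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
        Write-Host "  exported to $file"
    }
}
```

Running it on an affected client and on the ConfigMgr console computer shows which store entry differs between the two. On a single test client, an exported file can be imported with `Import-Certificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\CA` before rolling it out more widely.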