By Jason Sandys – Sr. Program Manager | Microsoft Endpoint Manager
Two significant actions on Windows devices require code-signing using a trusted, code-signing certificate:
In the case of third-party application updates, the tool used to inject the updates into the WSUS catalog signs the updates using a code-signing certificate that you provide. This signing is strictly required and enforced by Windows.
You must manually sign PowerShell scripts; this is also strictly required and enforced by Windows if the system's execution policy mandates this. See about signing in the PowerShell documentation for more details on script signing and the execution policy. See Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? for a detailed step-by-step of signing a script.
In addition to Windows trusting the code-signing certificate used to sign third-party application updates and PowerShell scripts, the certificate must also exist in the Trusted Publishers certificate store on systems installing the third-party update or running the PowerShell script. Adding a certificate to the Trusted Publishers store for a Windows device using Intune is straightforward but involves a few steps as outlined below.
You need the following three items to add a certificate to the Trusted Publishers store using Intune.
You do not require the private key for the certificate; you only need the private key when signing a file including scripts and third-party updates.
If you do not have a copy of the code-signing certificate, you can extract it from a file previously signed by the certificate using the following steps:
Right-click on the signed file and choose Properties.
Choose the Digital Signatures tab. If this tab does not appear, then the file is not signed.
Choose the appropriate signature from the Signatures list and then press the Details button. Most files will only have a single signature.
In the Digital Signature Details dialog, choose View Certificate.
In the Certificate dialog, choose the Details tab and press Copy to File.
Complete the Certificate Export Wizard to create a CER file containing the certificate. Choose Base-64 encoded X.509 (.CER) for the Export File Format.
Press OK on the three open dialogs.
[Figure: Code-signing certificate dialog boxes]
A certificate's thumbprint is a hash computed over the certificate's encoded bytes (it is not stored inside the certificate itself) that uniquely distinguishes it from other certificates. You can retrieve the thumbprint of a certificate in various ways, including the following:
([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).thumbprint
Get-ChildItem -Path Cert:\CurrentUser\My | Format-List
The base-64 encoded version of a certificate is a string-based representation of the certificate. This version contains the complete certificate but in a more portable format that is not bound to a file. Similar to the thumbprint, you can obtain the base-64 encoded version of a certificate in several ways, including the following:
[System.Convert]::ToBase64String((Get-Item -Path Cert:\CurrentUser\My\<thumbprint>).RawData, 'InsertLineBreaks')
[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')
To add a certificate to the Trusted Publishers store using Intune, use a custom profile and an OMA-URI to apply a setting from the RootCATrustedCertificates CSP.
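The following script is an added example, not part of the original post or of Intune itself: it pulls the signer certificate out of an already signed file (no private key involved), derives the thumbprint and base-64 value described above, round-trips the value to make sure it decodes back to the same certificate, and prints the custom-profile setting. It assumes $SignedFile points at an Authenticode-signed file and that the OMA-URI is the TrustedPublisher/EncodedCertificate node of the RootCATrustedCertificates CSP (the post does not spell out the path; confirm it against the CSP reference before use).

```powershell
# Added example (not from the original post): build the Intune custom-profile
# values for a Trusted Publishers entry from an already signed file.
# Assumptions: $SignedFile is an Authenticode-signed file; the OMA-URI path is
# the TrustedPublisher/EncodedCertificate node of the RootCATrustedCertificates CSP.
param(
    [Parameter(Mandatory)][string]$SignedFile
)

# 1. Read the signature block; the signer's public certificate rides along with it,
#    so the private key is never needed for this step.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) {
    throw "'$SignedFile' carries no Authenticode signature (status: $($sig.Status))."
}
if ($sig.Status -ne 'Valid') {
    # Expected on an admin workstation that does not yet trust the publisher.
    Write-Warning "Signature status on this machine is '$($sig.Status)'; continuing."
}
$cert = $sig.SignerCertificate

# 2. The thumbprint (hash of the DER bytes) names the node under the CSP.
$thumbprint = $cert.Thumbprint

# 3. Base-64 of the DER-encoded certificate; no line breaks, so it is one string value.
$encoded = [System.Convert]::ToBase64String($cert.Export('Cert'))

# 4. Round-trip check: decoding the string must yield the same certificate.
$roundTrip = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [System.Convert]::FromBase64String($encoded))
if ($roundTrip.Thumbprint -ne $thumbprint) {
    throw 'Encoded certificate did not round-trip to the same thumbprint.'
}

# 5. Emit the setting for a device-scoped custom profile.
[pscustomobject]@{
    Subject  = $cert.Subject
    NotAfter = $cert.NotAfter
    OmaUri   = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate"
    DataType = 'String'
    Value    = $encoded
}

# 6. To confirm deployment on a target device, run there (same thumbprint):
#    Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $thumbprint
```

Check NotAfter before deploying: an expired signing certificate in Trusted Publishers does nothing useful and is worth removing from the profile once the signer rotates keys.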
Let us know if you have any additional questions on this by replying back to this post or tagging @JasonSandys or @IntuneSuppTeam out on Twitter.
Post updates:
03/14/22: PowerShell formatting fix to include a parenthesis.