Adding a Certificate to Trusted Publishers using Intune

Published Dec 10 2020 09:15 AM

By Jason Sandys – Sr. Program Manager | Microsoft Endpoint Manager

 

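Two significant actions on Windows devices require code-signing using a trusted, code-signing certificate:

  • Third-party application update installation (for updates injected into the WSUS catalog by tools like System Center Updates Publisher or the native third-party updates feature in Microsoft Endpoint Configuration Manager)
  • Running a PowerShell script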

In the case of third-party application updates, the tool used to inject the updates into the WSUS catalog signs the updates using a code-signing certificate that you provide. This signing is strictly required and enforced by Windows.

 

You must manually sign PowerShell scripts; this is also strictly required and enforced by Windows if the system's execution policy mandates this. See about signing in the PowerShell documentation for more details on script signing and the execution policy. See Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? for a detailed step-by-step of signing a script.

 

In addition to Windows trusting the code-signing certificate used to sign third-party application updates and PowerShell scripts, the certificate must also exist in the Trusted Publishers certificate store on systems installing the third-party update or running the PowerShell script. Adding a certificate to the Trusted Publishers store for a Windows device using Intune is straightforward but involves a few steps as outlined below.

 

What's needed

You need the following three items to add a certificate to the Trusted Publishers store using Intune.

  1. The code-signing certificate you wish to add.
  2. The base-64 encoded version of the code-signing certificate.
  3. The thumbprint of the code-signing certificate.

 

You do not require the private key for the certificate; you only need the private key when signing a file, including scripts and third-party updates.

 

The code-signing certificate

If you do not have a copy of the code-signing certificate, you can extract it from a file previously signed by the certificate using the following steps:

  1. Right-click on the signed file and choose Properties.

  2. Choose the Digital Signatures tab. If this tab does not appear, then the file is not signed.

  3. Choose the appropriate signature from the Signatures list and then press the Details button. Most files will only have a single signature.

  4. In the Digital Signature Details dialog, choose View Certificate.

  5. In the Certificate dialog, choose the Details tab and press Copy to File.

  6. Complete the Certificate Export Wizard to create a CER file containing the certificate. Choose Base-64 encoded x.509 (.CER) for the Export File Format.

  7. Press OK on the three open dialogs.

    Figure: Code-signing certificate dialog boxes

 

Thumbprint of the certificate

A certificate's thumbprint is a dynamically computed identifier that uniquely distinguishes it from other certificates. You can retrieve the thumbprint of a certificate in various ways, including the following:

  1. From the properties of the certificate. You can do this for either a certificate stored in a file (like the .CER file extracted above) or a certificate stored in the Windows certificate store:
    1. Open the certificate by double-clicking the file or the certificate's entry in the MMC Certificates snap-in. You can also right-click on the certificate and choose Open from the context menu.
    2. On the Details tab, scroll down to and select the Thumbprint item in the list box.
    3. Copy the thumbprint from the details pane in the dialog.
    4. Press OK to close the open Certificate dialog.
  2. Using PowerShell:
    1. For a certificate stored in a file (like the .CER file extracted above):
      ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).Thumbprint

      Figure: PowerShell terminal displaying the thumbprint of certs stored in a file
    2. For a certificate stored in your Personal certificate store:
      Get-ChildItem -Path Cert:\CurrentUser\My | Format-List

      Figure: PowerShell terminal displaying the thumbprint of certs stored in a Personal certificate store

Base-64 encoded version of the certificate

The base-64 encoded version of a certificate is a string-based representation of the certificate. This version contains the complete certificate but in a more portable format that is not bound to a file. Similar to the thumbprint, you can obtain the base-64 encoded version of a certificate in several ways, including the following:

  1. From a base-64 encoded .CER file (like the .CER file extracted above):
    1. Open the created .CER file with Notepad.
    2. Copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
    3. Close Notepad.
  2. Using PowerShell:
    1. For a certificate stored in your Personal certificate store:
      [System.Convert]::ToBase64String((Get-Item -Path Cert:\CurrentUser\My\<thumbprint>).RawData, 'InsertLineBreaks')

      Figure: PowerShell terminal displaying the thumbprint of Base-64 certs stored in a Personal certificate store
    2. For a certificate stored in a .CER file:
      [System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')

      Figure: PowerShell terminal displaying the thumbprint of Base-64 certs stored in a .CER file

The Step-By-Step Guide

To add a certificate to the Trusted Publishers store using Intune, use a custom profile and an OMA-URI to apply a setting from the RootCATrustedCertificates CSP.

 

  1. Follow the instructions at Create a profile with custom settings in Intune to create a new, custom, Windows 10 device configuration profile.
  2. Use the following values for the fields in the custom profile:
    1. Name: The name of the certificate.
    2. OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/<thumbprint>/EncodedCertificate
    3. Data type: String
    4. Value: The base-64 encoded version of the certificate without any line breaks.

      Figure: Intune - OMA-URI policy settings

  3. Add scope tags and assignments as necessary.
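
The three inputs for the custom profile can be produced in one pass from the .CER file. The following is an added example, not code from the original post: the function name and output property names are hypothetical, and it goes slightly beyond the steps above by cross-checking the thumbprint against the SHA-1 hash of the certificate and flagging a certificate that lacks the code-signing usage.

```powershell
# Added example: derive the thumbprint, single-line Base64 value and OMA-URI
# for the custom profile from a .CER file (DER or Base-64 encoded).
# Function and property names are illustrative, not from the original post.
function Get-TrustedPublisherProfileValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Resolve to a full path: .NET does not follow PowerShell's current location.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # The constructor reads both DER and Base-64 encoded .CER files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # The Windows thumbprint is the SHA-1 hash of the DER-encoded certificate.
    # Recompute it to show where the value comes from and to cross-check it.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hash = $sha1.ComputeHash($cert.RawData)
    }
    finally {
        $sha1.Dispose()
    }
    $computed = [System.BitConverter]::ToString($hash) -replace '-', ''
    if ($computed -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch for $fullPath"
    }

    # 'None' emits the Base64 text with no line breaks, which is the form
    # the Value field of the profile needs.
    $value = [System.Convert]::ToBase64String(
        $cert.RawData, [System.Base64FormattingOptions]::None)

    # Flag certificates that are not marked for code signing
    # (enhanced key usage OID 1.3.6.1.5.5.7.3.3).
    $codeSigning = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.3') { $codeSigning = $true }
            }
        }
    }

    [pscustomobject]@{
        Name        = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        OmaUri      = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($cert.Thumbprint)/EncodedCertificate"
        DataType    = 'String'
        Value       = $value
        NotAfter    = $cert.NotAfter
        CodeSigning = $codeSigning
    }
}

# Usage (the path is a placeholder):
# Get-TrustedPublisherProfileValue -Path '<path_to_certificate>' | Format-List
```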

 

Additional Notes

  • Windows systems should already trust certificates issued by a public CA. When using a certificate from an alternate source for any purpose, including those listed in this article, you need to add the root certificates for the PKI that issued the certificate to your managed Windows devices. See Create trusted certificate profiles in Microsoft Intune for steps to do this using Intune.
  • Through the magic of Authenticode, a signature is still valid even if the code-signing certificate used to sign a file is past its expiration date. As long as the certificate was valid when it was used to sign a file, then the expiration of the certificate itself does not impact the validity of the signature.
  • Driver and Windows update installation also require signing using a trusted code-signing certificate; however, either Microsoft or the hardware vendor that creates and supplies the associated files signs them. Administrators do not have to add any certificates to the Trusted Publishers store and no additional action is necessary to install either of these.
  • If you're not signing your PowerShell scripts and configuring an execution policy to require signing of PowerShell scripts, you should strongly reconsider your practices as this is a very important safety measure (more on this in a follow-up post).
  • You can also use certutil.exe for all of the operations above. Official documentation on certutil.exe is sparse, though, so this is left as an exercise for the reader if desired.

 

Let us know if you have any additional questions on this by replying back to this post or tagging @JasonSandys or @IntuneSuppTeam out on Twitter.

19 Comments
Occasional Contributor

Hi Jason,

Much appreciated post, thanks for documenting and formalizing this process!

When I tested this same approach I noticed that the base-64 encoded version of the certificate (the really long value between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) seems to only work if it does not contain any linefeeds etc. Using a tool like Notepad+ these can easily be removed by searching for '\r\b' and replacing it with an empty string ''.

The CSP documentation mentions this ('The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. '), but it might be useful to call this out to make sure people don't trip over that.

Regards,

Jan

Microsoft

Hi Jan. Thank you for the comment. You are 100% correct and I've slightly adjusted the post above to reflect this. Thank you.

New Contributor

This works as designed, however the reporting in Intune gives some errors.

 

This happens in multiple tenants. Any idea what causes this?

 

EncodedCertificate [./Device/Vendor/MSFT/RootCaTrustedCertificates/TrustedPublisher/<thumbprint>/EncodedCertificate]

STATE
Error
ERROR CODE
0x87d1fde8
ERROR DETAILS
Remediation failed

Hi Jason,

 

Looks like something went wrong with the command to retrieve the Base64 from a cer file. I believe the opening bracket is missing.

I believe the new method is something added in later .Net versions, so that could be another challenge.

This command did work for me:

[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')

 

Best,

Kim

 

Hi @kim oppalfens, the post has been updated with the missing bracket. Thanks for the feedback!

Senior Member

Just like @Sander de Wit, I am also experiencing error 0x87d1fde8 (Remediation Failed). However, the policy is getting applied successfully. Is this a known issue with this particular CSP @JasonSandys or @IntuneSuppTeam?

Occasional Visitor

I see the same thing as @rahuljindal where I pushed it, I see it successfully drop the cert on the machine but on Intune it says Remediation Failed with error code 0x87d1fde8.

Contributor

Nice article thanks!

 

Is there a way to trust *all* code signing certificates my enterprise CA has created (we have one per user so we know who edited last signed file)?

In the current case I am signing all my PowerShell scripts used for scheduled tasks. They are stored in sysvol and thus considered untrusted.

I signed the PowerShell script with a user's code-signing cert. The scheduled tasks are run by NTAUTHORITY\SYSTEM.

 

I tried adding the CA cert via GPO to the trusted publishers machine store and that doesn't seem to have worked and generates a 'rejected by administrator' alert in task scheduler.

 

Logging on as domain admin to the machine where the task is to run and manually running the PowerShell script results in the untrusted publisher notification and asking me if I want to trust it.

 

Do I really have to add every code signing cert in the enterprise to trusted publishers? 

Microsoft

Hi @alexbal,

 

I'm assuming you are wanting to have all of the certs added as trusted publishers and not just trusted (as there is a difference). For this, no, there is no way to do this except individually. Adding the cert from the root CA that issued these certs to the trusted publishers store has no effect. Thus, yes, you must add each individual cert used for code-signing to the trusted publisher store. With group policy, this is pretty easy and with the above method, it's also pretty quick in Intune. With a little bit of effort, the above can also be fully automated using the Graph API to create the profile and run against multiple certs with minimal manual effort.

Visitor

@Jason_Sandys thanks for confirming the as-designed behavior, I will stop banging my head against that wall. This is for a small home lab so I can do that easily (there is only me!). (Oops, this is alexbal, wasn't paying attention to which account I was using.)

 

However it occurred to me that in an IT pro shop when scripts change a lot, by many individuals, one would have to implement a secrets vault and make signing hard to use the one long lived cert and if the cert was compromised or more likely an admin went rogue one has to re-sign everything.

 

If one could issue per-admin code signing certs then just the rogue admin's certs could be revoked. But for this to be feasible from a management perspective one wouldn't want to distribute potentially hundreds of certs - especially for machines not domain joined.... (I only learnt about the Intune cert connector today, and have no clue how that would work on, say, Linux). Was just a thought, can't help being a PM :)

 

Senior Member

I have the same issue ...

 

I see the same thing as @rahuljindal where I pushed it, I see it successfully drop the cert on the machine but on Intune it says Remediation Failed with error code 0x87d1fde8.

Senior Member

I also got the error message.

 

But the certificate is successfully applied to the user certificate store.

 

ERROR CODE = 0x87d1fde8
State Details = -2016281112 (Remediation failed)
Occasional Visitor

Same Remediation failed issue here..

Any updates on this @Intune Support Team?

 

Need to deploy a certificate to 500+ devices and not looking forward to all the errors in our Intune Dashboard. I guess there isn't some kind of way to acknowledge or suppress these?

 

New Contributor

Folks,

the remediation error as mentioned by others above is "an issue by design".

 

I had a support ticket open with MS and it took a bit of time but eventually MS got back to me to say they had the same result in their lab and it's been reported to the back end team to investigate.

 

So long as the cert actually appears on the local computer> trusted publishers store then move on.

 

Might be fixed down the track... maybe.
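
One way to run the check described in this thread on a managed device, independent of the status Intune reports. This is an added example and not part of any comment or of the original post: the function name, parameter names and output properties are hypothetical.

```powershell
# Added example: confirm that the certificate reached the machine Trusted
# Publishers store and, optionally, that a file signed with it validates.
# Function, parameter and property names are illustrative.
function Test-TrustedPublisherCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,

        # Optional: a file signed with that certificate, for an end-to-end check.
        [string]$SignedFile
    )

    # Thumbprints copied from the certificate dialog can carry spaces or an
    # invisible leading character; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }

    # The OMA-URI in the post is device scoped, so look in the LocalMachine store.
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$clean" -ErrorAction SilentlyContinue

    $result = [ordered]@{
        Thumbprint      = $clean
        InStore         = [bool]$cert
        Subject         = $null
        NotAfter        = $null
        SignatureStatus = $null
        SignerMatches   = $null
    }

    if ($cert) {
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
    }

    if ($SignedFile) {
        # Status is 'Valid' only when the signature verifies and the chain is trusted.
        $sig = Get-AuthenticodeSignature -LiteralPath $SignedFile
        $result.SignatureStatus = $sig.Status
        $result.SignerMatches   = ($null -ne $sig.SignerCertificate) -and
                                  ($sig.SignerCertificate.Thumbprint -eq $clean)
    }

    [pscustomobject]$result
}

# Usage (both values are placeholders):
# Test-TrustedPublisherCertificate -Thumbprint '<thumbprint>' -SignedFile '<path_to_signed_script>'
```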

Senior Member

Hello Jason_Sandys,

first of all, thanks for the great post.
Exactly what I'm searching for. :)

 

Maybe one question to clarify the need for this.
You mentioned there should be 2 main cases where you need code-signing certificates.

Am I missing something or should there be a third big case, where you need it - Microsoft Office Macro-Code-Signing?

Or am I missing some better way for achieving this?

 

Thanks.

Microsoft

Hi @SeMeDe.

 

Thank you. As for the additional use case of signing Office/M365 Apps macros, yes, I think that is certainly valid. Those are just scripts ultimately and for security and validation purposes, they should be signed as well. This does also mean that the cert used to sign them must be trusted and a trusted publisher. More info on signing M365 Apps macros can be found at Digitally sign your macro project (microsoft.com).

New Contributor

Hi there Jason,

are you able to confirm that the remediation error seen when deploying via Intune as you've described is indeed expected?

 

-2016281112 (Remediation failed)

 

ERROR CODE
0x87d1fde8
ERROR DETAILS
Remediation failed
 
Thanks,
Shane.

 

Microsoft

Hi @shane_foley

 

Unfortunately, at this time, this does appear to be a confirmed issue in at least some versions of Windows (the issue is with how the CSP itself reports its status back). Of course, in my lab, I didn't experience this issue at all so at best, there is at least some inconsistency.

New Contributor

Hi there Jason - thanks for getting back to me.

 

The CSP DDF file would suggest there are additional OMA strings required, eg;

 

<Node>
  <NodeName>EncodedCertificate</NodeName>
  <DFProperties>
    <AccessType>
      <Add />
      <Get />
      <Replace />
    </AccessType>
    <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
    <DFFormat>
      <b64 />
    </DFFormat>
    <Occurrence>
      <One />
    </Occurrence>
    <Scope>
      <Dynamic />
    </Scope>
    <CaseSense>
      <CIS />
    </CaseSense>
    <DFType>
      <DDFName></DDFName>
    </DFType>
  </DFProperties>
</Node>

 

RootCATrustedCertificates DDF file - Windows Client Management | Microsoft Docs

 

Is it worth looking at expanding the string out using the DDF?

 

Thanks,

Shane.

3AToBase64String((Get-Item%20-Path%20Cert%3A%5CCurrentUser%5CMy%5C%3CTHUMBPRINT%3E).RawData%2C%20'InsertLineBreaks')%E2%80%8B%3C%2FTHUMBPRINT%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Base64%20Step%201.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F239609iA5D6D426307602D2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Base64%20Step%201.png%22%20alt%3D%22PowerShell%20terminal%20displaying%20the%20thumbprint%20of%20Base-64%20certs%20stored%20in%20a%20Personal%20certificate%20store%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EPowerShell%20terminal%20displaying%20the%20thumbprint%20of%20Base-64%20certs%20stored%20in%20a%20Personal%20certificate%20store%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EFor%20a%20certificate%20stored%20in%20a%20.CER%20file%3A%3CBR%20%2F%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ESystem.Convert%5D%3A%3AToBase64String((%5BSystem.Security.Cryptography.X509Certificates.X509Certificate2%5D%3A%3Anew(%22%3CPATH_TO_CERTIFICATE%3E%22)).Export('Cert')%2C%20'InsertLineBreaks')%E2%80%8B%3C%2FPATH_TO_CERTIFICATE%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Base64%20Step%202.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F239610i736A45C871624ADA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Base64%20Step%202.png%22%20alt%3D%22PowerShell%20terminal%20displaying%20the%20thumbprint%20of%20Base-64%20certs%20stored%20in%20a%20.CER%20file%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22e
vent.preventDefault()%3B%22%3EPowerShell%20terminal%20displaying%20the%20thumbprint%20of%20Base-64%20certs%20stored%20in%20a%20.CER%20file%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-179335826%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%20id%3D%22toc-hId-179335823%22%3EThe%20Step-By-Step%20Guide%3C%2FH2%3E%0A%3CP%3ETo%20add%20a%20certificate%20to%20the%20Trusted%20Publishers%20store%20using%20Intune%2C%20use%20a%20custom%20profile%20and%20an%20OMA-URI%20to%20apply%20a%20setting%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Frootcacertificates-csp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERootCATrustedCertificates%20CSP%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EFollow%20the%20instructions%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fconfiguration%2Fcustom-settings-configure%22%20target%3D%22_blank%22%20rel%3D
%22noopener%20noreferrer%22%3ECreate%20a%20profile%20with%20custom%20settings%20in%20Intune%3C%2FA%3E%20to%20create%20a%20new%2C%20custom%2C%20Windows%2010%20device%20configuration%20profile.%3C%2FLI%3E%0A%3CLI%3EUse%20the%20following%20values%20for%20the%20fields%20in%20the%20custom%20profile%3A%3COL%3E%0A%3CLI%3E%3CSTRONG%3EName%3C%2FSTRONG%3E%3A%20The%20name%20of%20the%20certificate.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EOMA-URI%3C%2FSTRONG%3E%3A%20.%2FDevice%2FVendor%2FMSFT%2FRootCATrustedCertificates%2FTrustedPublisher%2F%3CTHUMBPRINT%3E%2FEncodedCertificate%3C%2FTHUMBPRINT%3E%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EData%20type%3C%2FSTRONG%3E%3A%20String%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EValue%3C%2FSTRONG%3E%3A%20The%20base-64%20encoded%20version%20of%20the%20certificate%26nbsp%3Bwithout%20any%20line%20breaks.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Custom%20Windows%2010%20Policy.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F239612iC1D8FD9C9584CBA2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Custom%20Windows%2010%20Policy.png%22%20alt%3D%22Intune%20-%20OMA-URI%20policy%20settings%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EIntune%20-%20OMA-URI%20policy%20settings%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%3EAdd%20scope%20tags%20and%20assignments%20as%20necessary.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-869897300%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%
3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%20id%3D%22toc-hId-869897297%22%3E%3CSPAN%3EAdditional%20Notes%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3EWindows%20systems%20should%20already%20trust%20certificates%20issued%20by%20a%20public%20CA.%20When%20using%20a%20certificate%20from%20an%20alternate%20source%20for%20any%20purpose%2C%20including%20those%20listed%20in%20this%20article%2C%20you%20need%20to%20add%20the%20root%20certificates%20for%20the%20PKI%20that%20issued%20the%20certificate%20to%20your%20managed%20Windows%20devices.%20See%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fcertificates-trusted-root%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20trusted%20certificate%20profiles%20in%20Microsoft%20Intune%3C%2FA%3E%20for%20steps%20to%20do%20this%20using%20Intune.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EThrough%20the%20magic%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows-hardware%2Fdrivers%2Finstall%2Fauthenticode%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAuthenticode%3C%2FA%3E%2C%20a%20signature%20is%20still%20valid%20even%20if%20the%20code-signing%20certificate%20used%20to%20sign%20a%20file%20is%20past%20its%20expiration%20date.%20As%20long%20as%20the%20certific
ate%20was%20valid%20when%20it%20was%20used%20to%20sign%20a%20file%2C%20then%20the%20expiration%20of%20the%20certificate%20itself%20does%20not%20impact%20the%20validity%20of%20the%20signature.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EDriver%20and%20Windows%20update%20installation%20also%20require%20signing%20using%20a%20trusted%20code-signing%20certificate%2C%20however%2C%20either%20Microsoft%20or%20the%20hardware%20vendor%20that%20creates%20and%20supplies%20the%20associated%20files%20signs%20them.%20Administrators%20do%20not%20have%20to%20add%20any%20certificates%20to%20the%20Trusted%20Publishers%20store%20and%20no%20additional%20action%20is%20necessary%20to%20install%20either%20of%20these.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIf%20you're%20not%20signing%20your%20PowerShell%20scripts%20and%20configuring%20an%20execution%20policy%20to%20require%20signing%20of%20PowerShell%20scripts%2C%20you%20should%20strongly%20reconsider%20your%20practices%20as%20this%20is%20a%20very%20important%20safety%20measure%20(more%20on%20this%20in%20a%20follow-up%20post).%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EYou%20can%20also%20use%20certutil.exe%20for%20all%20of%20the%20operations%20above.%20Official%20documentation%20on%20certutil.exe%20is%20sparse%2C%20though%2C%20so%20this%20is%20left%20as%20an%20exercise%20for%20the%20reader%20if%20desired.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELet%20us%20know%20if%20you%20have%20any%20additional%20questions%20on%20this%20by%20replying%20back%20to%20this%20post%20or%20tagging%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FJasonSandys%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%40JasonSandys%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%20out%20on%20Twitter.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-197
4488%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20to%20learn%20more%20on%20adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Microsoft%20Endpoint%20Manager%20-%20Intune!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1974488%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECode-Signing%20Certificates%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMEM%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETrusted%20Publishers%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1985573%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1985573%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Jan.%20Thank%20you%20for%20the%20comment.%20You%20are%20100%25%20correct%20and%20I've%20slightly%20adjusted%20the%20post%20above%20to%20reflect%20this.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1992841%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1992841%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20works%20as%20designed%2C%20however%20the%20reporting%20in%20Intune%20gives%20some%20errors.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20happens%20in%20multiple%20tenants.%20any%20idea%20what%20causes%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEncodedCertificate%20%5B.%2FDevice%2FVendor%2FMSFT%2FRootCaTrustedCertificates%2FTrustedPublisher%2F%3CTHUMBPRINT%3E%2FEncodedCertificate%5D%3C%2FTHUMBPRINT%3E%3C%2FP%3E%3CP%3ESTATE%3CBR%20%2F%3EError%3CBR%20%2F%3EERROR%20CODE%3CBR%20%2F%3E0x87d1fde8%3CBR%20%2F%3EERROR%20DETAILS%3CBR%20%2F%3ERemediation%20failed%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1992913%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FL
INGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1992913%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Jason%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELooks%20like%20something%20went%20wrong%20with%20the%20command%20to%20retrieve%20the%20Bae64%20from%20a%20cer%20file.%20I%20believe%20the%20opening%20bracket%20is%20missing.%3C%2FP%3E%0A%3CP%3EI%20believe%20the%20new%20method%20is%20something%20added%20in%20later%20.Net%20versions%2C%20so%20that%20could%20be%20another%20challenge.%3C%2FP%3E%0A%3CP%3EThis%20command%20did%20work%20for%20me%3A%3C%2FP%3E%0A%3CP%3E%5BSystem.Convert%5D%3A%3AToBase64String((%5BSystem.Security.Cryptography.X509Certificates.X509Certificate2%5D%3A%3ACreateFromCertFile(%22%3CPATH_TO_CERTIFICATE%3E%22)).Export('Cert')%2C%20'InsertLineBreaks')%3C%2FPATH_TO_CERTIFICATE%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%2C%3C%2FP%3E%0A%3CP%3EKim%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1995677%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1995677%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116860%22%20target%3D%22_blank%22%3E%40kim%20oppalfens%3C%2FA%3E%2C%20the%20post%20has%20been%20updated%20with%20the%20missing%20bracket.%20Thanks%20for%20the%20feedback!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2057790%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2057790%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20like%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68368%22%20target%3D%22_blank%22%3E%40Sander%20de%20Wit%3C%2FA%3E%26nbsp%3B%2C%20I%20am%20also%20experiencing%20error%26nbsp%3B%3CSPAN%3E0x87d1fde8%3C%2FS
PAN%3E%20(Remediation%20Failed).%20However%2C%20the%20policy%20is%20getting%20applied%20successfully.%20Is%20this%20a%20known%20issue%20with%20this%20particular%20CSP%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FJasonSandys%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%40JasonSandys%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bor%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2062443%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2062443%22%20slang%3D%22en-US%22%3E%3CP%3EI%20see%20the%20same%20thing%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F447390%22%20target%3D%22_blank%22%3E%40rahuljindal%3C%2FA%3E%26nbsp%3Bwhere%20I%20pushed%20it%2C%20I%20see%20it%20successfully%20drop%20the%20cert%20on%20the%20machine%20but%20on%20Intune%20it%20says%20Remediation%20Failed%20with%20error%20code%20%3CSPAN%3E0x87d1fde8.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2066052%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2066052%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20article%20thanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20trust%20*all*%20code%20signing%20certificated%20my%20enterprise%20CA%20has%20created%20(we%20have%20one%20per%20user%20so%20we%20know%20who%20edited%20last%20signed%20file).%3C%2FP%3E%3CP%3EIn%20the%20current%20case%20I%20am%20signing%20all%20my%20PowerShell%20scripts%20used%20for%20scheduled%20tasks.%20They%20are%20stored%20in%20sysvol%20and%20thus%20considered%20untrusted.%3C%2FP%3E%3CP%3EI%20signed%20the%20PowerSh
ell%20script%20with%20a%20users%20code-signing%20cert.%26nbsp%3B%20The%20scheduled%20tasks%20are%20run%20by%20NTAUTHORITY%5CSYSTEM%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20adding%20the%20CA%20cert%20via%20GPO%20to%20the%20trusted%20publishers%20machine%20store%20and%20that%20doesn't%20seem%20to%20have%20worked%20and%20generates%20a%20'rejected%20by%20administrator'%20alert%20in%20task%20scheduler.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELogging%20on%20as%20domain%20admin%20to%20the%20machine%20where%20the%20task%20is%20to%20run%20and%20manually%20running%20the%20PowerShell%20script%20results%20in%20the%20untrusted%20publisher%20notification%20and%20asking%20me%20if%20i%20want%20to%20trust%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20I%20really%20have%20to%20add%20every%20code%20signing%20cert%20in%20the%20enterprise%20to%20trusted%20publishers%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2076705%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2076705%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68368%22%20target%3D%22_blank%22%3E%40Sander%20de%20Wit%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F447390%22%20target%3D%22_blank%22%3E%40rahuljindal%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F929749%22%20target%3D%22_blank%22%3E%40Zeddoo%3C%2FA%3E%2C%20thank%20you%20for%20your%20comments%2C%20we're%20looking%20into%20this%20and%20will%20get%20back%20to%20you%20on%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2077267%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-S
UB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077267%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F316256%22%20target%3D%22_blank%22%3E%40alexbal%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI'm%20assuming%20you%20are%20wanting%20to%20have%20all%20of%20the%20certs%20added%20as%20trusted%20publishers%20and%20not%20just%20trusted%20(as%20there%20is%20a%20difference).%20For%20this%2C%20no%2C%20there%20is%20no%20way%20to%20do%20this%20except%20individually.%20Adding%20the%20cert%20from%20the%20root%20CA%20that%20issued%20these%20certs%20to%20the%20trusted%20publishers%20store%20has%20no%20effect.%20Thus%2C%20yes%2C%20you%20must%20add%20each%20individual%20cert%20used%20for%20code-signing%20to%20the%20trusted%20publisher%20store.%20With%20group%20policy%2C%20this%20is%20pretty%20easy%20and%20with%20the%20above%20method%2C%20it's%20also%20pretty%20quick%20in%20Intune.%20With%20a%20little%20bit%20of%20effort%2C%20the%20above%20can%20also%20be%20fully%20automated%20using%20the%20Graph%20API%20to%20create%20the%20profile%20and%20run%20against%20multiple%20certs%20with%20minimal%20manual%20effort.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2077321%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077321%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F629631%22%20target%3D%22_blank%22%3E%40Jason_Sandys%3C%2FA%3E%26nbsp%3Bthanks%20for%20confirming%20the%20as-designed%20behavior%2C%20i%20will%20stop%20banging%20my%20head%20against%20that%20wall.%26nbsp%3B%20This%20is%20for%20a%20small%20home%20lab%20so%20i%20can%20do%20that%20easily%20(there%20is%20only%20me!).%20(oops%20this%20is%20alexbal%2C%20wasn't%20paying%20attention%20to%20which%20account%20i%20was%20u
sing)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20it%20occurred%20to%20me%20that%20in%20an%20IT%20pro%20shop%20when%20scripts%20change%20a%20lot%2C%20by%20many%20individuals%2C%20one%20would%20have%20to%20implement%20a%20secrets%20vault%20and%20make%20signing%20hard%20to%20use%20the%20one%20long%20lived%20cert%20and%20if%20the%20cert%20was%20compromised%20or%20more%20likely%20an%20admin%20went%20rogue%20one%20has%20to%20re-sign%20everything.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20one%20could%20issue%20per-admin%20code%20signing%20certs%20then%20just%20the%20rogue%20admin's%20certs%20could%20be%20revoked.%26nbsp%3B%20But%20for%20this%20to%20be%20feasible%20from%20a%20management%20perspective%20one%20wouldn't%20want%20to%20distribute%20potentially%20hundreds%20of%20certs%20-%20especially%20for%20machines%20nor%20domain%20joined....%20(i%20only%20learnt%20about%20the%20intune%20cert%20connector%20today%2C%20and%20have%20no%20clue%20how%20that%20would%20work%20on%20say%2C%20linux).%26nbsp%3B%20Was%20just%20a%20thought%2C%20can't%20help%20being%20a%20PM%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114578%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114578%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20same%20issue%20...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CEM%3EI%20see%20the%20same%20thing%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F447390%22%20target%3D%22_blank%22%3E%40rahuljindal%3C%2FA%3E%26nbsp%3Bwhere%20I%20pushed%20it%2C%20I%20see%20it%20successfully%20drop%20the%20cert%20on%20the%20machine%20but%20on%20Intune%20it%20says%20Remediation%20Failed%20with%20error%20code%26nbsp%3B0x87d1fde8.%3C%2FEM%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub
-2133877%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2133877%22%20slang%3D%22en-US%22%3E%3CP%3EI%20also%20got%20the%20error%20message.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20the%20certificate%20is%20sucessfull%20applied%20to%20the%20user%20certificate%20store.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22msportalfx-text-header-regular%20ext-component-title%22%3EERROR%20CODE%20%3D%26nbsp%3B0x87d1fde8%3C%2FDIV%3E%3CDIV%20class%3D%22msportalfx-text-header-regular%20ext-component-title%22%3EState%20Details%20%3D%26nbsp%3B-2016281112%20(Remediation%20failed)%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2165978%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2165978%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20Remediation%20failed%20issue%20here..%3C%2FP%3E%3CP%3EAny%20updates%20on%20this%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENeed%20to%20deploy%20a%20certificate%20to%20500%2B%20devices%20and%20not%20looking%20forward%20to%20all%20the%20errors%20in%20our%20Intune%20Dashboard.%20I%20guess%20there%20isn't%20some%20kind%20of%20way%20to%20acknowledge%20or%20suppress%20these%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2329629%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2329629%22%20slang%3D%22en-US%22%3E%3CP%3EFolks%2C%3C%2FP%3E%3CP%3Ethe%20remediation%20error%20as%20mentioned%20by%20others%20above%20is%20%22an%20issue%20by%20design%22.%3C%2FP%3E%3CP%3E%26nbs
p%3B%3C%2FP%3E%3CP%3EI%20had%20a%20support%20ticket%20open%20with%20MS%20and%20it%20took%20a%20bit%20of%20time%20but%20eventually%20MS%20got%20back%20to%20me%20to%20say%20they%20had%20the%20same%20result%20in%20their%20lab%20and%20it's%20been%20reported%20to%20the%20back%20end%20team%20to%20investigate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20long%20as%20the%20cert%20actually%20appears%20on%20the%20local%20computer%26gt%3B%20trusted%20publishers%20store%20then%20move%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMight%20be%20fixed%20down%20the%20track...%20maybe.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2363061%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20a%20Certificate%20to%20Trusted%20Publishers%20using%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2363061%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F629631%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3EJason_Sandys%3C%2FSPAN%3E%3C%2FA%3E%2C%3C%2FP%3E%3CP%3Efirst%20of%20all%2C%20thanks%20for%20the%20great%20post.%3CBR%20%2F%3EExactly%20what%20I'm%20searching%20for.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybee%20one%20question%20to%20clarify%20the%20need%20for%20this.%3CBR%20%2F%3EYou%20mentioned%20there%20should%20be%202%20main%20cases%20where%20you%20need%20code-signing%20certificates.%3C%2FP%3E%3CP%3EAm%20I%20missing%20something%20or%20should%20there%20be%20a%20third%20big%20case%2C%20where%20you%20need%20it%20-%20Microsoft%20Office%20Macro-Code-Signing%3F%3C%2FP%3E%3CP%3EOr%20am%20I%20missing%20some%20better%20way%20for%20archiving%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update: Dec 16 2020 02:46 PM
Updated by: