Adding a Certificate to Trusted Publishers using Microsoft Intune

Hi Jason,

Much appreciated post, thanks for documenting and formalizing this process!

When I tested this same approach I noticed that the base-64 encoded version of the certificate (the really long value between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) seems to only work if it does not contain any linefeeds etc. Using a tool like Notepad+ these can easily be removed by searching for '\r\b' and replacing it with an empty string ''.

The CSP documentation mentions this ('The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. '), but it might be useful to call this out to make sure people don't trip over that.

Regards,

Jan

Hi Jan. Thank you for the comment. You are 100% correct and I've slightly adjusted the post above to reflect this. Thank you.

This works as designed, however the reporting in Intune gives some errors.

This happens in multiple tenants. any idea what causes this?

EncodedCertificate [./Device/Vendor/MSFT/RootCaTrustedCertificates/TrustedPublisher/<thumbprint>/EncodedCertificate]

STATE
Error
ERROR CODE
0x87d1fde8
ERROR DETAILS
Remediation failed

Hi Jason,

Looks like something went wrong with the command to retrieve the Bae64 from a cer file. I believe the opening bracket is missing.

I believe the new method is something added in later .Net versions, so that could be another challenge.

This command did work for me:

[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')

Best,

Kim

Hi @kim oppalfens, the post has been updated with the missing bracket. Thanks for the feedback!

Just like @Sander de Wit , I am also experiencing error 0x87d1fde8 (Remediation Failed). However, the policy is getting applied successfully. Is this a known issue with this particular CSP @JasonSandys or @IntuneSuppTeam?

I see the same thing as @rahuljindal-MVP where I pushed it, I see it successfully drop the cert on the machine but on Intune it says Remediation Failed with error code 0x87d1fde8.

Nice article thanks!

Is there a way to trust *all* code signing certificated my enterprise CA has created (we have one per user so we know who edited last signed file).

In the current case I am signing all my PowerShell scripts used for scheduled tasks. They are stored in sysvol and thus considered untrusted.

I signed the PowerShell script with a users code-signing cert.  The scheduled tasks are run by NTAUTHORITY\SYSTEM,

I tried adding the CA cert via GPO to the trusted publishers machine store and that doesn't seem to have worked and generates a 'rejected by administrator' alert in task scheduler.

Logging on as domain admin to the machine where the task is to run and manually running the PowerShell script results in the untrusted publisher notification and asking me if i want to trust it.

Do I really have to add every code signing cert in the enterprise to trusted publishers? 

Hi @alexbal,

I'm assuming you are wanting to have all of the certs added as trusted publishers and not just trusted (as there is a difference). For this, no, there is no way to do this except individually. Adding the cert from the root CA that issued these certs to the trusted publishers store has no effect. Thus, yes, you must add each individual cert used for code-signing to the trusted publisher store. With group policy, this is pretty easy and with the above method, it's also pretty quick in Intune. With a little bit of effort, the above can also be fully automated using the Graph API to create the profile and run against multiple certs with minimal manual effort.

@Jason_Sandys thanks for confirming the as-designed behavior, i will stop banging my head against that wall.  This is for a small home lab so i can do that easily (there is only me!). (oops this is alexbal, wasn't paying attention to which account i was using)

However it occurred to me that in an IT pro shop when scripts change a lot, by many individuals, one would have to implement a secrets vault and make signing hard to use the one long lived cert and if the cert was compromised or more likely an admin went rogue one has to re-sign everything.

If one could issue per-admin code signing certs then just the rogue admin's certs could be revoked.  But for this to be feasible from a management perspective one wouldn't want to distribute potentially hundreds of certs - especially for machines nor domain joined.... (i only learnt about the intune cert connector today, and have no clue how that would work on say, linux).  Was just a thought, can't help being a PM :)

I have the same issue ...

I see the same thing as @rahuljindal where I pushed it, I see it successfully drop the cert on the machine but on Intune it says Remediation Failed with error code 0x87d1fde8.

I also got the error message.

But the certificate is sucessfull applied to the user certificate store.

Same Remediation failed issue here..

Any updates on this  @Intune_Support_Team  ?

Need to deploy a certificate to 500+ devices and not looking forward to all the errors in our Intune Dashboard. I guess there isn't some kind of way to acknowledge or suppress these?

Folks,

the remediation error as mentioned by others above is "an issue by design".

I had a support ticket open with MS and it took a bit of time but eventually MS got back to me to say they had the same result in their lab and it's been reported to the back end team to investigate.

So long as the cert actually appears on the local computer> trusted publishers store then move on.

Might be fixed down the track... maybe.

Hello Jason_Sandys,

first of all, thanks for the great post.
Exactly what I'm searching for. :)

Maybee one question to clarify the need for this.
You mentioned there should be 2 main cases where you need code-signing certificates.

Am I missing something or should there be a third big case, where you need it - Microsoft Office Macro-Code-Signing?

Or am I missing some better way for archiving this?

Thanks.

Hi @SeMeDe.

Thank you. As for the additional use case of signing Office/M365 Apps macros, yes, I think that is certainly valid. Those are just scripts ultimately and for security and validation purposes, they should be signed as well. This does also mean that the cert used to sign them must be trusted and a trusted publisher. More info on signing M365 Apps macros can be found at Digitally sign your macro project (microsoft.com).

Hi there Jason ,

are you able to confirm that the remediation error seen when deploying via Intune as you've described is indeed expected?

-2016281112 (Remediation failed)

Hi @shane_foley

Unfortunately, at this time, this does appear to be a confirmed issue in at least some versions of Windows (the issue is with how the CSP itself reports its status back). Of course, in my lab, I didn't experience this issue at all so at best, there is at least some inconsistency.

Hi there Jason - thanks for getting back to me.

The CSP DDF file would suggest there are additional OMA strings required, eg;

<Node> <NodeName>EncodedCertificate</NodeName> <DFProperties> <AccessType> <Add /> <Get /> <Replace /> </AccessType> <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description> <DFFormat> <b64 /> </DFFormat> <Occurrence> <One /> </Occurrence> <Scope> <Dynamic /> </Scope> <CaseSense> <CIS /> </CaseSense> <DFType> <DDFName></DDFName> </DFType> </DFProperties> </Node>

RootCATrustedCertificates DDF file - Windows Client Management | Microsoft Docs

Is it worth looking at expanding the string out using the DDF?

Thanks,

Shane.

@Jason_Sandys unfortunately, the issue still persists. Two years after @Sander de Wit reported this, it is still there. Do you have an update, please? We are about to deploy this policy to 8.000 (and later to 15.000) devices so it would help if the problem would be solved. Thanks!

Hi @Marco_Dijkshoorn. At this time, there are no further updates as this is still an item being evaluated to be addressed.

I've been unsuccessful in getting this to work. I just keep getting a deployment error, and the certificate is not installed on my test device. I am unclear by what this means in your post above, "When using a certificate from an alternate source for any purpose, including those listed in this article, you need to add the root certificates for the PKI that issued the certificate to your managed Windows devices."

I added my code-signing certificate to the Trusted Root Certification Authorities store, but I am not sure that's what the above line means. Intune did successfully deploy the certificate in this case, but it will not deploy it to the Trusted Publishers store. 

I am also not sure I'm fully understanding the comment about removing line breaks. How do I verify that there are no line breaks or something wrong with my base64 formatting that might be interfering with a successful deployment of my cert?

Well, naturally, after posting the above reply it has assigned it to my test device. I'm still receiving an error in the Intune portal, but that appears to be a bug per your previous replies.

I have written a script which does all this automatically. You only have to select the certificate and the rest what is necessary to create a configuration profile is done by my script.

Adding a Certificate to Trusted Publishers using Intune – Modern Device Management (jannikreinhard.c...

All the folks that are seeing the error remediation, make sure you remove the line breaks from the Base-64 version of the value. Try pasting it in Notepad++ or Word or something. Once those line breaks are removed, copy paste it in the value on Intune and Intune will no longer show "error remediation".

@Zeddoo I did this but it still throws and error. I pasted it into Notepad as well as Sublime Text. Still throws an error, but deploys certificate properly.

@ahelton_kcl That's odd. I was seeing this for the past year until I came across this guide https://www.inthecloud247.com/add-a-certificate-to-the-trusted-publishers-with-intune-without-report.... I made the changes and it fixed immediately on my end. Any chance you have more than 1 certs being pushed and that one of those still have the line breaks? Try following the guide I just posted.

@Zeddoo I was wrong. Just took forever to update in the Intune portal. Free and clear of errors now. Thanks for the tip!

Adding trusted publisher certs is handy for silent install of software that contains drivers. Can deploy the certs before the software. Here is a few lines of powershell to create a text file with information need to create the config. Works without error.

$cert = (get-item .\DriverCert.cer).FullName
$cert >> cert.txt
$thumbprint = ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)).thumbprint 
"./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate" >> cert.txt
[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)).Export('Cert')) >> cert.txt

I changed [System.Convert]::ToBase64String((Get-Item -Path Cert:\CurrentUser\My\<thumbprint>).RawData, 'InsertLineBreaks') to [System.Convert]::ToBase64String((Get-Item -Path Cert:\CurrentUser\My\<thumbprint>).RawData) and imported it, now instead of erroring out I'm getting success.

Got remediation error like everyone else at first so just one question.

Why does it say to insert line breakers when the string is suppose to be without line breaks? it just adds extra steps to first add them and then remove them.

[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')

Value: The base-64 encoded version of the certificate without any line breaks.

Used this and it worked perfectly

[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<CertPath>")).Export('Cert')) | Set-Clipboard

Thank you for sharing this guide. It worked perfectly.

Also, I do believe @JoakimJarl is correct, as I also removed 'InsertLineBreaks' and this worked for me without error or the need for removing the linefeeds later. I did not use the Set-Clipboard command though so I will add this handy tip for the next time. Thank you for this reply as well