SOLVED

Deploy Windows 11 device certificate with password through Intune

Iron Contributor

I am using configuration profile to push device cert through Intune and get the cert installed. I am not sure how would I do it for a CERT that has a password.

 

I was trying using OMA-URI custom profile, but then again I do not know the "scope" if this cert needs to be installed under Personal folder. Any ideas or suggestions or any other easy method to push it?

 

oryxway_0-1677523400300.png

 

19 Replies
I don't think that there's a Configuration Profile for it. You could create a Win32 package containing a file and a script based on https://stackoverflow.com/questions/5171117/import-pfx-file-into-particular-certificate-store-from-c... to import it
Thanks Harm. How about installing Certificates through Configuration Profiles and choosing Trusted Certificate. Now, does this install the Certificate? Also, what if the Certificate is already installed, will this method check to see that the Certificate is present and will not install or how does this work.

In general all the different types of Certificates that can be installed like SCEP, Trusted Certificate, PKCS will that get installed on the device if we import the CERT other than the one that needs a password?
A trusted certificate configuration profile only puts a Root or Intermediate in your certificate store... SCEP enrollment is better, but if you have a specific one that a few clients need... Then you could create a package for it, but then you would have the password of it in a script... Is it a sensitive (like banking) certificate?
I asked them to go with NDES or SCEPMAN (germany) but we planned to use our own CERT. So, could not do much. I also learnt that there is Microsoft Graph method of deploying PKE cert which is more secure rather than deploying it to the machine and then installing it. It looks complicated process but it is secure I think.
best response confirmed by oryxway (Iron Contributor)
Solution
Nice, if it works.. Share :smiling_face_with_smiling_eyes:
Harm I am having an issue with the cert import it is failing actually. I thought it worked.

It says cannot bind parameter 'Password'. Cannot convert the 'password' value of type "system.string' to type "system.security.securestring".
At line:1 char:99
Ah :) Use this to set $password = ConvertTo-SecureString -String "passwordhere" -AsPlainText -Force, and then you can use -Password $password
Cannot convert 'System.String' to the type 'System.Management.Automation.SwitchParameter' required by parameter 'AsPlainText'
C:\Users\HarmVeenstra> $password = ConvertTo-SecureString -String "123" -AsPlainText -Force
C:\Users\HarmVeenstra> Import-PfxCertificate -FilePath D:\temp\test.pfx -Password $password -CertStoreLocation Cert:\CurrentUser\My -Exportable:$false

works for me when importing a pfx file with a password of 123 for example

I missed the - before AsPlainText

 

Import-pfxcertificate : The PFX file you are trying to import requires either a different password or membership in an Active Directory Principal to which it is protected.

Googling this I came across 2 things
Try surrounding the plain text password with single quotes instead of double quotes. I had a password with $ in it that gave me the same error until I swapped the quotes.

With Single quote I get 0x8007005 E_ACCESSDENIED

Are you running it as admin and importing it into the LocalMachine store?
I am running this on the local machine as the Powershell script did not run so testing it first on the local machine importing it and running it as local admin
How does the script look like now?
$SecurePassword = ConvertTo-SecureString -String "Password" -AsPlainText -Force
Import-pfxcertificate -FilePath C:\Temp\Cert.pfx -Exportable:$false -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My
Looks good to me... Doing the same steps here just works... Could you export the certificate with a less complex password to avoid having to escape certain characters?
Yes, that is what I thought and another one I am reading is about importing a TripleDES-SHA1 -encrypted certificate works as expected than importing am AES256-SHA256. I am not sure what is mine, is there a way to check that? This I am reading in an article in GitHub

https://github.com/dscommunity/CertificateDsc/issues/153
You can see that in the properties of the certificate in your certificate store on the second tab
1 best response

Accepted Solutions
best response confirmed by oryxway (Iron Contributor)
Solution
Nice, if it works.. Share :smiling_face_with_smiling_eyes:

View solution in original post