cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Tech Accelerator: Microsoft Intune Suite
Apr 11 2023 08:00 AM - Apr 12 2023 11:00 AM (PDT)
Find out more
SOLVED

Deploy Windows 11 device certificate with password through Intune

oryxway
Frequent Contributor

‎Feb 27 2023 10:44 AM

‎Feb 27 2023 10:44 AM

Deploy Windows 11 device certificate with password through Intune

I am using configuration profile to push device cert through Intune and get the cert installed. I am not sure how would I do it for a CERT that has a password.

 

I was trying using OMA-URI custom profile, but then again I do not know the "scope" if this cert needs to be installed under Personal folder. Any ideas or suggestions or any other easy method to push it?

 

oryxway_0-1677523400300.png

 

Labels:
783 Views
0 Likes
19 Replies
Reply
19 Replies
Harm_Veenstra

‎Feb 28 2023 01:51 AM

‎Feb 28 2023 01:51 AM

Re: Deploy Windows 11 device certificate with password through Intune

I don't think that there's a Configuration Profile for it. You could create a Win32 package containing a file and a script based on https://stackoverflow.com/questions/5171117/import-pfx-file-into-particular-certificate-store-from-c... to import it
0 Likes
Reply
oryxway

‎Feb 28 2023 12:14 PM

‎Feb 28 2023 12:14 PM

Re: Deploy Windows 11 device certificate with password through Intune

Thanks Harm. How about installing Certificates through Configuration Profiles and choosing Trusted Certificate. Now, does this install the Certificate? Also, what if the Certificate is already installed, will this method check to see that the Certificate is present and will not install or how does this work.

In general all the different types of Certificates that can be installed like SCEP, Trusted Certificate, PKCS will that get installed on the device if we import the CERT other than the one that needs a password?
0 Likes
Reply
Harm_Veenstra

‎Feb 28 2023 01:29 PM

‎Feb 28 2023 01:29 PM

Re: Deploy Windows 11 device certificate with password through Intune

A trusted certificate configuration profile only puts a Root or Intermediate in your certificate store... SCEP enrollment is better, but if you have a specific one that a few clients need... Then you could create a package for it, but then you would have the password of it in a script... Is it a sensitive (like banking) certificate?
0 Likes
Reply
oryxway

‎Mar 02 2023 06:30 AM

‎Mar 02 2023 06:30 AM

Re: Deploy Windows 11 device certificate with password through Intune

I asked them to go with NDES or SCEPMAN (germany) but we planned to use our own CERT. So, could not do much. I also learnt that there is Microsoft Graph method of deploying PKE cert which is more secure rather than deploying it to the machine and then installing it. It looks complicated process but it is secure I think.
1 Like
Reply
best response confirmed by oryxway (Frequent Contributor)
Harm_Veenstra

‎Mar 02 2023 09:21 AM

‎Mar 02 2023 09:21 AM

Solution

Re: Deploy Windows 11 device certificate with password through Intune

Nice, if it works.. Share :smiling_face_with_smiling_eyes:
0 Likes
Reply
oryxway

‎Mar 02 2023 11:32 AM

‎Mar 02 2023 11:32 AM

Re: Deploy Windows 11 device certificate with password through Intune

Harm I am having an issue with the cert import it is failing actually. I thought it worked.

It says cannot bind parameter 'Password'. Cannot convert the 'password' value of type "system.string' to type "system.security.securestring".
At line:1 char:99
0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 11:46 AM

‎Mar 02 2023 11:46 AM

Re: Deploy Windows 11 device certificate with password through Intune

Ah :) Use this to set $password = ConvertTo-SecureString -String "passwordhere" -AsPlainText -Force, and then you can use -Password $password
0 Likes
Reply
oryxway

‎Mar 02 2023 11:55 AM

‎Mar 02 2023 11:55 AM

Re: Deploy Windows 11 device certificate with password through Intune

Cannot convert 'System.String' to the type 'System.Management.Automation.SwitchParameter' required by parameter 'AsPlainText'
0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 12:06 PM

‎Mar 02 2023 12:06 PM

Re: Deploy Windows 11 device certificate with password through Intune

C:\Users\HarmVeenstra> $password = ConvertTo-SecureString -String "123" -AsPlainText -Force
C:\Users\HarmVeenstra> Import-PfxCertificate -FilePath D:\temp\test.pfx -Password $password -CertStoreLocation Cert:\CurrentUser\My -Exportable:$false

works for me when importing a pfx file with a password of 123 for example
0 Likes
Reply
oryxway

‎Mar 02 2023 12:25 PM - edited ‎Mar 02 2023 12:29 PM

‎Mar 02 2023 12:25 PM - edited ‎Mar 02 2023 12:29 PM

Re: Deploy Windows 11 device certificate with password through Intune

I missed the - before AsPlainText

 

Import-pfxcertificate : The PFX file you are trying to import requires either a different password or membership in an Active Directory Principal to which it is protected.

Googling this I came across 2 things
Try surrounding the plain text password with single quotes instead of double quotes. I had a password with $ in it that gave me the same error until I swapped the quotes.

With Single quote I get 0x8007005 E_ACCESSDENIED

0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 12:33 PM

‎Mar 02 2023 12:33 PM

Re: Deploy Windows 11 device certificate with password through Intune

Are you running it as admin and importing it into the LocalMachine store?
0 Likes
Reply
oryxway

‎Mar 02 2023 12:34 PM

‎Mar 02 2023 12:34 PM

Re: Deploy Windows 11 device certificate with password through Intune

I am running this on the local machine as the Powershell script did not run so testing it first on the local machine importing it and running it as local admin
0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 12:40 PM

‎Mar 02 2023 12:40 PM

Re: Deploy Windows 11 device certificate with password through Intune

How does the script look like now?
0 Likes
Reply
oryxway

‎Mar 02 2023 12:45 PM

‎Mar 02 2023 12:45 PM

Re: Deploy Windows 11 device certificate with password through Intune

$SecurePassword = ConvertTo-SecureString -String "Password" -AsPlainText -Force
Import-pfxcertificate -FilePath C:\Temp\Cert.pfx -Exportable:$false -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My
0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 12:52 PM

‎Mar 02 2023 12:52 PM

Re: Deploy Windows 11 device certificate with password through Intune

Looks good to me... Doing the same steps here just works... Could you export the certificate with a less complex password to avoid having to escape certain characters?
0 Likes
Reply
oryxway

‎Mar 02 2023 12:55 PM

‎Mar 02 2023 12:55 PM

Re: Deploy Windows 11 device certificate with password through Intune

Yes, that is what I thought and another one I am reading is about importing a TripleDES-SHA1 -encrypted certificate works as expected than importing am AES256-SHA256. I am not sure what is mine, is there a way to check that? This I am reading in an article in GitHub

https://github.com/dscommunity/CertificateDsc/issues/153
0 Likes
Reply
Harm_Veenstra

‎Mar 02 2023 12:58 PM

‎Mar 02 2023 12:58 PM

Re: Deploy Windows 11 device certificate with password through Intune

You can see that in the properties of the certificate in your certificate store on the second tab
0 Likes
Reply
Harm_Veenstra

‎Mar 08 2023 06:33 AM

‎Mar 08 2023 06:33 AM

Re: Deploy Windows 11 device certificate with password through Intune

Any update?
0 Likes
Reply