Hi, when I create a deployment using the Microsoft Edge Wizard in MECM 2002, then deploy it, the install times out. If I run the automatically created command manually, I get a message "Do you want to run software from this untrusted publisher. CN=Microsoft Corporation, O=Microsoft Corporation,L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers." . I'm assuming this is related to the fact that the ps1 scripts are now signed. Can anyone tell me how I acquire this cert? I'm assuming i need to add it to group policy...

PaulKlerkx The PowerShell script cert chains to the "Microsoft Code Signing PCA 2011" cert, which in turn chains to the "Microsoft Root Certificate Authority 2011" cert. Both of these should be present on a Windows system, in the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" stores respectively. If they aren't there on your systems, I guess they were removed for some reason. If they are there, make sure the PowerShell execution policy isn't set to Restricted in your ConfigMgr client settings.

Michiel Overweel - We have the "Microsoft Root Certificate Authority 2011" cert in Trusted root certification Authorities, however we don't have the "Microsoft Code Signing PCA 2011" anywhere. Under trusted publishers, we only have our inhouse code signing certs listed. I did a search for all certs issued by and issued to Microsoft and it definitely isn't on our Windows 10 machines which are on May/June 2020 update level. the only code signing certs from MS we have are for "Microsoft Windows Hardware compatibility" and "Symantec Enterprise Mobile Root for Microsoft" .I checked our SOE build, a fresh build of windows 10 enterprise and my personal windows 10 home and the cert isn't on any of them. Any idea where I can get it from?

forgot to mentionwin 10 enterprise was 1909, our SOE is 1809 and home version is 1909, in case it was only made part of a particular Win10 build

also verified not in intermediate CA

PaulKlerkx I ran a quick test in my lab environment, and it appears that the "Microsoft Code Signing PCA 2011" certificate is added to the Intermediate Certification Authorities on the system where the ConfigMgr console was used to create the Edge application. In my environment, this hasn't caused any issues, but application installation policies might be a bit more strict in yours. What I'd try next is: export the certificate on the ConfigMgr console computer, and then import that into a GPO so it can be distributed to all ConfigMgr client computers. You could probably do the same using ConfigMgr Certificate Profiles. Good luck!

Untrusted Certificate when installing Microsoft Edge

13 Replies

server-2013
Copper Contributor
Jan 15, 2022
for windows kit
server-2013
Copper Contributor
Jan 15, 2022
PaulKlerkx
Michiel Overweel
Former Employee
Jun 22, 2020
PaulKlerkx The PowerShell script cert chains to the "Microsoft Code Signing PCA 2011" cert, which in turn chains to the "Microsoft Root Certificate Authority 2011" cert. Both of these should be present on a Windows system, in the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" stores respectively. If they aren't there on your systems, I guess they were removed for some reason. If they are there, make sure the PowerShell execution policy isn't set to Restricted in your ConfigMgr client settings.
- PaulKlerkx
  Iron Contributor
  Jun 24, 2020
  Michiel Overweel - We have the "Microsoft Root Certificate Authority 2011" cert in Trusted root certification Authorities, however we don't have the "Microsoft Code Signing PCA 2011" anywhere. Under trusted publishers, we only have our inhouse code signing certs listed. I did a search for all certs issued by and issued to Microsoft and it definitely isn't on our Windows 10 machines which are on May/June 2020 update level. the only code signing certs from MS we have are for "Microsoft Windows Hardware compatibility" and "Symantec Enterprise Mobile Root for Microsoft" .
  I checked our SOE build, a fresh build of windows 10 enterprise and my personal windows 10 home and the cert isn't on any of them. Any idea where I can get it from?
  - PaulKlerkx
    Iron Contributor
    Jun 24, 2020
    forgot to mention
    win 10 enterprise was 1909, our SOE is 1809 and home version is 1909, in case it was only made part of a particular Win10 build

Forum Discussion

Untrusted Certificate when installing Microsoft Edge

13 Replies

Resources