Untrusted Certificate when installing Microsoft Edge

%3CLINGO-SUB%20id%3D%22lingo-sub-1479788%22%20slang%3D%22en-US%22%3EUntrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1479788%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20when%20I%20create%20a%20deployment%20using%20the%20Microsoft%20Edge%20Wizard%20in%20MECM%202002%2C%20then%20deploy%20it%2C%20the%20install%20times%20out.%20If%20I%20run%20the%20automatically%20created%20command%20manually%2C%20I%20get%20a%20message%20%22Do%20you%20want%20to%20run%20software%20from%20this%20untrusted%20publisher.%20CN%3DMicrosoft%20Corporation%2C%20O%3DMicrosoft%20Corporation%2CL%3DRedmond%2C%20S%3DWashington%2C%20C%3DUS%20and%20is%20not%20trusted%20on%20your%20system.%20Only%20run%20scripts%20from%20trusted%20publishers.%22%20.%20I'm%20assuming%20this%20is%20related%20to%20the%20fact%20that%20the%20ps1%20scripts%20are%20now%20signed.%26nbsp%3B%20Can%20anyone%20tell%20me%20how%20I%20acquire%20this%20cert%3F%26nbsp%3B%20I'm%20assuming%20i%20need%20to%20add%20it%20to%20group%20policy...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1480247%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1480247%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F304933%22%20target%3D%22_blank%22%3E%40PaulKlerkx%3C%2FA%3E%26nbsp%3BThe%20PowerShell%20script%20cert%20chains%20to%20the%20%22Microsoft%20Code%20Signing%20PCA%202011%22%20cert%2C%20which%20in%20turn%20chains%20to%20the%20%22Microsoft%20Root%20Certificate%20Authority%202011%22%20cert.%20Both%20of%20these%20should%20be%20present%20on%20a%20Windows%20system%2C%20in%20the%20%22Intermediate%20Certification%20Authorities%22%20and%20%22Trusted%20Root%20Certification%20Authorities%22%20stores%20respectively.%20If%20they%20aren't%20there%20on%20your%20systems%2C%20I%20guess%20they%20were%20removed%20for%20some%20reason.%20If%20they%20are%20there%2C%20make%20sure%20the%20PowerShell%20execution%20policy%20isn't%20set%20to%20Restricted%20in%20your%20ConfigMgr%20client%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1484891%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484891%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%20We%20have%20the%20%22%3CSPAN%3EMicrosoft%20Root%20Certificate%20Authority%202011%22%20cert%20in%20Trusted%20root%20certification%20Authorities%2C%20however%20we%20don't%20have%20the%20%22Microsoft%20Code%20Signing%20PCA%202011%22%20anywhere.%26nbsp%3B%20U%3C%2FSPAN%3Ender%20trusted%20publishers%2C%20we%20only%20have%20our%20inhouse%20code%20signing%20certs%20listed.%20I%20did%20a%20search%20for%20all%20certs%20issued%20by%20and%20issued%20to%20Microsoft%20and%20it%20definitely%20isn't%20on%20our%20Windows%2010%20machines%20which%20are%20on%20May%2FJune%202020%20update%20level.%26nbsp%3B%20the%20only%20code%20signing%20certs%20from%20MS%20we%20have%20are%20for%20%22Microsoft%20Windows%20Hardware%20compatibility%22%20and%20%22Symantec%20Enterprise%20Mobile%20Root%20for%20Microsoft%22%26nbsp%3B%20.%3C%2FP%3E%3CP%3EI%20checked%20our%20SOE%20build%2C%20a%20fresh%20build%20of%20windows%2010%20enterprise%20and%20my%20personal%20windows%2010%20home%20and%20the%20cert%20isn't%20on%20any%20of%20them.%26nbsp%3B%20%26nbsp%3BAny%20idea%20where%20I%20can%20get%20it%20from%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1484900%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484900%22%20slang%3D%22en-US%22%3E%3CP%3Eforgot%20to%20mention%3C%2FP%3E%3CP%3Ewin%2010%20enterprise%20was%201909%2C%20our%20SOE%20is%201809%20and%20home%20version%20is%201909%2C%20in%20case%20it%20was%20only%20made%20part%20of%20a%20particular%20Win10%20build%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1484901%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484901%22%20slang%3D%22en-US%22%3E%3CP%3Ealso%20verified%20not%20in%20intermediate%20CA%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1485789%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1485789%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F304933%22%20target%3D%22_blank%22%3E%40PaulKlerkx%3C%2FA%3E%26nbsp%3BI%20ran%20a%20quick%20test%20in%20my%20lab%20environment%2C%20and%20it%20appears%20that%20the%20%22Microsoft%20Code%20Signing%20PCA%202011%22%20certificate%20is%20added%20to%20the%20Intermediate%20Certification%20Authorities%20on%20the%20system%20where%20the%20ConfigMgr%20console%20was%20used%20to%20create%20the%20Edge%20application.%20In%20my%20environment%2C%20this%20hasn't%20caused%20any%20issues%2C%20but%20application%20installation%20policies%20might%20be%20a%20bit%20more%20strict%20in%20yours.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20I'd%20try%20next%20is%3A%20export%20the%20certificate%20on%20the%20ConfigMgr%20console%20computer%2C%20and%20then%20import%20that%20into%20a%20GPO%20so%20it%20can%20be%20distributed%20to%20all%20ConfigMgr%20client%20computers.%20You%20could%20probably%20do%20the%20same%20using%20ConfigMgr%20Certificate%20Profiles.%20Good%20luck!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1487775%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1487775%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3B%20Awesome%2C%20thanks%2C%20Michiel%2C%2C%20found%20the%20cert%20on%20the%20MECM%20server%2C%20will%20respond%20here%20once%20I%20have%20tested.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1487791%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1487791%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20didn't%20work%2C%20I%20tried%20in%20both%20intermediate%20certification%20authority%20and%20trusted%20publishers%2C%20Edge%20still%20won't%20install%2C%20the%20message%20is%26nbsp%3B%3C%2FP%3E%3CP%3EInstall-Edge.ps1%20is%20published%20by%20CN%3DMicrosoft%26nbsp%3BCorporation%2C%20O%3DMicrosoft%20Corporation%2C%20L%3DRedmond%2C%20S%3DWashington%2C%20C%3DUS%20and%20is%20not%20trusted%20on%20your%20system.%20Only%20run%20scripts%26nbsp%3Bfrom%20trusted%20publishers.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20Execution%20policy%20is%20set%20to%20allsigned.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1492040%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1492040%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F304933%22%20target%3D%22_blank%22%3E%40PaulKlerkx%3C%2FA%3E%26nbsp%3BSorry%2C%20I'm%20out%20of%20ideas.%20I%20have%20been%20unable%20to%20reproduce%20this%20in%20my%20test%20environment%2C%20with%20or%20without%20the%20code%20signing%20certificate%20installed%20on%20the%20client%2C%20and%20with%20any%20one%20of%20the%20PowerShell%20execution%20policies%20configured%20in%20the%20client%20settings.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20note%20that%20the%20PowerShell%20execution%20policy%20specified%20in%20the%20ConfigMgr%20client%20settings%20applies%20to%20PowerShell%20scripts%20run%20by%20ConfigMgr%20only.%20If%20you're%20running%20the%20installation%20command%20line%20manually%2C%20a%20different%20execution%20policy%20might%20apply%20to%20your%20user%20session.%20You%20might%20want%20to%20try%20again%20with%20the%20policy%20set%20to%20Bypass%20(in%20your%20user%20session)%20explicitly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1493711%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1493711%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20help%20on%20this%2C%20I%20tried%20running%20both%20from%20config%20manager%20and%20dot%20sourcing%20install%20script%20via%20power%20shell%20command%20line.%20%26nbsp%3BI%20am%20on%20two%20weeks%20leave%20from%20now%20so%20won%E2%80%99t%20be%20able%20to%20check%20this%20till%20I%20get%20back.%20%26nbsp%3B%3CBR%20%2F%3EI%20did%20have%20one%20thought%2C%20obviously%20better%20if%20it%20works%20as%20is%2C%20but%20as%20that%20doesn%E2%80%99t%20appear%20to%20be%20working%2C%20I%E2%80%99ll%20resign%20the%20script%20with%20my%20own%20code%20signing%20cert%20and%20deploy%20it%20that%20way.%20%26nbsp%3BWe%20have%20allsigned%20as%20our%20execution%20policy%20both%20via%20group%20policy%20and%20config%20manager%2C%20so%20all%20our%20scripts%20are%20signed%20and%20I%20know%20my%20cert%20works.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1494533%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1494533%22%20slang%3D%22en-US%22%3ESounds%20like%20a%20plan%3B%20let%20us%20know%20how%20it%20goes!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532347%22%20slang%3D%22en-US%22%3ERe%3A%20Untrusted%20Certificate%20when%20installing%20Microsoft%20Edge%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532347%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3BAfter%20signing%20with%20my%20own%20code%20signing%20cert%2C%20edge%20installed%20fine%20both%20manually%20and%20from%20MECM.%26nbsp%3B%20I%20noticed%20that%20V84%20of%20edge%20is%20now%20available%2C%20so%20I%20created%20a%20package%20for%2084.0.522.40%20and%20it%20installs%20fine.%26nbsp%3B%20It%20seems%20the%20issue%20was%20limited%20to%20the%20my%20V83%20package%20certificate%20signing.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%20resolved%2C%20thankyou%20for%20you%20assistance.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi, when I create a deployment using the Microsoft Edge Wizard in MECM 2002, then deploy it, the install times out. If I run the automatically created command manually, I get a message "Do you want to run software from this untrusted publisher. CN=Microsoft Corporation, O=Microsoft Corporation,L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers." . I'm assuming this is related to the fact that the ps1 scripts are now signed.  Can anyone tell me how I acquire this cert?  I'm assuming i need to add it to group policy...

11 Replies

@PaulKlerkx The PowerShell script cert chains to the "Microsoft Code Signing PCA 2011" cert, which in turn chains to the "Microsoft Root Certificate Authority 2011" cert. Both of these should be present on a Windows system, in the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" stores respectively. If they aren't there on your systems, I guess they were removed for some reason. If they are there, make sure the PowerShell execution policy isn't set to Restricted in your ConfigMgr client settings.

@Michiel Overweel -  We have the "Microsoft Root Certificate Authority 2011" cert in Trusted root certification Authorities, however we don't have the "Microsoft Code Signing PCA 2011" anywhere.  Under trusted publishers, we only have our inhouse code signing certs listed. I did a search for all certs issued by and issued to Microsoft and it definitely isn't on our Windows 10 machines which are on May/June 2020 update level.  the only code signing certs from MS we have are for "Microsoft Windows Hardware compatibility" and "Symantec Enterprise Mobile Root for Microsoft"  .

I checked our SOE build, a fresh build of windows 10 enterprise and my personal windows 10 home and the cert isn't on any of them.   Any idea where I can get it from?

forgot to mention

win 10 enterprise was 1909, our SOE is 1809 and home version is 1909, in case it was only made part of a particular Win10 build

also verified not in intermediate CA

@PaulKlerkx I ran a quick test in my lab environment, and it appears that the "Microsoft Code Signing PCA 2011" certificate is added to the Intermediate Certification Authorities on the system where the ConfigMgr console was used to create the Edge application. In my environment, this hasn't caused any issues, but application installation policies might be a bit more strict in yours.

 

What I'd try next is: export the certificate on the ConfigMgr console computer, and then import that into a GPO so it can be distributed to all ConfigMgr client computers. You could probably do the same using ConfigMgr Certificate Profiles. Good luck!

@Michiel Overweel  Awesome, thanks, Michiel,, found the cert on the MECM server, will respond here once I have tested.  

That didn't work, I tried in both intermediate certification authority and trusted publishers, Edge still won't install, the message is 

Install-Edge.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.

 

Our Execution policy is set to allsigned.  

 

@PaulKlerkx Sorry, I'm out of ideas. I have been unable to reproduce this in my test environment, with or without the code signing certificate installed on the client, and with any one of the PowerShell execution policies configured in the client settings.

 

Please note that the PowerShell execution policy specified in the ConfigMgr client settings applies to PowerShell scripts run by ConfigMgr only. If you're running the installation command line manually, a different execution policy might apply to your user session. You might want to try again with the policy set to Bypass (in your user session) explicitly.

@Michiel Overweel thanks for your help on this, I tried running both from config manager and dot sourcing install script via power shell command line.  I am on two weeks leave from now so won’t be able to check this till I get back.  
I did have one thought, obviously better if it works as is, but as that doesn’t appear to be working, I’ll resign the script with my own code signing cert and deploy it that way.  We have allsigned as our execution policy both via group policy and config manager, so all our scripts are signed and I know my cert works.  

Sounds like a plan; let us know how it goes!

@Michiel Overweel After signing with my own code signing cert, edge installed fine both manually and from MECM.  I noticed that V84 of edge is now available, so I created a package for 84.0.522.40 and it installs fine.  It seems the issue was limited to the my V83 package certificate signing.  

 

Problem resolved, thankyou for you assistance.