06-21-2020 04:31 PM
06-21-2020 04:31 PM
Hi, when I create a deployment using the Microsoft Edge Wizard in MECM 2002, then deploy it, the install times out. If I run the automatically created command manually, I get a message "Do you want to run software from this untrusted publisher. CN=Microsoft Corporation, O=Microsoft Corporation,L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers." . I'm assuming this is related to the fact that the ps1 scripts are now signed. Can anyone tell me how I acquire this cert? I'm assuming i need to add it to group policy...
06-22-2020 01:18 AM
@PaulKlerkx The PowerShell script cert chains to the "Microsoft Code Signing PCA 2011" cert, which in turn chains to the "Microsoft Root Certificate Authority 2011" cert. Both of these should be present on a Windows system, in the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" stores respectively. If they aren't there on your systems, I guess they were removed for some reason. If they are there, make sure the PowerShell execution policy isn't set to Restricted in your ConfigMgr client settings.
06-23-2020 05:09 PM
@Michiel Overweel - We have the "Microsoft Root Certificate Authority 2011" cert in Trusted root certification Authorities, however we don't have the "Microsoft Code Signing PCA 2011" anywhere. Under trusted publishers, we only have our inhouse code signing certs listed. I did a search for all certs issued by and issued to Microsoft and it definitely isn't on our Windows 10 machines which are on May/June 2020 update level. the only code signing certs from MS we have are for "Microsoft Windows Hardware compatibility" and "Symantec Enterprise Mobile Root for Microsoft" .
I checked our SOE build, a fresh build of windows 10 enterprise and my personal windows 10 home and the cert isn't on any of them. Any idea where I can get it from?
06-23-2020 05:16 PM
forgot to mention
win 10 enterprise was 1909, our SOE is 1809 and home version is 1909, in case it was only made part of a particular Win10 build
06-24-2020 04:57 AM
@PaulKlerkx I ran a quick test in my lab environment, and it appears that the "Microsoft Code Signing PCA 2011" certificate is added to the Intermediate Certification Authorities on the system where the ConfigMgr console was used to create the Edge application. In my environment, this hasn't caused any issues, but application installation policies might be a bit more strict in yours.
What I'd try next is: export the certificate on the ConfigMgr console computer, and then import that into a GPO so it can be distributed to all ConfigMgr client computers. You could probably do the same using ConfigMgr Certificate Profiles. Good luck!
06-24-2020 04:36 PM
@Michiel Overweel Awesome, thanks, Michiel,, found the cert on the MECM server, will respond here once I have tested.
06-24-2020 04:57 PM
That didn't work, I tried in both intermediate certification authority and trusted publishers, Edge still won't install, the message is
Install-Edge.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
Our Execution policy is set to allsigned.
06-26-2020 06:26 AM
@PaulKlerkx Sorry, I'm out of ideas. I have been unable to reproduce this in my test environment, with or without the code signing certificate installed on the client, and with any one of the PowerShell execution policies configured in the client settings.
Please note that the PowerShell execution policy specified in the ConfigMgr client settings applies to PowerShell scripts run by ConfigMgr only. If you're running the installation command line manually, a different execution policy might apply to your user session. You might want to try again with the policy set to Bypass (in your user session) explicitly.
06-27-2020 04:29 AM
@Michiel Overweel thanks for your help on this, I tried running both from config manager and dot sourcing install script via power shell command line. I am on two weeks leave from now so won’t be able to check this till I get back.
I did have one thought, obviously better if it works as is, but as that doesn’t appear to be working, I’ll resign the script with my own code signing cert and deploy it that way. We have allsigned as our execution policy both via group policy and config manager, so all our scripts are signed and I know my cert works.
07-19-2020 07:26 PM
@Michiel Overweel After signing with my own code signing cert, edge installed fine both manually and from MECM. I noticed that V84 of edge is now available, so I created a package for 84.0.522.40 and it installs fine. It seems the issue was limited to the my V83 package certificate signing.
Problem resolved, thankyou for you assistance.