cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Adding a Certificate to Trusted Publishers using Microsoft Intune
By
Intune_Support_Team
Published Dec 10 2020 09:15 AM 49.2K Views
Intune_Support_Team
Microsoft
‎Dec 10 2020 09:15 AM

Adding a Certificate to Trusted Publishers using Microsoft Intune

‎Dec 10 2020 09:15 AM

By Jason Sandys – Sr. Program Manager | Microsoft Intune

 

Two significant actions on Windows devices require code-signing using a trusted, code-signing certificate:

 

In the case of third-party application updates, the tool used to inject the updates into the WSUS catalog signs the updates using a code-signing certificate that you provide. This signing is strictly required and enforced by Windows.

 

You must manually sign PowerShell scripts; this is also strictly required and enforced by Windows if the system's execution policy mandates this. See about signing in the PowerShell documentation for more details on script signing and the execution policy. See Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? for a detailed step-by-step of signing a script.

 

In addition to Windows trusting the code-signing certificate used to sign third-party application updates and PowerShell scripts, the certificate must also exist in the Trusted Publishers certificate store on systems installing the third-party update or running the PowerShell script. Adding a certificate to the Trusted Publishers store for a Windows device using Intune is straight forward but involves a few steps as outlined below.

 

Note: That the Base-64 string value cannot include extra formatting characters, such as embedded linefeeds (see RootCATrustedCertificates CSP for more information). Remove linefeeds by searching for “\r\b” and replace them with an empty string.

 

What's needed

You need the following three items to add a certificate to the Trusted Publishers store using Intune.

  • The code-signing certificate you wish to add.
  • The base-64 encoded version of the code-signing certificate.
  • The thumbprint of the code-signing certificate.

 

You don't need the private key for the certificate. You only need the private key when signing a file including scripts and third-party updates.

 

The code-signing certificate

If you don't have a copy of the code-signing certificate, you can extract it from a file previously signed by the certificate using the following steps:

  1. Right-click on the signed file and choose Properties.

  2. Choose the Digital Signatures tab. If this tab does not appear, then the file is not signed.

  3. Choose the appropriate signature from the Signatures list and then select Details. Most files will only have a single signature.

  4. In the Digital Signature Details dialog, choose View Certificate.

  5. In the Certificate dialog, choose the Details tab and select Copy to File.

  6. Complete the Certificate Export Wizard to create a CER file containing the certificate. Choose Base-64 encoded x.509 (.CER) for the Export File Format.

  7. Select OK on the three open dialogs.

    Code-signing certificate dialog boxes on a Windows device.Code-signing certificate dialog boxes on a Windows device.

 

Thumbprint of the certificate

A certificate's thumbprint is a dynamically computed identifier that uniquely distinguishes it from other certificates. You can retrieve the thumbprint of a certificate in various ways, including the following:

  1. From the properties of the certificate. You can do this for either a certificate stored in a file (like the .CER file extracted above) or a certificate stored in the Windows certificate store:
    1. Open the certificate by double-clicking the file or the certificate's entry in the MMC Certificates snap-in. You can also right-click on the certificate and choose Open from the context menu.
    2. On the Details tab, scroll down to and select the Thumbprint item in the list box.
    3. Copy the thumbprint from the details pane in the dialog.
    4. Press OK to close the open Certificate dialog.
  2. Using PowerShell:
    1. For a certificate stored in a file (like the .CER file extracted above):
      ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).thumbprint​

      PowerShell terminal displaying the thumbprint of certs stored in a file.PowerShell terminal displaying the thumbprint of certs stored in a file.
    2. For a certificate stored in your Personal certificate store:
      Get-ChildItem -Path Cert:\CurrentUser\My | Format-Lis​t

      PowerShell terminal displaying the thumbprint of certs stored in a Personal certificate store.PowerShell terminal displaying the thumbprint of certs stored in a Personal certificate store.

Base-64 encoded version of the certificate

The base-64 encoded version of a certificate is a string-based representation of the certificate. This version contains the complete certificate but in a more portable format that is not bound to a file. Similar to the thumbprint, you can obtain the base-64 encoded version of a certificate in several ways, including the following:

  1. From a base-64 encoded .CER file (like the .CER file extracted above):
    1. Open the created .CER file with Notepad.
    2. Copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

      Note: The Base-64 string value cannot include extra formatting characters, such as embedded linefeeds (see RootCATrustedCertificates CSP for more information). Remove linefeeds by searching for “\r\b” and replace them with an empty string.
    3. Close Notepad.
  2. Using PowerShell:
    1. For a certificate stored in your Personal certificate store:
      [System.Convert]::ToBase64String((Get-Item -Path Cert:\CurrentUser\My\<thumbprint>).RawData, 'InsertLineBreaks')​

      PowerShell terminal displaying the thumbprint of Base-64 certs stored in a Personal certificate store.PowerShell terminal displaying the thumbprint of Base-64 certs stored in a Personal certificate store.
    2. For a certificate stored in a .CER file:
      [System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path_to_certificate>")).Export('Cert'), 'InsertLineBreaks')​

      PowerShell terminal displaying the thumbprint of Base-64 certs stored in a .CER file.PowerShell terminal displaying the thumbprint of Base-64 certs stored in a .CER file.

The Step-By-Step Guide

To add a certificate to the Trusted Publishers store using Intune, use a custom profile and an OMA-URI to apply a setting from the RootCATrustedCertificates CSP.

 

  1. Follow the instructions at Create a profile with custom settings in Intune to create a new, custom, Windows 10 device configuration profile.
  2. Use the following values for the fields in the custom profile:
    1. Name: The name of the certificate.
    2. OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/<thumbprint>/EncodedCertificate
    3. Data type: String
    4. Value: The base-64 encoded version of the certificate without any line breaks.

      Note: The Base-64 string value cannot include extra formatting characters, such as embedded linefeeds (see RootCATrustedCertificates CSP for more information). Remove linefeeds by searching for “\r\b” and replace them with an empty string.


      Intune - OMA-URI policy settings.Intune - OMA-URI policy settings.

  3. Add scope tags and assignments as necessary.

 

Additional Notes

  • Windows systems should already trust certificates issued by a public CA. When using a certificate from an alternate source for any purpose, including those listed in this article, you need to add the root certificates for the PKI that issued the certificate to your managed Windows devices. See Create trusted certificate profiles in Microsoft Intune for steps to do this using Intune.
  • Through the magic of Authenticode, a signature is still valid even if the code-signing certificate used to sign a file is past its expiration date. As long as the certificate was valid when it was used to sign a file, then the expiration of the certificate itself does not impact the validity of the signature.
  • Driver and Windows update installation also require signing using a trusted code-signing certificate, however, either Microsoft or the hardware vendor that creates and supplies the associated files signs them. Administrators do not have to add any certificates to the Trusted Publishers store and no additional action is necessary to install either of these.
  • If you're not signing your PowerShell scripts and configuring an execution policy to require signing of PowerShell scripts, you should strongly reconsider your practices as this is a very important safety measure (more on this in a follow-up post).
  • You can also use certutil.exe for all of the operations above. Official documentation on certutil.exe is sparse, though, so this is left as an exercise for the reader if desired.

 

Let us know if you have any additional questions on this by replying back to this post below or tagging @JasonSandys or @IntuneSuppTeam out on Twitter.

 

Post updates:

03/14/22: PowerShell formatting fix to include a parenthesis. Thanks for the feedback!

01/09/23: Added note about removing extra formatting characters for the RootCATrustedCertificates CSP. Thanks for the feedback!

32 Comments
Version history
Last update:
‎Nov 30 2023 04:16 PM
Updated by:
Labels