Adding a Certificate to Trusted Publishers using Intune

Microsoft has described in a blog post (Adding a Certificate to Trusted Publishers using Intune) how to create a custom config profile to get a certificate into the trusted publisher store. Since there are several manual steps to read the thumbprint from the certificate and encode it to a base64 string I wrote a script that does all this for you and automatically creates a new configuration policy.

How does it work

The certificate thumbprint is read and a base 64 string is generated from the certificate:

$certThumbprint = ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificatePath)).thumbprint
$encodeCertificate = [System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificatePath)).Export('Cert'), 'InsertLineBreaks')

After that the omaUri is created which contains the thumbprint:

$omaUri = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$certThumbprint/EncodedCertificate"

With this information the JSON is created and then imported into Intune.

$customConfigProfile = @"
    "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
    "description": "",
    "displayName": "$confProfileName",
    "omaSettings": [
            "@odata.type": "#microsoft.graph.omaSettingString",
            "displayName": "$fileName",
            "description": "",
            "omaUri": "$omaUri",
            "value":  "$encodeCertificate"

Import-ConfigurationProfile  -ConfigProfile $customConfigProfile

What you need to do

  • Download the script from my Git Hub repository
  • Run the Add-CertificateToTrustedStore.ps1 Powershell script
  • Enter the UPN to get an auth token for the graph api
  • Perform the authentication
  • When the authentication is completed a file browser will pop up. Here you can select the certificate (.cer file base-64 encoded X. 509) that you want to distribute as a trusted certificate
  • Next you need to enter a name for the Configuration Profile in Intune
  • That’s all you need to do. The configuration profile is now successfully created in Intune.
  • Now you can assign the Configuration Profile to a group

Hope I could simplify your work with this script to create a configuration profile which imports a certificate into the Trusted Publisher store.

Stay healthy, Cheers

Update 02.08.2022:

You can also download my script from the PowerShell Galery:

Install-Script -Name Add-CertificateToTrustedStore

2 thoughts on “Adding a Certificate to Trusted Publishers using Intune

Comments are closed.