Microsoft has described in a blog post (Adding a Certificate to Trusted Publishers using Intune) how to create a custom configuration profile that gets a certificate into the Trusted Publisher store. Since there are several manual steps to read the thumbprint from the certificate and encode it as a Base64 string, I wrote a script that does all this for you and automatically creates a new configuration profile.
How does it work?
The certificate thumbprint is read and a Base64 string is generated from the certificate:
# Load the certificate once; .Thumbprint is the SHA-1 hash as uppercase hex, Export('Cert') returns the DER bytes
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificatePath)
$certThumbprint = $cert.Thumbprint
$encodeCertificate = [System.Convert]::ToBase64String($cert.Export('Cert'), 'InsertLineBreaks')
After that the OMA-URI, which contains the thumbprint, is built:
$omaUri = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$certThumbprint/EncodedCertificate"
With this information the JSON body of the custom configuration profile is created and then imported into Intune:
$customConfigProfile = @"
{
    "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
    "description": "",
    "displayName": "$confProfileName",
    "omaSettings": [
        {
            "@odata.type": "#microsoft.graph.omaSettingString",
            "displayName": "$fileName",
            "description": "",
            "omaUri": "$omaUri",
            "value": "$encodeCertificate"
        }
    ]
}
"@
Import-ConfigurationProfile -ConfigProfile $customConfigProfile
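As an added example (not the author's script), here is a self-contained PowerShell version of the same flow that also performs the checks a practitioner would want before handing a publisher certificate to every device: it recomputes the SHA-1 thumbprint from the DER bytes, warns if the certificate is expired or lacks the Code Signing EKU, and lets ConvertTo-Json do the escaping instead of a here-string. The function names and the -Scope parameter are assumptions of this example; the optional publish step assumes the Microsoft.Graph.Authentication module and posts to the Graph deviceConfigurations endpoint, which is where windows10CustomConfiguration objects live.

```powershell
# Added example, not the script from the original post.
# Builds the Intune custom-profile body for a Trusted Publisher certificate.
function New-TrustedPublisherProfileBody {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,
        [Parameter(Mandatory)] [string] $ProfileName,
        # Assumption: the RootCATrustedCertificates CSP is addressed per device or per user.
        [ValidateSet('Device', 'User')] [string] $Scope = 'Device'
    )

    # X509Certificate2 accepts both DER and Base-64 encoded .cer files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # Export('Cert') always yields DER, regardless of how the file was encoded.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

    # The thumbprint is SHA-1 over the DER bytes; recompute it and compare to .Thumbprint.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $recomputed = ($sha1.ComputeHash($der) | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($recomputed -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch for $CertificatePath (expected $($cert.Thumbprint), got $recomputed)"
    }

    # Practitioner checks: an expired cert or a cert without the Code Signing EKU
    # (1.3.6.1.5.5.7.3.3) is almost certainly the wrong thing to trust as a publisher.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $($cert.Subject) expired on $($cert.NotAfter)"
    }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    if (-not $hasCodeSigning) {
        Write-Warning "Certificate $($cert.Subject) does not carry the Code Signing EKU"
    }

    # Base64 without line breaks so the setting value is a single JSON string.
    $encoded = [System.Convert]::ToBase64String($der)
    $omaUri  = "./$Scope/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($cert.Thumbprint)/EncodedCertificate"

    $body = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $ProfileName
        description   = "Trusted Publisher: $($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
        omaSettings   = @(
            [ordered]@{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = [System.IO.Path]::GetFileName($CertificatePath)
                description   = ''
                omaUri        = $omaUri
                value         = $encoded
            }
        )
    }
    # ConvertTo-Json escapes the value, so no manual quoting is needed.
    return ($body | ConvertTo-Json -Depth 5)
}

# Optional publish step. Assumption: Microsoft.Graph.Authentication is installed and
# Connect-MgGraph has been run with DeviceManagementConfiguration.ReadWrite.All.
function Publish-TrustedPublisherProfile {
    param([Parameter(Mandatory)] [string] $Json)
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body $Json -ContentType 'application/json'
}

# Usage (file name and profile name are placeholders):
# $json = New-TrustedPublisherProfileBody -CertificatePath .\vendor-signing.cer -ProfileName 'Trusted Publisher - Vendor'
# $json                                   # review the payload first
# Publish-TrustedPublisherProfile -Json $json
```

Keep in mind what this profile does on the endpoint: anything signed with that certificate is now from a "trusted publisher", so signed drivers install without a prompt, scripts signed by it run under the AllSigned execution policy, and AppLocker or WDAC publisher rules keyed on it apply. Deploy only the leaf code-signing certificate you have actually vetted, not a CA certificate, and review the JSON before publishing.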
What you need to do
- Download the script from my GitHub repository
- Run the Add-CertificateToTrustedStore.ps1 PowerShell script
- Enter the UPN to get an auth token for the Graph API
- Perform the authentication
- When the authentication is completed, a file browser will pop up. Here you can select the certificate (a Base-64 encoded X.509 .cer file) that you want to distribute as a trusted publisher certificate
- Next, enter a name for the Configuration Profile in Intune
- That's all you need to do. The configuration profile is now created in Intune.
- Now you can assign the Configuration Profile to a group
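Once the profile is assigned, you will want to confirm on an enrolled device that the certificate actually arrived in the machine Trusted Publisher store and that nothing else is sitting there unnoticed. The following is an added example, not part of the original post or the author's script; the function names and the folder of deployed .cer files are assumptions.

```powershell
# Added example (not from the original post): compare the device's Trusted Publisher
# store against the set of certificates you intended to deploy.
function Compare-TrustedPublisherStore {
    param(
        # Thumbprints of the certificates you deployed, e.g. read from the .cer files.
        [Parameter(Mandatory)] [string[]] $ExpectedThumbprints,
        # Assumption: the profile used the ./Device scope, so the machine store is checked.
        [string] $StorePath = 'Cert:\LocalMachine\TrustedPublisher'
    )
    # Normalise thumbprints: strip spaces/colons and compare in uppercase.
    $expected = @($ExpectedThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() })
    $present  = @(Get-ChildItem -Path $StorePath | Select-Object -ExpandProperty Thumbprint)

    [pscustomobject]@{
        Deployed   = @($expected | Where-Object { $_ -in $present })
        Missing    = @($expected | Where-Object { $_ -notin $present })
        # Publishers trusted on this device that are not in your deployed set.
        Unexpected = @($present  | Where-Object { $_ -notin $expected })
    }
}

# Derive the expected list from the same .cer files that were pushed, so the check
# uses exactly the thumbprint computation the profile's OMA-URI is built from.
function Get-ThumbprintsFromCerFiles {
    param([Parameter(Mandatory)] [string] $Folder)
    Get-ChildItem -Path $Folder -Filter *.cer | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName).Thumbprint
    }
}

# Usage (folder path is a placeholder):
# $result = Compare-TrustedPublisherStore -ExpectedThumbprints (Get-ThumbprintsFromCerFiles -Folder .\deployed-certs)
# if ($result.Missing)    { Write-Warning "Not applied yet: $($result.Missing -join ', ')" }
# if ($result.Unexpected) { Write-Warning "Trusted publishers outside the deployed set: $($result.Unexpected -join ', ')" }
```

A non-empty Missing list usually just means the device has not synced yet; a non-empty Unexpected list is worth a look, because every entry in that store is a publisher whose signed code Windows will trust without asking.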
I hope this script simplifies your work of creating a configuration profile that imports a certificate into the Trusted Publisher store.
Stay healthy, Cheers
Jannik
Update 02.08.2022:
You can also download my script from the PowerShell Gallery:
Install-Script -Name Add-CertificateToTrustedStore
If you are interested in more Intune tips, you might also like my post about how to re-enroll devices without a wipe.
If you are just getting started with Intune, you might also like my Intune Quick Start Guide.
If you want to deploy configurations more gradually, check out my post about creating smart groups for wave deployment of configurations in Intune.
The link to the blog post has an extra 'v' in the URL. The correct URL is:
https://techcommunity.microsoft.com/t5/intune-customer-success/adding-a-certificate-to-trusted-publishers-using-intune/ba-p/1974488
Thanks for the hint. It is corrected.