Add Trusted Publisher Certificates in Intune with PowerShell

Deploying a trusted publisher certificate with Microsoft Intune is something many admins struggle with, because the manual steps are tedious and error-prone. Microsoft has described in a blog post (Adding a Certificate to Trusted Publishers using Intune) how to create a custom config profile to get a certificate into the trusted publisher store. Since there are several manual steps to read the thumbprint from the certificate and encode it to a base64 string, I wrote a script that does all this for you and automatically creates a new configuration policy.

Why deploy a trusted publisher certificate with Intune

When you sign your own applications, scripts, or drivers, Windows will only trust them silently if the signing certificate is present in the local machine’s Trusted Publishers store. Pushing the certificate through Intune means every managed device gets it automatically, so users no longer see security prompts and your signed software just runs. Doing this at scale by hand is not realistic, which is exactly why automating the deployment is so valuable.

How does it work?

First the certificate is loaded, its thumbprint is read and the public certificate is exported as a Base64 string:

# Load the certificate once, then read the thumbprint and export the public part (no private key) as Base64
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificatePath)
$certThumbprint = $cert.Thumbprint
$encodeCertificate = [System.Convert]::ToBase64String($cert.Export('Cert'), 'InsertLineBreaks')

After that, the OMA-URI is built; it points at the TrustedPublisher store and contains the thumbprint as the node name:

$omaUri = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$certThumbprint/EncodedCertificate"

With this information the JSON body of a custom configuration profile is built and imported into Intune, which then delivers the certificate to your devices. For another Intune-focused workflow, have a look at Easy and Effective App Management in Intune.

$customConfigProfile = @"
{
    "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
    "description": "",
    "displayName": "$confProfileName",
    "omaSettings": [
        {
            "@odata.type": "#microsoft.graph.omaSettingString",
            "displayName": "$fileName",
            "description": "",
            "omaUri": "$omaUri",
            "value": "$encodeCertificate"
        }
    ]
}
"@

Import-ConfigurationProfile -ConfigProfile $customConfigProfile
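To show the whole flow in one place, here is an added example that is not the Add-CertificateToTrustedStore.ps1 script from the post. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest) and the v1.0 deviceConfigurations endpoint; the function name and parameters are my own. It refuses a file that carries a private key, warns when the certificate lacks the Code Signing EKU or has expired, builds the same OMA-URI as above and lets ConvertTo-Json handle the escaping of the Base64 value. Without -Publish it only returns the JSON, so you can inspect it before anything is sent.

```powershell
# Added example (not the script from the post). Assumes Microsoft.Graph.Authentication
# is installed; function name and parameters are my own.
function New-TrustedPublisherProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,
        [Parameter(Mandatory)] [string] $ProfileName,
        [switch] $Publish   # without this switch nothing is sent to Intune
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # A trusted publisher entry only ever needs the public certificate.
    if ($cert.HasPrivateKey) {
        throw "'$CertificatePath' contains a private key (.pfx?). Export the public certificate (.cer) and retry."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter); signed files will not be trusted."
    }

    # Warn if the certificate has an EKU extension that does not include Code Signing.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $codeSigningOid)) {
        Write-Warning "Certificate has no Code Signing EKU ($codeSigningOid); check that it is really the signing certificate."
    }

    $thumbprint = $cert.Thumbprint
    $encoded = [System.Convert]::ToBase64String(
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert),
        [System.Base64FormattingOptions]::InsertLineBreaks)

    # The thumbprint is part of the OMA-URI, so a renewed certificate needs a new profile.
    $omaUri = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate"

    $body = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $ProfileName
        description   = "Trusted Publisher: $($cert.Subject) (thumbprint $thumbprint)"
        omaSettings   = @(
            [ordered]@{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = [System.IO.Path]::GetFileName($CertificatePath)
                description   = ''
                omaUri        = $omaUri
                value         = $encoded
            }
        )
    }

    # ConvertTo-Json escapes the line breaks inside the Base64 value, so the body stays valid JSON.
    $json = $body | ConvertTo-Json -Depth 5

    if ($Publish) {
        # Assumed endpoint and scope; adjust if your tenant or module version differs.
        Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
        $result = Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
            -Body $json -ContentType 'application/json'
        Write-Host "Created profile '$($result.displayName)' with id $($result.id)"
    }

    return $json
}

# Dry run: prints the JSON that would be sent. Add -Publish to create the profile.
New-TrustedPublisherProfile -CertificatePath '.\CodeSigning.cer' -ProfileName 'Trusted Publisher - CodeSigning'
```

The description field is filled with subject and thumbprint so that, when you later have several of these profiles after a certificate renewal, the Intune portal tells you which one belongs to which certificate without opening the OMA-URI.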

What you need to do to add the trusted publisher certificate

  • Download the script from my GitHub repository
  • Run the Add-CertificateToTrustedStore.ps1 PowerShell script
  • Enter the UPN to get an auth token for the Graph API
  • Perform the authentication
  • When the authentication is completed a file browser will pop up. Here you can select the certificate (.cer file, Base-64 encoded X.509) that you want to distribute as a trusted certificate
  • Next you need to enter a name for the Configuration Profile in Intune
  • That’s all you need to do. The configuration profile is now successfully created in Intune.
  • Now you can assign the Configuration Profile to a group

I hope this script simplifies your work of creating a configuration profile that imports a trusted publisher certificate into the Trusted Publishers store. With one run you have a reusable, fully automated way to roll it out to every device in your tenant.

Stay healthy, Cheers
Jannik

Common pitfalls to watch out for

The most frequent mistake is exporting the certificate in the wrong format. The script expects a Base-64 encoded X.509 file (a .cer with the -----BEGIN CERTIFICATE----- header), not a DER-encoded binary or a .pfx that still contains the private key. A trusted publisher entry only ever needs the public certificate, so never ship the private key to your devices. If devices still prompt after the profile applies, double-check that the certificate is going into the TrustedPublisher store and not the Root or CA store, because the OMA-URI path is what decides the destination.

It is also worth remembering that the OMA-URI key includes the thumbprint. If you ever rotate or renew the signing certificate, the thumbprint changes and you will need a fresh configuration profile rather than an edit of the old one. Plan for this by keeping the script handy so re-running it for a new certificate takes only a minute.

How to verify the deployment

Once the profile shows as Succeeded in the Intune portal, confirm the result on a target device. Open certlm.msc, expand Trusted Publishers > Certificates, and check that your certificate appears with the expected thumbprint. You can also run Get-ChildItem Cert:\LocalMachine\TrustedPublisher in an elevated PowerShell session to list the store from the command line. After that, launching one of your signed applications or scripts should no longer trigger a security warning, which is the real proof that everything worked end to end.
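The verification above can be scripted so that it is repeatable on every test device. The following is an added example, not part of the original post; the function name and parameters are my own. It looks for the thumbprint in the TrustedPublisher store, reports when the certificate has landed in Root or CA instead (the OMA-URI mistake mentioned earlier), and, when you pass a signed file, checks with Get-AuthenticodeSignature that the file's signature is valid and was produced by exactly the deployed publisher. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the post). Run elevated on a target device.
function Test-TrustedPublisherDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $SignedFile   # optional: a script or binary signed with the deployed certificate
    )

    # Accept thumbprints copied from certlm.msc (spaces, mixed case).
    $normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object Thumbprint -eq $normalized

    if (-not $cert) {
        # Typical cause: the OMA-URI pointed at Root or CA instead of TrustedPublisher.
        $elsewhere = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
            Where-Object Thumbprint -eq $normalized
        if ($elsewhere) {
            Write-Warning "Certificate found in $($elsewhere.PSParentPath -join ', ') but not in TrustedPublisher."
        } else {
            Write-Warning "Certificate $normalized is not in TrustedPublisher, Root or CA of LocalMachine."
        }
        return $false
    }

    Write-Host "Found in TrustedPublisher: $($cert.Subject), valid until $($cert.NotAfter)"

    if ($SignedFile) {
        $sig = Get-AuthenticodeSignature -FilePath $SignedFile
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status for '$SignedFile' is $($sig.Status): $($sig.StatusMessage)"
            return $false
        }
        if ($sig.SignerCertificate.Thumbprint -ne $normalized) {
            Write-Warning "'$SignedFile' is signed by $($sig.SignerCertificate.Thumbprint), not by the deployed publisher."
            return $false
        }
        Write-Host "'$SignedFile' carries a valid signature from the deployed publisher."
    }

    return $true
}

# Usage: thumbprint of the certificate you deployed, plus one of your signed scripts.
Test-TrustedPublisherDeployment -Thumbprint '<THUMBPRINT FROM THE PROFILE>' -SignedFile 'C:\Tools\Deploy.ps1'
```

A Valid signature status together with a matching signer thumbprint is the same condition Windows evaluates before it decides whether to prompt, so a $true result here is the end-to-end proof the section asks for.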

Update 02.08.2022:

You can also download my script from the PowerShell Gallery:

Install-Script -Name Add-CertificateToTrustedStore

If you are interested in more Intune tips, you might also like my post about how to re-enroll devices without a wipe.

If you are just getting started with Intune, you might also like my Intune Quick Start Guide.

If you want to deploy configurations more gradually, check out my post about creating smart groups for wave deployment of configurations in Intune.

2 thoughts on “Add Trusted Publisher Certificates in Intune with PowerShell”

  1. The link to the blog post has an extra ‘v’ in the URL. Correct URL is: the corrected Microsoft reference
