Importing Certificates with Remediations

Trusted Certificate profiles in Intune are great. Unfortunately, the only certificate stores you can access with these are the Trusted Root and Trusted Intermediate stores. Sometimes, we may need to import a certificate into a different store; Trusted Publishers and Trusted People are two that come to my mind. Luckily, we can easily use a Remediation to import a certificate into any store we want!

2024-01-02 EDIT: I learned that this has always been possible via custom OMA-URI settings as well, thanks Jeroen Burgerhout, neat!

Gather Certificate Information

First, let’s gather the needed information to put into our script. For this example, I will be using the WSUS signing certificate used to publish third party updates in my ConfigMgr site. Start by exporting the certificate we want, specifically as a base 64 encoded file:

Next, get the thumbprint of the certificate as well. This is easily done via PowerShell from a device that already has the certificate present; otherwise, you can read it from the exported certificate's properties:

Now that we have all of the information we need, we can combine it into our Remediation scripts:

Detection Script

https://github.com/ajf8729/Toolbox/blob/main/Intune/PR/Import%20Certificate/Detection.ps1

In the detection script, we will set $Thumbprint to be the value of the expected certificate we are checking for, and $Store to be the name of the certificate store we are checking.
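A detection script in that shape, as an added example rather than the Toolbox script linked above. The thumbprint is a constructed placeholder, the store name assumes Trusted Publishers, and the script assumes the Remediation runs in the default system context, so it checks the LocalMachine store:

```powershell
# Detection script (added example, not the linked Toolbox script).
# $Thumbprint is a placeholder: replace it with the thumbprint you gathered above.
# $Store is the Cert: provider name of the target store ('TrustedPublisher' here;
# 'TrustedPeople' would be the Trusted People store).
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder value
$Store      = 'TrustedPublisher'

# The Cert: drive exposes each certificate as an item named by its thumbprint,
# so a simple path test tells us whether the expected certificate is present.
$Path = "Cert:\LocalMachine\$Store\$Thumbprint"

if (Test-Path -Path $Path) {
    # Exit 0 tells Intune the device is compliant; no remediation runs.
    Write-Output "Certificate $Thumbprint found in $Store"
    exit 0
}
else {
    # Exit 1 tells Intune to run the remediation script.
    Write-Output "Certificate $Thumbprint not found in $Store"
    exit 1
}
```

Checking by thumbprint rather than by subject name means a differently issued certificate with the same name will not satisfy detection, which is what you want for a store as sensitive as Trusted Publishers.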

Remediation Script

https://github.com/ajf8729/Toolbox/blob/main/Intune/PR/Import%20Certificate/Remediation.ps1

In the remediation script, we will set the $Certificate here-string to be the base 64 encoded data from the exported certificate file.

Be sure to update the Store name to the correct value in both scripts if using a store other than Trusted Publishers.

The logic is simple: the detection script checks whether a certificate with the expected thumbprint exists in the store. If it does not, the remediation script writes the certificate to a temp file, imports it into the correct store with Import-Certificate, and deletes the temp file.
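A remediation script that follows those steps, as an added example and not the Toolbox script linked above. The here-string contents, the thumbprint and the store name are placeholders; the script additionally verifies that the certificate it just imported carries the thumbprint the detection script expects, and removes it again if it does not, so a wrong paste into the here-string cannot leave an unintended certificate in Trusted Publishers:

```powershell
# Remediation script (added example, not the linked Toolbox script).
# Placeholders: $Store, $Thumbprint and the body of $Certificate, which should hold the
# Base-64 text of the exported certificate file (the lines below are not a real certificate).
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions we can catch

$Store      = 'TrustedPublisher'
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder, must match detection
$Certificate = @'
-----BEGIN CERTIFICATE-----
PASTE-THE-BASE-64-LINES-FROM-THE-EXPORTED-CER-FILE-HERE
-----END CERTIFICATE-----
'@

$StorePath = "Cert:\LocalMachine\$Store"
$TempFile  = Join-Path -Path $env:TEMP -ChildPath "$Thumbprint.cer"
$ExitCode  = 1

try {
    # Write the Base-64 data out as ASCII; Import-Certificate reads .cer files in this form.
    Set-Content -Path $TempFile -Value $Certificate -Encoding Ascii -Force

    $Imported = Import-Certificate -FilePath $TempFile -CertStoreLocation $StorePath

    if ($Imported.Thumbprint -eq $Thumbprint) {
        Write-Output "Imported $Thumbprint into $Store"
        $ExitCode = 0
    }
    else {
        # The here-string did not contain the certificate detection is looking for.
        # Undo the import so the store is not left holding something unexpected.
        Write-Output "Imported thumbprint $($Imported.Thumbprint) does not match expected $Thumbprint; removing it"
        Remove-Item -Path (Join-Path -Path $StorePath -ChildPath $Imported.Thumbprint) -ErrorAction SilentlyContinue
    }
}
catch {
    Write-Output "Import failed: $($_.Exception.Message)"
}
finally {
    # Always clean up the temp file, whether or not the import succeeded.
    if (Test-Path -Path $TempFile) {
        Remove-Item -Path $TempFile -Force
    }
}

exit $ExitCode
```

The exit code is set inside the try block and issued only after the finally block, so the temp file is removed on every path, and Intune sees exit 0 only when the expected certificate is actually in the store.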

Once your scripts are configured, create a Remediation in Intune, upload the scripts, set your assignments, and you’re all set!

Happy New Year! 🥂
