Publish code signing template
On the Certificate Store page, click Place all certificates in the following store, and then click Next. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish. Repeat steps 4 through 8 if you have a self-signed certificate or the root CA is not already in Trusted Root Certification Authorities. With Intune there is a simple configuration profile to deploy certificates to the Trusted Root or Intermediate Certification Authorities stores, but the Trusted Publishers store is not an option there.
Therefore we have to use a PowerShell script or a custom configuration profile for that. The custom configuration profile option is described in detail in the Tech Community. This section covers the PowerShell way.
First we need to encode the created .cer file as base64 with the following snippet. If you used my first snippet to create the certificate, the .cer file is on your desktop, the snippet will just work, and it creates a .ps1 script that is ready to deploy. The content of the. To start the deployment, open the Microsoft Endpoint Manager admin center and select Devices. In this step, browse for the generated .ps1 file.
Then click Next. Assign the script to the devices on which you want to use code-signed scripts in the future. I select All devices and click Next. The environment is now prepared and we can create a first script and sign it.
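The generator step described above, as an added example that is not the author's original snippet. It assumes the exported public certificate (no private key) is CodeSigning.cer on the desktop and that the generated Install-TrustedPublisher.ps1 is uploaded to Intune as a device script running in the SYSTEM context with Enforce script signature check set to No, because this bootstrap script cannot itself be trusted before it has run. The generated script embeds the certificate as base64, checks the thumbprint before installing, and is idempotent, so Intune re-running it on a device that already trusts the certificate changes nothing:

```powershell
# Added example (not the original post's snippet).
# Assumption: CodeSigning.cer is on the desktop; the output script is written next to it.
$desktop = [Environment]::GetFolderPath('Desktop')
$cerPath = Join-Path $desktop 'CodeSigning.cer'
$outPath = Join-Path $desktop 'Install-TrustedPublisher.ps1'

$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$base64 = [Convert]::ToBase64String($cert.RawData)

# Template of the script Intune will run. It is a single-quoted here-string, so the
# tokens are filled in below and nothing needs backtick escaping.
$template = @'
$expectedThumbprint = '__THUMB__'
$raw  = [Convert]::FromBase64String('__B64__')
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Embedded certificate thumbprint $($cert.Thumbprint) does not match $expectedThumbprint"
}

# Trusted Publishers is the store the AllSigned/RemoteSigned execution policies consult.
# A self-signed signing certificate must additionally be in Trusted Root, otherwise the
# chain does not build and Get-AuthenticodeSignature will not report the signature as Valid.
$stores = @('TrustedPublisher')
if ($cert.Subject -eq $cert.Issuer) { $stores += 'Root' }

foreach ($storeName in $stores) {
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
    if (-not $present) {
        $store.Add($cert)
        Write-Output "Added $($cert.Thumbprint) to LocalMachine\$storeName"
    } else {
        Write-Output "Already present in LocalMachine\$storeName"
    }
    $store.Close()
}
exit 0
'@

$template.Replace('__THUMB__', $cert.Thumbprint).Replace('__B64__', $base64) |
    Set-Content -Path $outPath -Encoding UTF8

Write-Output "Wrote $outPath for $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Only the public certificate goes into the deployed script; the signing key stays with whoever signs. If you already push the root CA with the Intune trusted certificate profile, the Root branch above is simply skipped for CA-issued certificates, since their Subject and Issuer differ.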
How you create the script is up to you, but afterwards you can use the following snippet to sign it. After each change to the .ps1 file you have to repeat the signing process, because the signature covers the file content. When you run the snippet, a grid view window opens in which you select your code signing certificate, and you can specify the path to your PowerShell script.
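The signing step, as an added example rather than the author's snippet. It assumes a code-signing certificate with a usable private key is in the current user's personal store; the timestamp server URL is an assumption, any RFC 3161 timestamp service works. The timestamp is what keeps a signed script valid after the certificate expires, and the verification at the end confirms that the file now carries a Valid signature from the certificate that was picked:

```powershell
# Added example (not the original post's snippet).
# Assumptions: certificate in Cert:\CurrentUser\My; timestamp server URL is illustrative.
param(
    [string]$ScriptPath      = (Read-Host 'Path to the PowerShell script to sign'),
    [string]$TimestampServer = 'http://timestamp.digicert.com'
)

if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

# Offer only certificates with the Code Signing EKU, a private key, and remaining validity.
$pick = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, Thumbprint, NotAfter |
    Out-GridView -Title 'Select the code signing certificate' -OutputMode Single

if (-not $pick) { throw 'No certificate selected' }
$cert = Get-Item -Path "Cert:\CurrentUser\My\$($pick.Thumbprint)"

# Sign with SHA-256 and a countersignature timestamp. Re-run after every edit to the file.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Verify independently of the signing call: Valid status, expected signer, timestamp present.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Signature was not produced by the selected certificate'
}
[pscustomobject]@{
    File        = $ScriptPath
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = $null -ne $sig.TimeStamperCertificate
}
```

Verifying with Get-AuthenticodeSignature on the signing machine checks the chain, not the Trusted Publishers membership; whether a device will actually run the script is decided on the device by its execution policy and the store the deployment script above populates.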
You can now create and assign the script in Intune as before, with one difference: you can now select Enforce script signature check! With these few extra steps you make your deployments much more secure by adding these two capabilities:

Instead of using the script feature in Intune, I could create an app and deploy the PS1 script to all devices, right? That way I would ensure that Intune keeps trying to install the certificate instead of running the script once.

No, because the detection is also executed after the installation. It then results in: The application was not detected after installation completed successfully 0x87DC.

On the General tab, specify the Template display name and Template name.
On the Request Handling tab, select the Allow private key to be exported check box. Note that an exportable key can be copied off the machine as a PFX, so protect any export with a strong password and keep it off shared storage. On the Extensions tab, select the Basic Constraints check box, and then click Edit. If a certificate manager is required to approve any issued certificates, on the Issuance Requirements tab, select CA certificate manager approval. On the Security tab, verify that the account that will request the certificate has the Enroll permission on the template.
When this certificate template has been created, you must publish it so that the CA can issue it. To do so, complete the following steps:

Now that the template is available to be issued, you must request a certificate from the computer running Windows 10 or Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: Double-click Certificates, and then select My user account. In the Request Certificate list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
In the Certificate Properties dialog box, for Type, select Common name. When added, click OK. If a certificate manager is required to approve issued certificates and you selected management approval on the template, the request must be approved in the CA before it is issued to the client.

Description: This document explains the steps to create a signing certificate using a local CA.
Open Certification Authority on the machine where you installed the certification authority. Expand the name of the certification authority and click Certificate Templates. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.
In the results pane, right-click the entry that displays "Code Signing" in the Template Display Name column, and then select Duplicate Template. The Properties of New Template console opens. Select the General tab and enter the template name for the site server signing certificate.
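The template procedure above (duplicate, configure, publish, request from a client) done from the command line, as an added example that is not part of the original document. The template name CodeSigningIntune, the subject name, the output path and the placeholder CA config are assumptions; the certutil line runs on the CA host (or with -config "CAHost\CAName"), the rest runs on the client that will sign. Beyond the text, it also checks what the CA actually issued, which is where a wrongly duplicated template shows up:

```powershell
# Added example (not from the original document).
# Assumptions: template name CodeSigningIntune, requesting user has Enroll on it,
# the CA is reachable from the client, output .cer goes to the desktop.
$templateName = 'CodeSigningIntune'

# Publish the template; this is the command-line form of "Certificate Templates to Issue".
# Run on the CA server, or add: -config "CAHost\CAName"
certutil -SetCATemplates "+$templateName"

# Enroll from the client. The common name is passed here instead of through the MMC's
# "More information is required" prompt described in the text.
$enrollment = Get-Certificate -Template $templateName `
    -SubjectName 'CN=Intune Script Signing' `
    -CertStoreLocation Cert:\CurrentUser\My

if ($enrollment.Status -eq 'Pending') {
    # CA certificate manager approval is set on the template. Approve the request in the
    # CA console, then complete enrollment with: Get-Certificate -Request $enrollment.Request
    Write-Output "Request $($enrollment.Request.Thumbprint) is pending CA manager approval"
    return
}

$cert = $enrollment.Certificate

# Checks on the issued certificate: Code Signing EKU (1.3.6.1.5.5.7.3.3), a usable private
# key, and an end-entity Basic Constraints extension (the template must not hand out a CA cert).
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
if ('1.3.6.1.5.5.7.3.3' -notin $ekuOids) { throw 'Issued certificate lacks the Code Signing EKU' }
if (-not $cert.HasPrivateKey)              { throw 'Private key is not available to this user' }

$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($basic -and $basic.CertificateAuthority) { throw 'Issued certificate is marked as a CA certificate' }

# Export only the public certificate for the Trusted Publishers deployment; never the key.
$cerPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CodeSigning.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Output "Issued $($cert.Subject), thumbprint $($cert.Thumbprint); public part exported to $cerPath"
```

If Get-Certificate reports the template is not found, the usual causes are that the template was not published on the CA, or that the requesting account lacks Read and Enroll on the template's Security tab.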