Add a certificate to the Trusted Publishers with Intune without reporting errors

I recently needed to deploy certificates to the Trusted Publishers store on Windows devices with Microsoft Intune. And where the deployment of the certificates itself went fine (I could see the certificates show up in the store), the reporting in the Intune portal showed an error code -2016281112 for every certificate.

I followed the steps from this Tech community article, but still, I saw the errors. I even opened a support case at Microsoft and one of the responses from the support engineer was, that this is a known error. It is on the backlog of the product group, but no idea when it will be fixed.

I’m glad I’m sometimes a bit stubborn and didn’t want to close the support case immediately, because after some days I received a new update from an escalation engineer. He sent me a few screenshots and some additional information. He mentioned that the certificates could be easily deployed without reporting errors, by opening the certificate (.cer) file in Notepad, removing the break lines, and using that as the value in the custom Intune profile. OK, is it that simple, did I miss that 🙂
Well, thanks Microsoft support for pointing me to that failure.

So that’s it for this post, read the Tech community article, and don’t forget to remove the break lines 🙂
No, let’s briefly walk through the steps I took to deploy the certificates to the Trusted Publisher store.

Deploy the certificate with Intune

The deployment of the certificates is done using a custom configuration profile with Microsoft Intune.
To deploy the certificate we need to have the certificate in .cer format. We need to have the thumbprint of the certificate as we need to put that in the custom OMA-URI.

There are several ways to retrieve the thumbprint, when you have the cer file, you can easily open the file and find the thumbprint on the details tab.

Now open the cer file with Notepadd++.
From the menu op Notepadd++, go to View, Show Symbol and check Show all Characters.

And we now see we have a lot of break lines in the certificate file, which we need to remove.

When we have removed the break lines, we need to copy everything between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
We are going to use this in a custom configuration profile as the value.

Time to switch to the Microsoft Intune portal.

  • Sign in to the Microsoft Endpoint Manager admin center
  • Browse to DevicesWindowsConfiguration profiles
  • Click +Create profile
  • Select Windows 10 and later as Platform
  • Select Templates as Profile type
  • Select Custom and click Create
  • Enter a Name
  • Click Next
  • Click Add to add a new OMA-URI row

Fill in this information:

Name: Trusted Publishers – certificate name (enter what fits your needs)
OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/[thumbprint]/EncodedCertificate
Data Type: String
Value: the copied information from Notepad++

Replace [thumbprint] with the thumbprint of the certificate.

Click OK and add a row for every certificate you need to deploy.
Deploy the configuration profile to the group of your needs.

The end-result

The end-result is what we expect, the certificate is deployed to the Trusted Publisher store.

Only devices which show a Success status.

And no error code -2016281112 anymore.

I hope this post will save you some time when you faced the same error as I had.
And a note to the mentioned Tech Community article, it does very briefly mention the value shouldn’t have break lines (but PG why mention to your support organization it’s a known issue?)

8 Comments

  1. Thank you for this guide.

    I have one question:

    The thumbprint shows spaces in the cert details (11 22 33) dialogue windows. If i check with powershell in the cert store the thumbprint doesnt use spaces (112233).

    I tried the thumbprint path without spaces but i am getting erros. Could this be a problem ?

  2. Mine ended up under current user. I do not see where it can be specified. I followed the article and deployed to devices. What am I missing?

  3. Custom settings for NRPT rules

    I have 5 domain for them dns server configured, proxy not configured, automatically enabled , persistent not configured.

    How do I create a custom setting for it…….what will have Oma-URI, data type and value ?

  4. Is there a way to get the certificate to deploy into the Personal Certificates store rather than Trusted Publishers?

Leave a Reply

Your email address will not be published.


*