Hello all,
More and more customers ask to disable macros and unsigned add-ins.
However, not many vendors automatically install their certificate into the Trusted Publishers cert store.
Would it be possible for you to do this? And nag/push publishers when they fail to deliver...
Right now, my workflow:
add app and update in PMPC for testing
install app
go to Office to identify the binary path for the addin
go back to PMPC and add a post-install and pre-uninstall script on both app and update:
Update-TrustedPublisher.ps1
e.g. Update-TrustedPublisher.ps1 -Action Add -Files "C:\Program Files (x86)\LiquidFiles Client V3\LiquidFiles Outlook Plugin\adxloader64.dll"
[CmdletBinding()]
param (
    [Parameter( Mandatory = $false )]
    [ValidateSet( 'Add', 'Remove' )]
    [String] $Action = 'Add',

    [Parameter( Mandatory = $false, HelpMessage = 'Base path that the files are relative to.' )]
    [AllowNull()]
    [AllowEmptyString()]
    [String] $BasePath = $null,

    [Parameter( Mandatory = $true, HelpMessage = 'Signed files from which the publisher certificate is taken.' )]
    [String[]] $Files
)

# Stop any transcript the calling process may have left running, then start our own.
try {
    Stop-Transcript | Out-Null
} catch [System.InvalidOperationException] {}
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\TrustedPublisher.log" -Append | Out-Null

$store = $null
try {
    if (-not [String]::IsNullOrEmpty($BasePath)) {
        Write-Output "BasePath set to `"$BasePath`"."
    }

    # Open the machine-wide Trusted Publishers store once, read/write (needs admin / SYSTEM).
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')

    foreach ($file in $Files) {
        $path = if (-not [String]::IsNullOrEmpty($BasePath)) { Join-Path -Path $BasePath -ChildPath $file } else { $file }
        # Test-Path first: Resolve-Path throws on a missing file, so the check must come before it.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Output "File `"$path`" does not exist."
            continue
        }
        $path = (Resolve-Path -LiteralPath $path).Path

        Write-Output "Extracting certificate from `"$path`""
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Only trust a publisher whose signature actually verifies; an unsigned or tampered file has no usable signer.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
            Write-Output "Signature on `"$path`" is $($sig.Status); skipping."
            continue
        }
        # The signer is the leaf code-signing certificate, which is what belongs in Trusted Publishers (never its issuing CA).
        $cert = $sig.SignerCertificate
        $subject = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        switch ($Action) {
            'Add' {
                Write-Output ("Adding certificate ({0}, {1}) to Trusted Publishers" -f $subject, $cert.Thumbprint)
                $store.Add($cert)      # no-op if the certificate is already present
            }
            'Remove' {
                Write-Output ("Removing certificate ({0}, {1}) from Trusted Publishers" -f $subject, $cert.Thumbprint)
                $store.Remove($cert)
            }
        }
    }
} finally {
    # Runs on success and on error, so the store handle and the log are always closed.
    if ($store) { $store.Close() }
    Stop-Transcript | Out-Null
}
select "Republish during next sync schedule" and enable sync for both app and update
trigger sync
Manually uninstall the app from the test device using the LAPS password I have to look up from Intune
install the app again
check for and be satisfied about the trusted publisher certificate
Quite a few steps. And as PMPC only downloads the installer when creating the package and directly uploads it, there is no local package I can easily test on a dev machine.
(would be awesome if PMPC allowed to right click an app to "test installation in sandbox")
thanks & regards,
Stefan
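The last step of the workflow above ("check for and be satisfied about the trusted publisher certificate") can be scripted as well. The following is an added example, not part of the original post or of PMPC; the add-in path is a placeholder. It takes the same signed add-in files, verifies that the Authenticode signature is valid and carries the code-signing EKU, checks that exactly the leaf certificate is present in LocalMachine\TrustedPublisher, and flags any CA certificate that has ended up in that store, because a CA there trusts every publisher that CA ever signs rather than one vendor.

```powershell
# Added example (not from the original post): verify Trusted Publishers state for signed add-ins.
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Get-CertEkus {
    param([X509Certificate2] $Cert)
    # Collect EKU OIDs from the Enhanced Key Usage extension (empty list if the extension is absent).
    $Cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

function Test-IsCaCert {
    param([X509Certificate2] $Cert)
    # Basic Constraints with cA=true means this is an issuer, not a publisher.
    [bool] ($Cert.Extensions |
        Where-Object { $_ -is [X509BasicConstraintsExtension] -and $_.CertificateAuthority })
}

function Test-AddinPublisherTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Files
    )

    $store = [X509Store]::new([StoreName]::TrustedPublisher, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadOnly)   # read-only: no elevation needed for the check
    try {
        $trusted = @{}
        foreach ($c in $store.Certificates) { $trusted[$c.Thumbprint] = $c }

        # Any CA certificate in Trusted Publishers is a finding on its own.
        foreach ($c in $store.Certificates) {
            if (Test-IsCaCert $c) {
                Write-Warning ("CA certificate in Trusted Publishers: {0} ({1}) - this trusts every publisher it issues" -f `
                    $c.GetNameInfo([X509NameType]::SimpleName, $false), $c.Thumbprint)
            }
        }

        foreach ($file in $Files) {
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
                [pscustomobject]@{ File = $file; Publisher = $null; Thumbprint = $null; SignatureStatus = 'FileMissing'
                                   CodeSigningEku = $false; InTrustedPublishers = $false; Expires = $null; Ok = $false }
                continue
            }

            $sig  = Get-AuthenticodeSignature -FilePath $file
            $leaf = $sig.SignerCertificate
            $hasEku  = $false
            $inStore = $false
            $subject = $null
            $expires = $null

            if ($leaf) {
                $subject = $leaf.GetNameInfo([X509NameType]::SimpleName, $false)
                $expires = $leaf.NotAfter
                $hasEku  = (Get-CertEkus $leaf) -contains $CodeSigningEku
                $inStore = $trusted.ContainsKey($leaf.Thumbprint)
            }

            # Ok only when the signature verifies, the signer is a code-signing leaf, and that exact leaf is trusted.
            $ok = ($sig.Status -eq 'Valid') -and $hasEku -and $inStore -and ($expires -gt (Get-Date))

            [pscustomobject]@{
                File                = $file
                Publisher           = $subject
                Thumbprint          = if ($leaf) { $leaf.Thumbprint } else { $null }
                SignatureStatus     = $sig.Status
                CodeSigningEku      = $hasEku
                InTrustedPublishers = $inStore
                Expires             = $expires
                Ok                  = $ok
            }
        }
    } finally {
        $store.Close()
    }
}

# Placeholder path (assumption); point this at the real add-in loader on the test device.
Test-AddinPublisherTrust -Files 'C:\Program Files (x86)\LiquidFiles Client V3\LiquidFiles Outlook Plugin\adxloader64.dll' |
    Format-Table -AutoSize
```

Run it on the test device after the reinstall step; an `Ok = False` row tells you which condition failed (missing file, invalid signature, wrong EKU, certificate not in the store, or expired) instead of having to open certlm.msc and compare thumbprints by hand. The expiry check matters because Office will keep loading an add-in signed before expiry with a timestamp, but a renewed vendor certificate is a new leaf that has to be added again.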