I recently needed to deploy certificates to the Trusted Publishers store on Windows devices with Microsoft Intune. While the deployment of the certificates itself went fine (I could see the certificates show up in the store), the reporting in the Intune portal showed error code -2016281112 for every certificate.
I followed the steps from this Tech Community article, but I still saw the errors. I even opened a support case at Microsoft, and one of the responses from the support engineer was that this is a known error: it is on the backlog of the product group, but nobody knows when it will be fixed.
I'm glad I'm sometimes a bit stubborn and didn't want to close the support case immediately, because after some days I received a new update from an escalation engineer. He sent me a few screenshots and some additional information. He mentioned that the certificates could easily be deployed without reporting errors by opening the certificate (.cer) file in Notepad, removing the line breaks, and using that as the value in the custom Intune profile. OK, is it that simple? Did I miss that 🙂
Well, thanks, Microsoft support, for pointing me to that failure.
So that's it for this post: read the Tech Community article, and don't forget to remove the line breaks 🙂
No, let's briefly walk through the steps I took to deploy the certificates to the Trusted Publisher store.
Deploy the certificate with Intune
The deployment of the certificates is done using a custom configuration profile with Microsoft Intune.
To deploy the certificate, we need it in .cer format, and we need its thumbprint, because that goes into the custom OMA-URI.
There are several ways to retrieve the thumbprint; when you have the .cer file, you can simply open it and find the thumbprint on the Details tab.
Now open the .cer file with Notepad++.
In the Notepad++ menu, go to View > Show Symbol and check Show All Characters.
We now see that the certificate file contains many line breaks, which we need to remove.
When the line breaks are removed, copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
We are going to use this in a custom configuration profile as the value.
Time to switch to the Microsoft Intune portal.
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Devices, Windows, Configuration profiles
- Click +Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type
- Select Custom and click Create
- Enter a Name
- Click Next
- Click Add to add a new OMA-URI row
Fill in this information:
Name: Trusted Publishers – certificate name (enter what fits your needs)
OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/[thumbprint]/EncodedCertificate
Data Type: String
Value: the copied information from Notepad++
Replace [thumbprint] with the thumbprint of the certificate.
Click OK and add a row for every certificate you need to deploy.
Deploy the configuration profile to the group of your needs.
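As an added example (not code from the original post), the following PowerShell script covers the preparation steps above: it reads the .cer file, derives the thumbprint without spaces, produces the Base64 value as a single line so no line breaks can slip in, builds the OMA-URI, and after deployment checks that the certificate landed in the machine's Trusted Publishers store. The .cer path is a placeholder.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1 or later;
# the .cer path used at the bottom is a placeholder.

function New-TrustedPublisherRow {
    param([Parameter(Mandatory)][string]$CerPath)

    # X509Certificate2 reads both DER and Base64 (-----BEGIN CERTIFICATE-----) .cer files
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # .Thumbprint is the SHA-1 hash as hex without the spaces the certificate dialog shows;
    # spaces in the OMA-URI path break the setting
    $thumbprint = $cert.Thumbprint.ToLowerInvariant()

    # Re-encode the raw DER bytes as one Base64 line. ToBase64String inserts no line breaks,
    # so this replaces the manual Notepad++ step and cannot leave stray spaces behind.
    $value = [Convert]::ToBase64String($cert.RawData)
    if ($value -match '\s') { throw 'Value contains whitespace; Intune reports -2016281112 for such values.' }

    [pscustomobject]@{
        Name     = "Trusted Publishers - $($cert.Subject)"
        OmaUri   = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate"
        DataType = 'String'
        Value    = $value
    }
}

function Test-TrustedPublisherDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # The ./Device scope writes to the machine store, so a certificate that only shows up
    # under Cert:\CurrentUser was not deployed by this profile
    $hit = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -ieq $Thumbprint }
    [bool]$hit
}

# Usage: build the row for the Intune custom profile from a .cer file (placeholder path)
$row = New-TrustedPublisherRow -CerPath 'C:\Temp\publisher.cer'
$row | Format-List

# Usage: after the profile has applied, confirm on a device that it landed in the right store
if (Test-TrustedPublisherDeployed -Thumbprint $row.OmaUri.Split('/')[-2]) {
    'Certificate present in LocalMachine\TrustedPublisher'
} else {
    'Certificate not found in LocalMachine\TrustedPublisher'
}
```

Paste the Name, OmaUri, DataType and Value fields into the OMA-URI row of the custom profile exactly as printed.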
This is an example of a Microsoft certificate:
URI:
./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/8be3a0cd11b786fdd08057e34d82fc5488eb7286/EncodedCertificate
Value:
The end-result
The end result is what we expect: the certificate is deployed to the Trusted Publisher store.
The report shows only devices with a Success status.
And no error code -2016281112 anymore.
I hope this post will save you some time if you have faced the same error as I did.
A note on the Tech Community article mentioned above: it does very briefly mention that the value should not contain line breaks (but PG, why tell your support organization it's a known issue?).
13 Comments
Thank you soooooo much!!!!! I don’t know how long and far I searched for this
Thank you for this guide.
I have one question:
The thumbprint shows spaces in the cert details (11 22 33) dialogue window. If I check with PowerShell in the cert store, the thumbprint doesn't use spaces (112233).
I tried the thumbprint path without spaces but I am getting errors. Could this be a problem?
Spaces should be avoided in the OMA-URI, this will cause issues.
Mine ended up under current user. I do not see where it can be specified. I followed the article and deployed to devices. What am I missing?
Thanks! Cert is getting deployed fine. However, I still have error -2016281112.
I am getting the same error. Did you figure this out?
Today I needed to push a .cer to the trusted publishers and the push works, but even with all the instructions and steps within onenote++ I also still get the -2016281112 error in the Intune report blade.
Make sure that absolutely no break lines or spaces are in the text. Some people get spaces back when the break lines are removed. Otherwise give the example of the blog post a try.
Custom settings for NRPT rules
I have 5 domains; for them: DNS server configured, proxy not configured, automatically enabled, persistent not configured.
How do I create a custom setting for it? What will the OMA-URI, data type and value be?
Is there a way to get the certificate to deploy into the Personal Certificates store rather than Trusted Publishers?
If any device escapes or fails to download the certificate, we want to mark it as non-compliant, and we want to enforce conditional access: if a certificate is missing, access will be blocked for users.
How can we implement this in Intune?
Any chance you know how to deploy a certificate to "trusted root certificate authorities"?
Nevermind – was simply using ‘Root’ instead of TrustedPublisher. Cheers.