Windows – How to Automatically Trust Auto Enrolled Code Signing Certificates

Tags: certificate, group-policy, powershell, windows

In my organization all developers are set up to be granted a code signing certificate via Auto Enrollment. Additionally, PowerShell is configured by group policy to require all scripts to be signed. However, PowerShell does not trust any of the code signing certificates without manual intervention.

I saw the question "Are code signing certificates automatically trusted across the domain if the root CA is trusted?" and have verified that the code signing certificates are children of the root, and that the root is listed as a trusted CA on all machines in my organization.

However, according to this answer (https://serverfault.com/a/542179), Authenticode (what PowerShell uses for validating signatures) does not follow certificate chains. So, I cannot simply add a root and be done. I have to add each certificate manually.

Thus leading to my question.

How can I get all of the Auto Enrollment generated code signing certificates automatically added to "Trusted Publishers"?

All I have been able to find is documentation on how to do it with group policy one certificate at a time, manually (e.g. http://technet.microsoft.com/en-us/library/cc772491.aspx). I really want an automated process that happens seamlessly when the auto enrollment certificate is created. How can I do that?

Best Answer

In enterprise environments it is not possible. You will have to publish new code signing certificates via group policies manually: Computer Configuration\Windows Settings\Security Settings\Public Key Services\Trusted Publishers section.
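As an added illustration (not part of the question or the answer above), the following PowerShell function shows the distinction the thread turns on: Get-AuthenticodeSignature validates the chain and hash, but PowerShell's AllSigned policy additionally requires the signer certificate itself to be in the Trusted Publishers store. The function lists, for each signed script under a folder, whether its signer is already published there, so an administrator can see which auto-enrolled certificates still need the GPO entry the answer describes. The folder path is a placeholder.

```powershell
# Added example; assumes scripts live under $ScriptRoot and the caller can read
# Cert:\LocalMachine\TrustedPublisher (the store a Trusted Publishers GPO populates).
function Get-ScriptSignerTrust {
    param(
        [Parameter(Mandatory)] [string] $ScriptRoot
    )

    # Thumbprints of certificates already trusted as publishers on this machine
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Select-Object -ExpandProperty Thumbprint

    # OID for the Code Signing enhanced key usage
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'

    Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        if ($null -eq $cert) {
            # Unsigned script: blocked under AllSigned regardless of any store contents
            [pscustomobject]@{
                Script = $_.FullName; Signer = $null; Thumbprint = $null
                Status = $sig.Status; CodeSigningEku = $false; InTrustedPublishers = $false
            }
            return
        }

        # Look for the EKU extension and check that it carries the Code Signing OID
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasCodeSigningEku = ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }) -ne $null

        [pscustomobject]@{
            Script              = $_.FullName
            Signer              = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            # Status reflects chain and hash validation only; a chain-valid signature from a
            # publisher missing from Trusted Publishers still prompts under AllSigned.
            Status              = $sig.Status
            CodeSigningEku      = $hasCodeSigningEku
            InTrustedPublishers = $trusted -contains $cert.Thumbprint
        }
    }
}

# Usage: show signers that are not yet published, i.e. candidates for the GPO entry.
Get-ScriptSignerTrust -ScriptRoot 'C:\DevScripts' |
    Where-Object { $_.Signer -and -not $_.InTrustedPublishers } |
    Format-Table Script, Signer, Thumbprint, Status -AutoSize
```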
