How to configure macros & a self-signed certificate using Intune

Recently, I worked on a requirement for configuring a macro as part of the standard build for devices being provisioned using Autopilot. As of now, there is no single complete solution available out of the box in Intune to achieve this, and there are a number of steps involved in the process.

At a high level, the process involves the following:

1. Install the macro on a reference device.
2. Create a self-signed certificate on the same reference device.
3. Sign the macro with the certificate and capture the .OTM file.
4. Export the certificate as a Base-64 encoded file.
5. Configure the Trust settings policy in Intune.
6. Create a Win32 app to copy the .OTM file into the user's profile path.
7. Configure the CSP in Intune to deploy the certificate to the Root CA and Trusted Publisher stores.

Install the Macro on a reference device

1. In Outlook, click File > Options.
2. In the Outlook Options window, click Customize Ribbon.
3. In the right column, scroll down and tick the checkbox next to Developer.
4. Click OK; you should now see a Developer tab in the Outlook toolbar.
5. Click the Developer tab.
6. In the Code group, click Visual Basic or press Alt + F11.
7. In the Visual Basic window that opens, click the + sign next to "Project1" in the upper-left project pane.
8. Click the + sign next to "Microsoft Outlook Objects", which is now expanded.
9. Double-click "ThisOutlookSession" to open a code window.
10. Copy the desired code and paste it into the code window.
11. From the Debug menu, click Compile Project1.
12. Click File > Save.

  

Create, Configure & Export the Certificate

1. Navigate to C:\Program Files\Microsoft Office\root\Office16 or C:\Program Files (x86)\Microsoft Office\root\Office16, depending on the architecture of the Office installation.
2. Double-click the application SELFCERT.exe.
3. Enter a name for the certificate and click OK.
4. Click OK to close the "Self Cert Success" pop-up.
5. Within Visual Basic, click Tools > Digital Signature.
6. Click Choose…
7. Select the certificate you created and click OK.
8. Close Visual Basic.
9. Head over to %Userprofile%\AppData\Roaming\Microsoft\Outlook and copy the .OTM file. This will be used later to create the Win32 application in Intune.
10. Run CertMgr.exe and open User Certificates.
11. Export the certificate, without the private key, as a Base-64 encoded X.509 (.CER) file.

Configure the Trust settings Policy in Intune

1. Sign in to https://endpoint.microsoft.com
2. Browse to Devices – Windows – Configuration Profiles
3. Click Create Profile
4. Select Platform as Windows 10 and later
5. Select Profile as Administrative Templates
6. Provide a Name and hit Next.
7. Under Configuration Settings – All Settings, search for Macros
8. Select Security Settings for Macros and enable it. Choose "Warn for signed, disable unsigned". This is the same as the option "If a macro is digitally signed by a trusted publisher, the macro can run if the user has already trusted the publisher."
9. Commit the settings and assign to a device-based group.

Creating a Win32 App for copying the .OTM file

Create the following directory structure and place the OTM file in it.

I am using a simple xcopy command to copy the file to %Userprofile%\AppData\Roaming\Microsoft\Outlook

Install.cmd

@echo off
rem Copy the signed VBA project into the signed-in user's Outlook folder.
rem The app runs with Install behavior = User, so %username% is the logged-on user.
rem (%APPDATA% resolves to the same folder and also follows profile redirection.)
xcopy VbaProject.OTM /h /c /k /e /r /y "c:\Users\%username%\AppData\Roaming\Microsoft\Outlook\"

For detection, I am using a custom script. Please see the code below –

Detection.ps1

# Intune treats the app as installed when the script exits 0 AND writes to STDOUT.
# Exit 0 with no output means "not installed", which triggers Install.cmd.
if (Test-Path "$($env:USERPROFILE)\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM") {
    Write-Host "Found it!"
}
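The detection script above only checks that a file with the right name exists. As an added example (not from the original post), here is a stricter Detection.ps1 that also checks the copied file is the one that was packaged, using the same Intune detection semantics (exit 0 plus STDOUT output means detected). It assumes `$ExpectedSha256` is the SHA-256 of your packaged VbaProject.OTM; the value below is a placeholder.

```powershell
# Added example, not part of the original post: stricter custom detection for the Win32 app.
# Assumption: replace the placeholder with the SHA-256 of the VbaProject.OTM you packaged,
# obtained on the reference device with: (Get-FileHash .\VbaProject.OTM -Algorithm SHA256).Hash
$ExpectedSha256 = '<SHA-256 OF THE PACKAGED VbaProject.OTM>'

function Test-OtmDeployed {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    # Missing file: definitely not deployed.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Present but different content (overwritten, edited, or an older copy): report not deployed
    # so Intune re-runs Install.cmd and restores the packaged, signed project.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -eq $ExpectedHash)
}

# The app installs in the user context (Install behavior = User), so $env:APPDATA resolves
# to the signed-in user's roaming profile, as the hard-coded path in the post does.
$OtmPath = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'

# Intune rule for custom detection scripts:
#   exit 0 + text on STDOUT  -> detected (installed)
#   exit 0 + nothing on STDOUT, or a non-zero exit -> not detected
if (Test-OtmDeployed -Path $OtmPath -ExpectedHash $ExpectedSha256) {
    Write-Output 'VbaProject.OTM present with the expected SHA-256'
    exit 0
}
exit 0
```

One caveat before using the hash check: Outlook saves any change a user makes in the VBA editor back into the same VbaProject.OTM, which changes the hash and makes Intune re-run Install.cmd over the user's edits. Use the hash variant only where the project is meant to stay exactly as shipped; otherwise keep the simple presence check from the post.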

Use IntuneWinAppUtil.exe to wrap the contents into an .intunewin package.

Once done, create the app by following the steps below –

  1. On the endpoint.microsoft.com portal, navigate to Apps – Windows
  2. Click on Add and select App type as Windows app (Win32)
  3. Populate the details as shown below.

App information

Name – zzzMail VBA OTM

Description – zzzMail VBA OTM

Publisher – Inhouse (Or whatever is applicable to you)

Program

Install command – Install.cmd

Uninstall command – Uninstall.cmd (This is a mandatory field so either use a relevant uninstall command or use a dummy file)

Install behavior – User

Requirements

Operating system architecture – x64

Minimum operating system – Windows 10 1607

Detection rules

Rules Format – Use a custom detection script

Script file – Detection.ps1

Run script as 32-bit process on 64-bit – No

Enforce script signature check and run script silently – No

Assignment

Assign to a user-based group. (This is particularly important during Autopilot, as the app needs to run during the last phase, i.e. Account setup.)

Deploy custom OMA-URI CSP policy to add a certificate in Root CA and Trusted Publisher

Thumbprint of the certificate

  1. Open the certificate by double-clicking the file or the certificate's entry in the MMC Certificates snap-in. You can also right-click on the certificate and choose Open from the context menu.
  2. On the Details tab, scroll down to and select the Thumbprint item in the list box.
  3. Copy the thumbprint from the details pane in the dialog.
  4. Press OK to close the open Certificate dialog.

Base-64 encoded version of the certificate

  1. Open the created .CER file with Notepad.
  2. Copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  3. Close Notepad.
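The thumbprint and the Base-64 body can also be pulled straight from the exported .CER file, which avoids copy/paste slips such as spaces in the thumbprint or a stray header line. The following PowerShell is an added example (not part of the original post) covering both the thumbprint and Base-64 steps above; it assumes `$CerPath` points at the .CER file exported from CertMgr in step 11 of the certificate section, and the file name in the usage line is made up.

```powershell
# Added example, not part of the original post: derive the <Thumbprint ID> and the
# EncodedCertificate value for the custom OMA-URI profile from the exported .CER file.
function Get-MacroCertCspValues {
    param(
        [Parameter(Mandatory)] [string] $CerPath   # assumed: Base-64 .CER exported from CertMgr
    )

    # X509Certificate2 parses both DER and Base-64 (PEM) encoded .CER files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # .Thumbprint is the SHA-1 of the DER bytes as uppercase hex with no spaces,
    # which is the form used in the RootCATrustedCertificates OMA-URI.
    $thumbprint = $cert.Thumbprint
    if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
        throw "Unexpected thumbprint format: '$thumbprint'"
    }

    # Guard rails before anything is trusted machine-wide on every device.
    if ($cert.HasPrivateKey) {
        throw 'This file carries a private key; deploy the public certificate (.CER) only.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); signed macros would no longer be trusted."
    }

    # The EncodedCertificate value is the Base-64 DER body, i.e. the file contents
    # with the -----BEGIN/END CERTIFICATE----- lines and line breaks removed.
    $encoded = [Convert]::ToBase64String($cert.RawData)

    # Cross-check against the manual Notepad method from the post.
    $lines = @(Get-Content -LiteralPath $CerPath)
    if ($lines.Count -gt 0 -and $lines[0] -eq '-----BEGIN CERTIFICATE-----') {
        $manual = ($lines | Where-Object { $_ -notmatch '^-----' }) -join ''
        if ($manual -ne $encoded) {
            Write-Warning 'Stripped PEM body differs from the DER encoding; check the file for stray lines.'
        }
    }

    # One object per custom profile, matching the fields shown in the post.
    foreach ($store in 'TrustedPublisher', 'Root') {
        [pscustomobject]@{
            Name     = $store
            OmaUri   = "./Device/Vendor/MSFT/RootCATrustedCertificates/$store/$thumbprint/EncodedCertificate"
            DataType = 'String'
            Value    = $encoded
        }
    }
}

# Usage (file name is assumed); paste each OmaUri and Value pair into its custom profile.
Get-MacroCertCspValues -CerPath "$env:USERPROFILE\Desktop\MacroSigning.cer" | Format-List
```

Because the SELFCERT certificate ends up in the machine Root store on every device, whoever holds its private key can sign a VBA project that those devices will run without the macro warning. Keep that key on the reference device (or in a controlled signing location), never ship the .PFX, and treat the thumbprint as the value to audit for in the Root and Trusted Publisher stores.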

Use the above values to create the CSP policy as shown below –

  1. Sign-in to the https://endpoint.microsoft.com
  2. Browse to Devices – Windows – Configuration Profiles
  3. Click Create Profile
  4. Select Platform as Windows 10 and later
  5. Select Profile as Custom
  6. Use the following values for the fields in the custom profile and assign to a device based group:

Name: TrustedPublisher

Description: TrustedPublisher

OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/<Thumbprint ID>/EncodedCertificate

Data Type: String

Value: <Copy the Base-64 encoded value here>

Name: Root

Description: Root

OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/Root/<Thumbprint ID>/EncodedCertificate

Data Type: String

Value: <Copy the Base-64 encoded value here>

That's it. After the policies apply, the macro is in place and the certificate is added to the local machine certificate store. The user will not be asked to enable or disable the macro at Outlook start-up because the certificate will already be trusted.
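To confirm on a provisioned device that all three pieces (the Win32 app, the Administrative Template policy and the two CSP profiles) actually landed, here is an added verification script (not part of the original post), run from a PowerShell session as the signed-in user. It assumes `$Thumbprint` is the SELFCERT certificate's thumbprint (placeholder below), and it assumes the "Security setting for macros" policy is written to `HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security` as a `Level` value where 3 means "Warn for signed, disable unsigned"; check that mapping against your tenant before relying on it.

```powershell
# Added example, not part of the original post: verify the applied state on a device.
# Assumptions: the thumbprint placeholder below; the registry location and the value 3
# for "Warn for signed, disable unsigned" are assumed and should be confirmed locally.
function Test-MacroTrustDeployment {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    $result = [ordered]@{}

    # 1. Certificate present in both LocalMachine stores written by the CSP profiles.
    foreach ($store in 'Root', 'TrustedPublisher') {
        $match = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Thumbprint -eq $Thumbprint }
        $result["Cert in LocalMachine\$store"] = [bool]$match
        if ($match) {
            # Record what is actually trusted, so an unexpected subject or expiry stands out.
            $result["  Subject / NotAfter ($store)"] = "$($match.Subject) / $($match.NotAfter)"
        }
    }

    # 2. The VBA project copied by the Win32 app into the user's profile.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    $result['VbaProject.OTM present'] = Test-Path -LiteralPath $otm -PathType Leaf

    # 3. The macro security policy from the Administrative Template profile (assumed mapping).
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
    $level = (Get-ItemProperty -Path $policyKey -Name Level -ErrorAction SilentlyContinue).Level
    $result['Macro policy Level'] = if ($null -eq $level) { 'not set' } else { $level }
    $result['Warn for signed, disable unsigned (assumed Level=3)'] = ($level -eq 3)

    # 4. The signing private key must not exist on end-user devices; only the reference
    #    device (where SELFCERT created it) should report $true here.
    $keyPresent = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
                  Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
    $result['Signing private key present on this device'] = [bool]$keyPresent

    [pscustomobject]$result
}

Test-MacroTrustDeployment -Thumbprint '<THUMBPRINT OF THE SELFCERT CERTIFICATE>' | Format-List
```

Every line should read True (or 3 for the policy level) except the last one, which should be False on any device other than the one used for signing. A False on the Root or Trusted Publisher line with the policy applied is the usual reason users still see the macro warning.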

Until next time..
