How to configure macros & self signed certificate using Intune.

Recently, I worked on a requirement for configuring a Macro as part of standard build for devices being provisioned using Autopilot. As of now, there is no single complete solution available out of the box in Intune to achieve this and there are a number of steps involved in the process.

At a high-level, the process involves the following:

1.      Install the Macro on a reference device.

2.      Create a self-signing certificate on the same reference device.

3.      Add the certificate against the Macro and capture the .OTM file.

4.      Export the certificate as a Base 64 code.

5.      Configure the Trust setting policy in Intune.

6.      Create a Win32 app to copy the .OTM file in the user’s profile path.

7.      Configure the CSP in Intune to deploy the certificate in Root CA & Trusted Publisher

 

Install Macro on a reference device 

1.      In Outlook, click File > Options 

2.      In the Outlook Options window, click Customize Ribbon 

3.      In the right column, scroll down and click the checkbox next to Developer 

4.      Click OK; you should now see a tab for Developer in the Outlook toolbar


                                    

 

5.      Click the Developer tab 

6.      In the Code group, click Visual Basic or press Alt + F11



7.     In the Visual Basic window that opens, click the + sign next to “Project1” in the upper left mini-window 

8.     Click the + sign next to “Microsoft Outlook Objects” that is now open 

9.     Double-click “ThisOutlookSession” to open a code window 

10.   Copy the desired code and paste it into the code window 

11.   From the Debug menu, click CompileProject1


12.   Click File > Save 

  

Create, Configure & Export the Certificate 

1.  Navigate to C:\Program Files\Microsoft Office\root\Office16 or C:\Program Files (x86)\Microsoft Office\root\Office16 depending on the architecture of the office installed.

2.   Double-click the application SELFCERT.exe

3.   Enter a name for the certificate and click OK


 

4.      Click OK to close the “Self Cert Success” pop-up 

5.      Within Visual Basic, click Tools > Digital Signature 

6.   Click Choose… 

7.   Select the certificate you created and click OK.


 

8.   Close Visual Basic

9.  Head over to %Userprofile%\ AppData\Roaming\Microsoft\Outlook and copy the .OTM file.

    This will be used later to create the Win32 Application in Intune.

10.   Run CertMgr.exe and open User Certificates.

11.   Export the certificate as Base-64.


 

Configure the Trust settings Policy in Intune

  1. Sign-in to the https://endpoint.microsoft.com
  2. Browse to Devices – Windows – Configuration Profiles
  3. Click Create Profile
  4. Select Platform as Windows 10 and later
  5. Select Profile as Administrative Templates
  6. Provide a Name and hit next.
  7. Under Configuration Settings- All Settings, search for Macros
  8. Select Security Settings for Macros and enable it. Chose Warn for singed, disable unsigned. This is same for option – If a macro is digitally signed by a trusted publisher, the macro can run if the user has already trusted the publisher.”

     9. Commit the settings and assign to a device-based group.

Creating a Win32 App for copying .OTM file

Create the following directory structure and place the OTM file in it.


I am using a simple xcopy command to copy the file in the %Userprofile%\ AppData\Roaming\Microsoft\Outlook

Install.cmd

@echo off

xcopy VbaProject.OTM /h /c /k /e /r /y "c:\Users\%username%\AppData\Roaming\Microsoft\Outlook\"

For detection, I am using a custom script. Please see the code below –

Detection.ps1

if (Test-Path "$($env:USERPROFILE)\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM") {

    Write-Host "Found it!"

}

Use the IntuneWinAppUtil.exe to wrap the contents. 

Once done, create the app by following the steps below –

  1. On the endpoint.microsoft.com portal, navigate to Apps – Windows
  2. Click on Add and select App type as Windows app (Win32)
  3. Populate the details as shown below.

App information

Name – zzzMail VBA OTM

Description – zzzMail VBA OTM

Publisher – Inhouse (Or whatever is applicable to you)

Program

Install command – Install.cmd

Uninstall command – Uninstall.cmd (This is a mandatory field so either use a relevant uninstall command or use a dummy file)

Install behavior – User

Requirements

Operating system architecture – x64

Minimum operating system – Windows 10 1607

Detection rules

Rules Format – Use a custom detection script

Script file – Detection.ps1

Run script as 32-bit process on 64-bit – No

Enforce script signature check and run script silently – No

Assignment

Assign to a user based group. (This is particularly important during Autopilot as the app needs to run during the last phase i.e. Account setup )

 

Deploy custom OMA-URI CSP policy to add a certificate in Root CA and Trusted Publisher

Thumbprint of the certificate

  1. Open the certificate by double-clicking the file or the certificate's entry in the MMC Certificates snap-in. You can also right-click on the certificate and choose Open from the context menu.
  2. On the Details tab, scroll down to and select the Thumbprint item in the list box.
  3. Copy the thumbprint from the details pane in the dialog.
  4. Press OK to close the open Certificate dialog.

Base-64 encoded version of the certificate

  1. Open the created .CER file with Notepad.
  2. Copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  3. Close Notepad.

Use the above values to create the CSP policy as shown below –

  1. Sign-in to the https://endpoint.microsoft.com
  2. Browse to Devices – Windows – Configuration Profiles
  3. Click Create Profile
  4. Select Platform as Windows 10 and later
  5. Select Profile as Custom
  6. Use the following values for the fields in the custom profile and assign to a device based group:

Name: TrustedPublisher

Description: TrustedPublisher

OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/<Thumbprint ID>/EncodedCertificate

Data Type: String

Value: <Copy the Base-64 encoded value here>

Name: Root

Description: Root

OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/Root/<Thumbprint ID>/EncodedCertificate

Data Type: String

Value: <Copy the Base-64 encoded value here>

That's it. After the policies apply, the macro should get configured and the certificate will get added in the local Machine certificate store. The user will not be asked to enable or disable the macro at Outlook start-up because the certificate will already be trusted.

Until next time..

Comments

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users