worklet - installing a local personal store certificate
Need help with creating a worklet to install a personal certificate store and be able to deploy those to multiple machines. I came across this but need help on how to apply it in Automox and start testing.
You are pretty close with this worklet! I want to call out a few things though before providing my suggestions.
For certificates that require a password, you can use the ConvertTo-SecureString cmdlet within your worklet. It should be noted though that we don’t condone passing credentials through a worklet’s code as they are exposed in plain text. Please use your own discretion if deciding to use this method.
One other caveat is that Automox Worklets run as SYSTEM. Because of this, the certificate store targeted in your Worklet should point to the LocalMachine store. If you wanted to install a certificate to the CurrentUser store, the worklet would need to run under the current user's runspace. This can be achieved by running your script as a scheduled task. Check out this Catalog Worklet as an example.
That said, I modified your script some and created evaluation logic as well. The evaluation logic is optional, but it will use the cert’s thumbprint to check to see if a certificate exists already in the store.
Here’s the updated code:
Evaluation Code:
```powershell
<#
.SYNOPSIS
    Windows - Configuration - Add Certificate to Store
.DESCRIPTION
    This worklet adds a certificate to the local device's certificate store.
    The evaluation code will use the certificate's thumbprint to determine if the certificate is already installed.
    If it is not found, the device will be flagged for remediation. If the certificate is found, the worklet run
    will exit as the device is compliant.
    The remediation code will then install the .pfx certificate that is attached to the Worklet's payload.
.NOTES
    Author: John Guarracino
    Date: May 26, 2023
.USAGE
    .\evaluation.ps1
    Upload the certificate to the Worklet's payload. Define the $certThumbprint variable with the target
    certificate's thumbprint.
#>

# Define the certificate's Thumbprint and Store Location
$certThumbprint = ""
$certStoreLocation = "Cert:\LocalMachine\My"

# An empty thumbprint can never match, so fail early instead of flagging every device.
if ([string]::IsNullOrWhiteSpace($certThumbprint)) {
    Write-Output "The \$certThumbprint variable has not been set."
    Exit 1
}

# Look for a certificate in the store whose thumbprint matches (comparison is case-insensitive)
$certificate = Get-ChildItem -Path $certStoreLocation | Where-Object { $_.Thumbprint -eq $certThumbprint }

if ($certificate) {
    Write-Output "A Certificate thumbprint match found in the Local Machine's certificate store."
    Write-Output "Device is compliant. Now Exiting."
    Exit 0
}
else {
    Write-Output "A Certificate thumbprint match was not found in the Local Machine's certificate store."
    Write-Output "Flagging device for remediation."
    Exit 1
}
```
Remediation Code:
```powershell
<#
.SYNOPSIS
    Windows - Configuration - Add Certificate to Store
.DESCRIPTION
    This worklet adds a certificate to the local device's certificate store.
    The evaluation code will use the certificate's thumbprint to determine if the certificate is already installed.
    If it is not found, the device will be flagged for remediation. If the certificate is found, the worklet run
    will exit as the device is compliant.
    The remediation code will then install the .pfx certificate that is attached to the Worklet's payload.
.NOTES
    Author: John Guarracino
    Date: May 26, 2023
.USAGE
    .\remediation.ps1
    Upload the certificate to the Worklet's payload. Define the $certPath variable with the name of the pfx file
    uploaded to the worklet payload. Define the $certPassword variable with the certificate's password.
#>

# Define the following variables.
# $certPath should be the name of the pfx file you upload to the worklet payload.
$certPath = ""
$certPassword = ""

# Import the certificate into the certificate store.
# Import-PfxCertificate throws on failure rather than returning $null, so the call is
# wrapped in try/catch; otherwise the "Failed to import" branch below is never reached.
try {
    $cert = Import-PfxCertificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password (ConvertTo-SecureString -String $certPassword -AsPlainText -Force) -ErrorAction Stop
}
catch {
    Write-Output $_.Exception.Message
    $cert = $null
}

if ($cert) {
    Write-Output "Certificate imported successfully."
    Exit 0
}
else {
    Write-Output "Failed to import the certificate."
    Exit 1
}
```
Here are some quick instructions for using the new code:
Upload the .pfx file to the Worklet’s payload.
In the Evaluation Code, complete the $certThumbprint variable with your certificate’s thumbprint.
In the Remediation Code, fill in the $certPath variable with the exact name of the .pfx file you uploaded to the Worklet's Payload.
In the Remediation Code, complete the $certPassword variable with the password for the cert.
When the worklet's remediation code runs, you'll receive an indication in your Automox Activity Log of the success or failure of installing the certificate.
As a side note, I’ve also submitted a feature request on your behalf for adding a Secret Management vault to worklets. Such a feature would help mitigate any security concerns of passing a plain text password within the body of a worklet’s code block. You can check the status of existing feature requests or submit new ones by reaching out to your Customer Success Manager.
I hope this helps!
Have a great weekend!
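As an added example (not part of the answer above and not Automox's own Catalog code), the following script combines the evaluation and remediation steps from the thread into one file that can be tested locally from an elevated PowerShell session before being split back into the Worklet's two code blocks. It adds two checks the thread's code does not have: `Import-PfxCertificate` throws on failure, so the call is wrapped in try/catch; and the thumbprint of the certificate actually imported is compared against the expected value and the certificate is removed again on a mismatch, so a wrong or swapped .pfx in the payload cannot end up in the machine store. The variable names, the placeholder values, and the assumption that the .pfx sits in the script's working directory (where the Worklet payload is unpacked) are this example's own assumptions.

```powershell
# Added example: combined evaluation + remediation for a .pfx in the LocalMachine\My store.
# Assumptions (not from the thread): the .pfx is in the working directory as the payload,
# $expectedThumbprint / $pfxFileName / $pfxPassword are placeholders to fill in.
$ErrorActionPreference = 'Stop'

$expectedThumbprint = 'REPLACE_WITH_SHA1_THUMBPRINT'   # 40 hex characters, spaces/colons tolerated
$pfxFileName        = 'REPLACE_WITH_FILE.pfx'          # name of the uploaded payload file
$pfxPassword        = ''                               # leave empty for an unprotected .pfx
# Worklets run as SYSTEM, so LocalMachine is the store the script can reach.
$storePath          = 'Cert:\LocalMachine\My'

# Normalise the thumbprint to the form the certificate provider reports: uppercase hex, no separators.
$expectedThumbprint = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expectedThumbprint.Length -ne 40) {
    Write-Output "Expected thumbprint is not a 40-character SHA-1 hex string."
    Exit 1
}

function Test-CertInstalled {
    param([string]$Thumbprint, [string]$Store)
    # Get-ChildItem on the Cert: provider returns X509Certificate2 objects; -eq is case-insensitive.
    return [bool](Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# --- Evaluation: already installed means compliant, nothing to do ---
if (Test-CertInstalled -Thumbprint $expectedThumbprint -Store $storePath) {
    Write-Output "Certificate $expectedThumbprint already present in $storePath. Compliant."
    Exit 0
}

# --- Remediation ---
$pfxPath = Join-Path -Path (Get-Location) -ChildPath $pfxFileName
if (-not (Test-Path -Path $pfxPath)) {
    Write-Output "Payload file '$pfxFileName' not found in $(Get-Location)."
    Exit 1
}

$importArgs = @{
    FilePath          = $pfxPath
    CertStoreLocation = $storePath
}
# Only build a SecureString when there is a password: ConvertTo-SecureString rejects an
# empty string. The password is still plain text in the worklet body, which is the
# exposure the answer above warns about.
if ($pfxPassword -ne '') {
    $importArgs.Password = ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force
}

try {
    $cert = Import-PfxCertificate @importArgs
}
catch {
    Write-Output "Import-PfxCertificate failed: $($_.Exception.Message)"
    Exit 1
}

# Pin the result: if the file that shipped in the payload is not the certificate we expected,
# roll it back (including its private key) rather than leave an unknown cert in the machine store.
if ($cert.Thumbprint -ne $expectedThumbprint) {
    Write-Output "Imported thumbprint $($cert.Thumbprint) does not match expected $expectedThumbprint. Removing it."
    Remove-Item -Path (Join-Path -Path $storePath -ChildPath $cert.Thumbprint) -DeleteKey
    Exit 1
}

# Re-read the store rather than trusting the returned object alone.
if (Test-CertInstalled -Thumbprint $expectedThumbprint -Store $storePath) {
    Write-Output "Certificate $expectedThumbprint imported into $storePath."
    Exit 0
}

Write-Output "Import reported success but the certificate is not visible in $storePath."
Exit 1
```

To use this in Automox, keep the part up to the first `Exit 0` as the Evaluation Code and the whole script as the Remediation Code; the leading compliance check makes remediation idempotent, so re-running it after a successful import is harmless. Exit codes follow the thread's convention (0 compliant or remediated, 1 needs remediation or failed).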
Thank you John for your time and assistance, I will surely test that out, and hopefully it will work as instructed.