I’ve copied this article from jannikreinhard and added some of my own findings.
Microsoft has described in a blog post (Adding a Certificate to Trusted Publishers using Intune) how to create a custom configuration profile to get a certificate into the Trusted Publishers store. Since there are several manual steps to read the thumbprint from the certificate and encode it to a Base64 string, I wrote a script that does all this for you and automatically creates a new configuration policy.
What you need to do
I needed to export my certificate as a Base64-encoded .cer. I had some issues when using the DER encoded binary type. The thumbprint variable wasn't filled by the script when using DER, so the script threw some errors.
- Install-Script -Name Add-CertificateToTrustedStore
- Run the Add-CertificateToTrustedStore.ps1 PowerShell script
- Enter the UPN to get an auth token for the Graph API

- Perform the authentication

- When the authentication is completed, a file browser will pop up. Here you can select the certificate (.cer file, Base-64 encoded X.509) that you want to distribute as a trusted certificate

- Next you need to enter a name for the Configuration Profile in Intune

- That’s all you need to do. The configuration profile is now successfully created in Intune.

- Now you can assign the Configuration Profile to a group
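
Before assigning the profile, it is worth confirming which certificate the .cer file actually contains, since everything placed in Trusted Publishers is trusted for code signing on every targeted device. The following is an added example, not code from Add-CertificateToTrustedStore.ps1 or from the Microsoft post: it reads a .cer in either export format and prints the thumbprint and Base64 value. The function name `Get-TrustedPublisherPayload` and the sample certificate are constructed for illustration, and the OMA-URI shown is the RootCATrustedCertificates CSP path for the Trusted Publishers store.

```powershell
# Added example: inspect a .cer export (DER or Base-64) before distributing it as a trusted publisher.
function Get-TrustedPublisherPayload {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    # Base-64 exports start with a PEM header; DER exports start with an ASN.1 SEQUENCE tag (0x30).
    $head   = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(27, $bytes.Length))
    $format = 'Unknown'
    if ($head -eq '-----BEGIN CERTIFICATE-----') { $format = 'Base64' }
    if ($format -eq 'Unknown' -and $bytes[0] -eq 0x30) { $format = 'DER' }
    # X509Certificate2 parses both encodings; RawData is always the DER form,
    # and Thumbprint is the SHA-1 hash of RawData, so both exports must agree.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    [pscustomobject]@{
        Format     = $format
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Encoded    = [Convert]::ToBase64String($cert.RawData)
        OmaUri     = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($cert.Thumbprint)/EncodedCertificate"
    }
}

# Constructed sample input: a throwaway self-signed certificate built in memory (no store is modified).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=Constructed Test Publisher', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$der = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1)).Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Write the same certificate in both export formats to a temporary folder.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $dir | Out-Null
$derPath = Join-Path $dir 'publisher-der.cer'
$b64Path = Join-Path $dir 'publisher-b64.cer'
[System.IO.File]::WriteAllBytes($derPath, $der)
$body = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
[System.IO.File]::WriteAllText($b64Path, "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----`r`n")

$fromDer = Get-TrustedPublisherPayload -Path $derPath
$fromB64 = Get-TrustedPublisherPayload -Path $b64Path
$fromDer, $fromB64 | Format-List Format, Subject, NotAfter, Thumbprint, OmaUri
if ($fromDer.Thumbprint -ne $fromB64.Thumbprint -or $fromDer.Encoded -ne $fromB64.Encoded) {
    throw 'The two exports do not describe the same certificate.'
}
Remove-Item -LiteralPath $dir -Recurse -Force
```

Run the function against your own exported .cer and compare the printed Thumbprint with the one shown in the certificate's Details tab before assigning the profile.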

Hope I could simplify your work with this script to create a configuration profile which imports a certificate into the Trusted Publisher store.