Add certificates and pre-shared keys to the tenant repository for Device Configurations

  • Last update on September 27th, 2024

Configuration Manager does not export certificates or pre-shared keys for App registrations or DeviceConfigurations. 

App registrations and DeviceConfigurations deployed from one tenant to another need to have the certificate/pre-shared key manually configured in the tenant repository.

In the portal you can upload the files for these properties and the portal converts them to Base64 for you, but once uploaded the value cannot be read back by Configuration Manager. To make a configuration cross-tenant deployable, the Base64 value therefore has to be placed directly in the repository.

If you need assistance with the below, please contact our support.


To manage these properties in Configuration Manager do the following:

Step 1: run PowerShell

Run the following in PowerShell.
To encode a pre-shared key, set $cerFilePath to the pre-shared key file instead of the .cer file.

# Read the .cer file as bytes and print it as a single Base64 string
$cerFilePath = "{path to .cer file}"
if (-not (Test-Path -LiteralPath $cerFilePath)) { throw "File not found: $cerFilePath" }
$bytes = [System.IO.File]::ReadAllBytes($cerFilePath)
[System.Convert]::ToBase64String($bytes)

Copy the output. In the following steps it is pasted into the configuration's JSON file in your Configuration Manager environment (Azure DevOps organization).

Step 2: locate the file

Access “Reconcile” in Configuration Manager.
Click on the name of a configuration to open the menu. Then, click “View in repository”.

In Azure DevOps click “Edit” in the top right of the screen.

Step 3: replace the preSharedKeys property's value

Replace the [TODO: ENTER VALUE] for the preSharedKeys property with the Base64 string of the pre-shared key:

"preSharedKeys": "[TODO: ENTER VALUE]",

Step 4: replace the trustedRootCertificate property's value

Replace the [TODO: ENTER VALUE] for the trustedRootCertificate property with the Base64 string of the .cer file:

"trustedRootCertificate": "[TODO: ENTER VALUE]",

Step 5: commit

On the top right of the screen, click “Commit”.

Step 6: deploy the configuration to another tenant (optional)

You can now deploy the configuration to another tenant using reconcile.
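The script below is an added example, not part of this article or of Configuration Manager itself. It performs Steps 1 to 4 in one go against a local clone of the tenant repository and adds the checks you want before committing: that the encoded certificate really is a public root certificate (and not, for example, a .pfx carrying a private key), that the property you are filling actually exists and still holds the [TODO: ENTER VALUE] placeholder, and that no placeholder is left in the file afterwards. The file paths, the parameter names and the assumption that the pre-shared key is supplied as a file are all assumptions made for this example; only the two property names come from the article.

```powershell
# Added example (not from the article or the product): fills trustedRootCertificate and
# preSharedKeys in a DeviceConfiguration JSON file from a local clone of the repository.
# All paths below are placeholders; adjust them to your environment.
param(
    [string]$CerFilePath    = 'C:\certs\root.cer',                               # assumed: public root certificate
    [string]$PskFilePath    = 'C:\secrets\psk.txt',                              # assumed: pre-shared key as a file
    [string]$ConfigJsonPath = 'C:\repo\DeviceConfigurations\vpn-profile.json'    # assumed: file from "View in repository"
)

function ConvertTo-Base64File {
    # Step 1: read a file as bytes and return it as one Base64 string.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return [System.Convert]::ToBase64String($bytes)
}

function Test-Base64Certificate {
    # Decode the Base64 back to bytes and load it as an X.509 certificate. This catches
    # encoding the wrong file (a text file, or a .pfx with a private key) before it is committed.
    param([Parameter(Mandatory)][string]$Base64)
    $raw  = [System.Convert]::FromBase64String($Base64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if ($cert.HasPrivateKey) {
        throw 'Certificate contains a private key; only the public root certificate belongs in trustedRootCertificate.'
    }
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning 'Certificate is not self-issued; trustedRootCertificate is expected to be a root CA.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)."
    }
    return $cert
}

function Set-JsonPlaceholder {
    # Steps 3 and 4: replace the "[TODO: ENTER VALUE]" placeholder of one property.
    param(
        [Parameter(Mandatory)][pscustomobject]$Config,
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Value
    )
    $prop = $Config.PSObject.Properties[$Property]
    if (-not $prop) { throw "Property '$Property' not found in the configuration JSON." }
    if ($prop.Value -ne '[TODO: ENTER VALUE]' -and $prop.Value -ne '') {
        Write-Warning "Property '$Property' already has a value; overwriting it."
    }
    $prop.Value = $Value
}

$config = Get-Content -LiteralPath $ConfigJsonPath -Raw | ConvertFrom-Json

# Step 4: trusted root certificate (validated before it is written)
$certB64 = ConvertTo-Base64File -Path $CerFilePath
$null    = Test-Base64Certificate -Base64 $certB64
Set-JsonPlaceholder -Config $config -Property 'trustedRootCertificate' -Value $certB64

# Step 3: pre-shared key, encoded from its file exactly like the certificate
$pskB64 = ConvertTo-Base64File -Path $PskFilePath
Set-JsonPlaceholder -Config $config -Property 'preSharedKeys' -Value $pskB64

# -Depth 100 (the maximum) keeps nested objects from being flattened to strings on output.
$config | ConvertTo-Json -Depth 100 | Set-Content -LiteralPath $ConfigJsonPath -Encoding UTF8

# Last check before Step 5 (commit): no placeholder may remain in the file.
if ((Get-Content -LiteralPath $ConfigJsonPath -Raw) -match '\[TODO: ENTER VALUE\]') {
    Write-Warning "A [TODO: ENTER VALUE] placeholder is still present in $ConfigJsonPath."
}
Write-Host "Updated $ConfigJsonPath. Review the diff, then commit (Step 5)."
```

Review the diff before committing: Base64 is an encoding, not encryption, so once the pre-shared key is in the repository it is readable by everyone with read access to that repository, which is why the script only ever writes the public root certificate and refuses a file that carries a private key. Commit and deploy with Reconcile as described in Steps 5 and 6.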