Unfortunately, the Mozilla Firefox browser does not use the Windows certificate store by default. However, we need this if we use Deep Inspection on our firewall, for example, or use internal services that are only available locally, which are dependent on a server or domain certificate, for example. It is important that with Intune managed devices also receive the configuration customization and Firefox uses the Windows certificate store.
In the browser there is a possibility to activate the use of the Windows certificate store. If you use GPOs or have the Firefox ADMX configuration active in Intune, you can do this with them. If not, I have prepared a script for you that you can simply distribute as PowerShell in the Microsoft Endpoint Manager.
Save the following code in a PS1 file or download it from my GitHub.
Code language: PowerShell (powershell)
$PackageName = "Firefox_WindowsCertificateStore" $Path_local = "$Env:Programfiles\_MEM" Start-Transcript -Path "$Path_local\Log\$PackageName-install.log" -Force $localSettings_file = "C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js" $profileCFG_file = "C:\Program Files\Mozilla Firefox\scloud.cfg" $localSettings_content = ' pref("general.config.obscure_value", 0); pref("general.config.filename", "scloud.cfg");' $profileCFG_content = ' // lockPref("security.enterprise_roots.enabled", true);' $localSettings_content | Out-File ( New-Item -Path $localSettings_file -Force) -Encoding Ascii $profileCFG_content | Out-File ( New-Item -Path $profileCFG_file -Force) -Encoding Ascii Stop-Transcript
The code will supplement the local configuration file and also write an additional log / transcript to simplify troubleshooting in the event of errors.
In Endpoint Manager under "Devices > Windows > PowerShell scripts" you can now add a new script.
We give the script a meaningful name and an optional (recommended) description:
In the next step you can now upload the saved file and activate the 64-bit context when executing.
Before we can send the configuration, we assign it to the desired group.
That's it. As soon as the script is executed via Intune on the computer and Firefox is restarted, Firefox uses the Windows certificate store.