SharePoint Online Management Shell – Root Certificate is Not Trusted by the Trust Provider

By Craig Jahnke

Today a co-worker reached out about an error he was getting when trying to run a PowerShell script in the SharePoint Online Management Shell: "Certificate is Not Trusted by the Trust Provider…"

[Screenshot: SPO_Managment_Shell]

Researching the issue led him to suggestions about installing or trusting certificates, which he wanted to avoid if at all possible.

This seemed similar to an error I have been running into lately when trying to run scripted OneDrive migrations. My error was also about scripts that were not trusted or not digitally signed. The digitally signed part led me to the Microsoft documentation for the PowerShell cmdlet Set-ExecutionPolicy:

The Set-ExecutionPolicy cmdlet changes the user preference for the PowerShell execution policy.

The execution policy is part of the security strategy of PowerShell. It determines whether you can load configuration files (including your PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run.

I only wanted to run my script once, without changing any machine settings, and I didn't want it to be blocked, so I ran the line below first:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

-ExecutionPolicy (required parameter)

Specifies the new execution policy. The acceptable values for this parameter are:

  • Restricted. Does not load configuration files or run scripts. Restricted is the default execution policy.
  • AllSigned. Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • RemoteSigned. Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
  • Unrestricted. Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
  • Bypass. Nothing is blocked and there are no warnings or prompts.
  • Undefined. Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.

-Scope (optional parameter)

Specifies the scope of the execution policy. The default is LocalMachine. The acceptable values for this parameter are:

  • Process: The execution policy affects only the current PowerShell process.
  • CurrentUser: The execution policy affects only the current user.
  • LocalMachine: The execution policy affects all users of the computer.

If you want the setting to persist for future sessions, run the same command with -Scope LocalMachine from an administrator session. Bear in mind that LocalMachine applies to every user of the computer, and with Bypass none of them will see a signing check or a prompt; if you need a persistent policy, RemoteSigned is the less permissive choice.
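As an added example (this is not part of Craig's original post), the following PowerShell inspects the script's Authenticode signature and the policy at each scope before opting into a process-scoped Bypass, then shows that the CurrentUser and LocalMachine scopes are untouched afterwards. The script path is a placeholder you would replace with your own.

```powershell
# Added example, not from the original post. Assumes $ScriptPath is the
# script you intend to run; the default below is a placeholder path.
param(
    [string]$ScriptPath = 'C:\Scripts\Migrate-OneDrive.ps1'   # placeholder
)

# 1. Show the policy at every scope. Scopes are listed in precedence
#    order; the first one that is not Undefined is the effective policy.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Check how the script is signed before relaxing anything.
#    Status NotSigned  : no signature at all
#    Status NotTrusted : signature chain ends in a root the machine does
#                        not trust (the "not trusted by the trust
#                        provider" case from the SPO Management Shell)
#    Status Valid      : signed by a publisher this machine trusts
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
'{0}: {1} ({2})' -f $ScriptPath, $sig.Status, $sig.StatusMessage
if ($sig.SignerCertificate) {
    'Signer: {0}' -f $sig.SignerCertificate.Subject
}

# 3. Relax the policy for this process only. -Force skips the confirm
#    prompt. Because the scope is Process, the change lives only as long
#    as this PowerShell process and is never written to the registry.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# 4. Run the script in this same process.
& $ScriptPath

# 5. Confirm the Bypass did not leak into the persistent scopes.
'Effective policy in this process : {0}' -f (Get-ExecutionPolicy)
'CurrentUser scope (unchanged)    : {0}' -f (Get-ExecutionPolicy -Scope CurrentUser)
'LocalMachine scope (unchanged)   : {0}' -f (Get-ExecutionPolicy -Scope LocalMachine)
```

Open a new PowerShell window after it finishes and Get-ExecutionPolicy will report the original policy again, which is the point of choosing -Scope Process over -Scope LocalMachine.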

Both my co-worker and I were able to run our scripts after that.

Hope this helps!

Craig