I'm running a standalone executable that launches with system rights via task scheduler for all users, who are non-admin. The EXE functions in the background and doesn't install anything; it acts like a service. I used the command `dotnet publish -p:PublishSingleFile=true` to compile the EXE, but it keeps getting flagged by Windows Defender when it runs. Is there a free method to deploy an internal certificate? We have Intune and might leverage PowerShell for the initial setup, but it needs to be non-interactive since we're dealing with thousands of computers and can't rely on users to configure it themselves.
3 Answers
It looks like you might be running into an ASR rule that's blocking your executable from running due to security measures. The ideal route here is to sign your executable with a code signing certificate, especially if you have an internal certificate authority. If your clients have the right root and intermediate certs installed, it should go smoothly. If you're generating a self-signed cert instead, use Intune to push that public cert out to clients. When signing the EXE, be aware that signtool itself triggers the block. So either sign it on a machine without this ASR rule or exclude the signing path temporarily. You can do the latter via PowerShell or Intune.
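Added example of the signing workflow this answer describes (it is not code from the answer's author). It assumes an elevated PowerShell session on the build machine, the EXE path and certificate subject shown, and uses a self-signed cert; with an internal CA you would replace step 1 with the CA-issued cert from `Cert:\CurrentUser\My`. The exclusion is added only for the duration of the signing call and removed again in `finally`, so the build box is not left with a permanent Defender/ASR gap.

```powershell
# Added example, not from the original answer. Assumptions: $exe path, the cert
# subject, and that this runs elevated on the build machine.
$exe = 'C:\Build\MyAgent\MyAgent.exe'   # assumption: the published single-file EXE

# 1. Create a self-signed code-signing certificate (internal use only).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Contoso Internal Code Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(3)

# 2. Export the public half so Intune (or a GPO) can distribute it to clients.
Export-Certificate -Cert $cert -FilePath 'C:\Build\CodeSigning.cer' | Out-Null

# 3. Signing writes into the EXE, which is what the ASR rule blocks. Exclude the
#    build folder only while signing, then remove the exclusion unconditionally.
$buildDir = Split-Path -Parent $exe
Add-MpPreference -ExclusionPath $buildDir
try {
    $sig = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert -HashAlgorithm SHA256
}
finally {
    Remove-MpPreference -ExclusionPath $buildDir
}

# 4. Check the result. With a self-signed cert the status stays 'UnknownError'
#    until the cert is in Trusted Root; 'Valid' means the chain is trusted here.
$check = Get-AuthenticodeSignature -FilePath $exe
'{0}: {1} (signer {2})' -f $exe, $check.Status, $check.SignerCertificate.Thumbprint
```

For production signing add `-TimestampServer <url>` to `Set-AuthenticodeSignature` so the signature stays valid after the certificate expires; it is omitted above only so the snippet runs without network access.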
One way to handle this issue is to create a self-signed certificate to digitally sign your executable. After signing it, add the certificate to the trusted publishers on the PCs. However, this might not prevent Defender from flagging it. You should also consider locking down the folder where the EXE resides so users can't modify it—otherwise, they could replace it and gain unauthorized access. By the way, if your application functions like a service, why not package it as a service instead?
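Added example (not the answer author's code) of the client-side half of this answer: trusting the self-signed publisher and locking down the install folder so a non-admin user cannot swap the binary that Task Scheduler runs as SYSTEM. It assumes the exported `.cer` and install folder paths shown, and that it runs as SYSTEM or an administrator from an Intune script or startup task, non-interactively.

```powershell
# Added example, not from the original answer. Assumptions: the .cer exported on
# the signing machine, the install folder below, and an elevated (SYSTEM/admin) run.
$cerPath = 'C:\ProgramData\Deploy\CodeSigning.cer'   # assumption
$appDir  = 'C:\Program Files\MyAgent'                # assumption
$exe     = Join-Path $appDir 'MyAgent.exe'

# 1. Trust the signer: Root so the chain builds, TrustedPublisher so the
#    publisher is explicitly trusted (also satisfies an AllSigned execution policy).
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 2. Lock the folder: break inheritance so a permissive parent ACL cannot leak
#    write access, then grant only SYSTEM/Administrators full control.
$acl = Get-Acl -Path $appDir
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs
$rules = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('BUILTIN\Users',          'ReadAndExecute')  # drop this entry if only SYSTEM runs it
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $appDir -AclObject $acl

# 3. Verify: the signature now chains to a trusted root, and no principal other
#    than SYSTEM/Administrators holds any write right on the folder.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { throw "Signature not trusted: $($sig.Status)" }

$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$writable = (Get-Acl -Path $appDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notin 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
}
if ($writable) { throw "Unexpected write access: $($writable.IdentityReference.Value -join ', ')" }
'OK: signature Valid and folder write-restricted'
```

Run the verification block on its own as a compliance check after deployment; if either `throw` fires, the EXE running as SYSTEM is replaceable by a standard user and the signing effort buys nothing.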
If you're using Intune, keep in mind that getting a certificate requires a separate subscription. It might be cheaper to purchase a public code signing certificate instead, which typically costs around $200 per year. This could save you from a lot of headaches with internal setups.

Are code signing certificates still exempt from the new lifetime rules?