If you want to use Microsoft Intune to deploy a MSI file it needs to be signed by a Code Signing Certificate. Most MSI’s from software vendors are signed already, but if you created a custom MSI (e.g. Office 365) by wrapping an EXE then you need to sign that MSI.
Using a MSI will enable Intune to push that software using the MDM channel. All MDM joined PC’s will be able to recieve this software.
Scenario this covers: I want to use Microsoft Intune to deploy apps and exe files to PC’s e.g. Office 2016/Custom Software
Step 1 – Buy or get a code certificate. If you do not have it, buy it here: https://www.digicert.com/code-signing/
Step 2 – Download and Install Windows 7 SDK to get the signtool.exe get the SDK from here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=8279
->Accept all defaults and do not change anything. It will prompt errors
->Check that you have the signtool.exe in this folder: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin
Step 3 – Get your certificate exported in a PXF file. and put it in the same folder as your MSI file.
Step 4 – Run CMD as administrator and input this command:
“C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe” sign /v /f “c:\exemsi\HaukebergCert.pfx” /p “PASSWORD” /t http://timestamp.digicert.com /v “C:\exemsi\OfficeProPlus.msi
Now you are ready to deploy this MSI file through the MDM channel
Follow this guide to deploy the MSI file in Microsoft Intune MDM channel
Adapted from these posts:
http://www.identityfinder.com/kb/Enterprise-Documentation/823571
https://www.digicert.com/code-signing/signcode-signtool-command-line.htm
Håvard Siegel Haukeberg 
Leave a comment