
Install a Self-signed certificate by using Group Policy


Let’s review how to install a certificate on the PCs of domain users and add it to the trusted list with Group Policy. In this case, we will install a self-signed certificate for Exchange on client computers.

 

If your Exchange server is using a self-signed certificate, users will receive a security alert from Outlook. This will happen when users are setting up Outlook for the first time.

To remove this warning, the user needs to add the Exchange certificate to the list of trusted certificates. This can be done manually (or by integrating the certificate into the corporate OS build), but it’s much easier and more efficient to install the certificate automatically using Group Policy (GPO). With this procedure the certificate will be automatically installed on all existing and new user PCs in the domain.

First of all, we need to export the self-signed certificate from your Exchange server. To do that, open the mmc.exe console on the server and add the Certificates snap-in (for your local computer account).

Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates

Find your Exchange certificate in the middle section, right-click it and then choose All Tasks -> Export.

In the Certificate Export Wizard, select the DER encoded binary X.509 (.CER) format and choose the destination folder.

After we have exported the Exchange certificate, we need to store it in a network folder that all users have read access to (the access can be restricted via NTFS permissions, if needed; i.e., the folder can be hidden with ABE). For example, let’s say that the path to the certificate file will be: \\msk-fs01\GroupPolicy$\Certificates

Now we are ready to create the certificate deployment policy. Open the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU it should apply to (in this example this OU includes computers of regular users, because we do not want to install the certificate on servers and technological systems), and then click Create a GPO in this domain, and Link it here.

Enter a suitable name for the policy (Install-Exchange-Cert) and switch to its edit mode.

In the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.

Right-click in the right pane and select Import.

Choose the path to the exported file that we stored in the network folder.


Make sure to specify that the certificate has to be stored in Trusted Root Certification Authorities.

We did it! The certificate deployment policy has been created. It is also possible to set up a stricter user policy using Security Filtering or WMI filters.

Let’s test the policy by running the policy update command (gpupdate /force) on the user PC. You need to make sure that the certificate has appeared in the trusted certificate store. This can be checked in certificate management (Trusted Root Certification Authorities -> Certificates), or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).
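The same check can be scripted. The PowerShell below is an added example, not part of the original article: it compares the file on the share with the thumbprint noted on the Exchange server at export time, then confirms the certificate is in the computer's Trusted Root store. The file name `exchange-selfsigned.cer` and the function name `Test-DeployedRootCert` are hypothetical, and the expected thumbprint is a placeholder to fill in.

```powershell
# Added example. Assumptions: the .cer file name below is hypothetical; the share
# path is the one used in this article; run on a client in the targeted OU.
$CerPath  = '\\msk-fs01\GroupPolicy$\Certificates\exchange-selfsigned.cer'
$Expected = '<thumbprint recorded on the Exchange server at export time>'

function Test-DeployedRootCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Load the DER-encoded certificate exported by the wizard.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # Every user can read the share, so confirm the file is still the one that
    # was exported: anything imported into Trusted Root becomes a trust anchor.
    $want = $ExpectedThumbprint -replace '\s', ''
    if ($cert.Thumbprint -ne $want) {
        $findings.Add("Thumbprint mismatch: file has $($cert.Thumbprint)")
    }
    if ($cert.Subject -ne $cert.Issuer) {
        $findings.Add('Subject and Issuer differ: this is not a self-signed certificate')
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("Outside validity period (NotAfter: $($cert.NotAfter))")
    }

    # The computer-level Trusted Root store is where the GPO places the certificate.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $installed) {
        $findings.Add('Not found in Cert:\LocalMachine\Root (policy not applied yet?)')
    }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        InstalledInRoot = [bool]$installed
        Findings        = $findings
    }
}

# Refresh computer policy, then report. An empty Findings list means all checks passed.
gpupdate /target:computer /force | Out-Null
Test-DeployedRootCert -Path $CerPath -ExpectedThumbprint $Expected
```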

Restart your computer; after this, you should no longer receive the warning about the untrusted certificate.

And thus we set up the certificate deployment group policy on the domain computers. The certificate will be automatically installed on all new computers without requiring any tech support involvement.
