Install a Self-signed certificate by using Group Policy


Let’s review how to install a certificate on the PCs of domain users and add it to the list of trusted certificates with Group Policy. In this case, we will install a self-signed Exchange certificate on client computers.

 

If your Exchange server is using a self-signed certificate, users will receive a security alert from Outlook. This happens when users set up Outlook for the first time.

To remove this warning, the user needs to add the Exchange certificate to the list of trusted certificates. This can be done manually (or by integrating the certificate into the corporate OS build), but it’s much easier and more efficient to install the certificate automatically using Group Policy (GPO). With this procedure, the certificate will be automatically installed on all existing and new PCs in the domain.

First of all, we need to export the self-signed certificate from the Exchange server. To do that, open the mmc.exe console on the server and add the Certificates snap-in (for the local computer account).

Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates

Find your Exchange certificate in the middle pane, right-click it and choose All Tasks -> Export.

In the Certificate Export Wizard, select the DER encoded binary X.509 (.CER) format and choose the destination folder.

After we have exported the Exchange certificate, we need to store it in a network folder that all users have read access to (access can be restricted via NTFS permissions if needed, and the folder can be hidden with ABE). For example, let’s say that the path to the certificate file will be: \\msk-fs01\GroupPolicy$\Certificates

Now we are ready to create the certificate deployment policy. Open the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU it should apply to (in this example, the OU contains the computers of regular users, because we do not want to install the certificate on servers and technological systems), and then click Create a GPO in this domain, and Link it here.

Enter a suitable name for the policy (Install-Exchange-Cert) and switch to its edit mode.

In the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.

Right-click in the right pane and select Import.

Specify the path to the certificate file that we stored in the network folder.

Make sure to specify that the certificate has to be stored in Trusted Root Certification Authorities.

We did it! The certificate deployment policy has been created. It is also possible to target the policy more strictly using Security Filtering or WMI filters.

Let’s test the policy by running the policy update command (gpupdate /force) on a user PC. Make sure that the certificate has appeared in the trusted certificate store. This can be checked in certificate management (Trusted Root Certification Authorities -> Certificates) or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).
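
The same check can be scripted on a client. This PowerShell is an added example, not part of the original article: it compares the thumbprint of the exported file with the machine's Trusted Root store, and optionally with a thumbprint noted on the Exchange server at export time. The file name exchange.cer and the thumbprint placeholder are assumptions, since the article gives only the folder.

```powershell
# Added example, not from the original article.
# Assumptions: the file name exchange.cer and the thumbprint placeholder are hypothetical.
$CerPath            = '\\msk-fs01\GroupPolicy$\Certificates\exchange.cer'
$ExpectedThumbprint = '<THUMBPRINT-RECORDED-ON-EXCHANGE-SERVER>'

function Test-DeployedRootCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Expected
    )
    # Load the exported public certificate (a .cer file carries no private key).
    $file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Is a certificate with the same thumbprint in the machine-wide Trusted Root store?
    $hit = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $file.Thumbprint }

    [pscustomobject]@{
        Subject         = $file.Subject
        Thumbprint      = $file.Thumbprint
        NotAfter        = $file.NotAfter
        Expired         = $file.NotAfter -lt (Get-Date)
        SelfSigned      = $file.Subject -eq $file.Issuer
        # $null when no expected thumbprint was supplied; spaces are ignored.
        MatchesExpected = if ($Expected) { $file.Thumbprint -eq ($Expected -replace '\s', '') } else { $null }
        InTrustedRoot   = [bool]$hit
    }
}

# Refresh policy, then report what the client actually trusts.
gpupdate /force | Out-Null
$r = Test-DeployedRootCert -Path $CerPath -Expected $ExpectedThumbprint
$r | Format-List

if (-not $r.InTrustedRoot) {
    Write-Warning 'Certificate is not in Trusted Root Certification Authorities yet.'
}
if ($r.MatchesExpected -eq $false) {
    Write-Warning 'File on the share does not match the thumbprint recorded at export.'
}
if ($r.Expired) {
    Write-Warning 'Certificate has expired; Outlook will still show a warning.'
}
```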

Restart the computer; after this, you should no longer receive the warning about an untrusted certificate.

We have now set up the certificate deployment group policy for the domain computers. The certificate will be automatically installed on all new computers without requiring any tech support involvement.