Install a Self-signed certificate by using Group Policy

Let’s review how to install a certificate on the PCs of domain users and add it to the trusted list with Group Policy. In this case, we will install a self-signed certificate for Exchange on client computers.


If your Exchange server uses a self-signed certificate, users will receive a security alert from Outlook. This will happen when users are setting up Outlook for the first time.


To remove this warning, the user needs to add the Exchange certificate to the list of trusted certificates. This can be done manually (or by integrating the certificate into the corporate OS build), but it’s much easier and more efficient to install the certificate automatically using Group Policy (GPO). With this procedure the certificate will be installed automatically on all existing and new user PCs in the domain.

First of all, we need to export the self-signed certificate from your Exchange server. To do that, open the mmc.exe console on the server, then add the Certificates snap-in (for the local computer account).


Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates

Find your Exchange certificate in the middle pane, right-click it and choose All Tasks -> Export.

In the Certificate Export Wizard, select the DER encoded binary X.509 (.CER) format and choose the destination folder.


After we have exported the Exchange certificate, we need to store it in a network folder that all users have read access to (access can be restricted via NTFS permissions if needed; for example, the folder can be hidden with ABE). For example, let’s say that the path to the certificate file will be: \\msk-fs01\GroupPolicy$\Certificates

Now we are ready to create the certificate deployment policy. Open the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU it should apply to (in this example the OU contains the computers of regular users, because we do not want to install the certificate on servers and technological systems), and then click Create a GPO in this domain, and Link it here.

Enter a suitable name for the policy (Install-Exchange-Cert) and switch to its edit mode.


In the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.

Right-click in the right pane and select Import.

Choose the path to the imported file that we stored in the network folder.


Make sure to specify that the certificate has to be stored in Trusted Root Certification Authorities.


We did it! The certificate deployment policy has been created. It is also possible to target the policy more narrowly using Security Filtering or WMI filters.

Let’s test the policy by running the policy update command (gpupdate /force) on the user PC. You need to make sure that the certificate has appeared in the trusted certificate store. This can be checked in the certificate management console (Trusted Root Certification Authorities -> Certificates), or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).
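
The same check can be scripted on a client by comparing the thumbprint of the exported file with the contents of the computer's Trusted Root store, which also confirms that the trusted certificate is exactly the one exported from Exchange. This is an added example, not part of the original article; the file name exchange.cer and the function name Test-DeployedRootCertificate are assumptions, since the article gives only the folder path.

```powershell
# Added example: confirm the certificate deployed by the GPO matches the exported file.
# Assumption: the exported file is named exchange.cer (the article names only the folder).
param(
    [string]$CerPath = '\\msk-fs01\GroupPolicy$\Certificates\exchange.cer'
)

function Test-DeployedRootCertificate {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    # Load the exported .cer file; it contains the public certificate only.
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Look for the same thumbprint in the computer's Trusted Root store.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

    [pscustomobject]@{
        Subject     = $expected.Subject
        Thumbprint  = $expected.Thumbprint
        # Name comparison only: subject equals issuer for a self-signed certificate.
        SelfSigned  = ($expected.Subject -eq $expected.Issuer)
        NotAfter    = $expected.NotAfter
        Expired     = ($expected.NotAfter -lt (Get-Date))
        InRootStore = [bool]$installed
    }
}

# Refresh policy first, then report what the machine actually trusts.
gpupdate /force | Out-Null
Test-DeployedRootCertificate -Path $CerPath | Format-List
```

InRootStore should be True once the policy has applied; a thumbprint that differs from the one shown on the Exchange server means the file on the share is not the certificate that was exported.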


You need to restart your computer; after this you should no longer receive the warning about an untrusted certificate.

And thus we have set up the certificate deployment Group Policy for the domain computers. The certificate will be installed automatically on all new computers without requiring any tech support involvement.
