Let’s review the details on how to install a certificate to your PC for domain users and how to add them to the trusted list with Group Policy. In this case, we will install a self-signed certificate for Exchange on client computers.
If your Exchange server is using a self-signed certificate, users will receive a security alert from Outlook. This happens when users set up Outlook for the first time.
To remove this warning, the user needs to add the Exchange certificate to the list of trusted certificates. This can be done manually (or by integrating the certificate into the corporate OS build), but it is much easier and more efficient to install the certificate automatically using Group Policy (GPO). With this procedure the certificate will be installed automatically on all existing and new PCs in the domain.
First of all, we need to export the self-signed certificate from your Exchange server. To do that, open the mmc.exe console on the server and add the Certificates snap-in (for the local computer account).
Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates
Find your Exchange certificate in the middle section, right click on it and then choose All Tasks -> Export.
In the Certificate Export Wizard select the DER encoded binary X.509 (.CER) format and choose the destination folder.
After we have exported the Exchange certificate, we need to store it in a network folder that all users have read access to (access can be restricted via NTFS permissions if needed, i.e. the folder can be hidden with ABE). For example, let’s say that the path to the certificate file will be: \\msk-fs01\GroupPolicy$\Certificates
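The export step above can also be done from an elevated PowerShell prompt on the Exchange server instead of the MMC wizard. This is an added example, not part of the original article: it assumes the certificate’s subject contains the placeholder server name msk-ex01 (replace it with your own) and writes the DER-encoded file straight to the share named above.

```powershell
# Added example (not from the original article): export the Exchange self-signed
# certificate from the server's Trusted Root store to a DER-encoded .cer file.
# Run in an elevated PowerShell on the Exchange server.
# Assumption: 'msk-ex01' is a placeholder fragment of the certificate subject name;
# the share \\msk-fs01\GroupPolicy$\Certificates is the path used in the article.

$subjectPattern = 'msk-ex01'                                 # placeholder, replace with your server name
$destFolder     = '\\msk-fs01\GroupPolicy$\Certificates'
$destFile       = Join-Path $destFolder 'Exchange-SelfSigned.cer'

# Locate the certificate in Cert:\LocalMachine\Root (Trusted Root Certification Authorities),
# the same store the article opens in the MMC snap-in
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$subjectPattern*" }

if (-not $cert)            { throw "No certificate matching '$subjectPattern' found in LocalMachine\Root" }
if (@($cert).Count -gt 1)  { throw "More than one match for '$subjectPattern'; filter by Thumbprint instead" }

# -Type CERT writes DER-encoded binary X.509, the format the article selects in the wizard
Export-Certificate -Cert $cert -FilePath $destFile -Type CERT -Force | Out-Null

# Keep the thumbprint: it is the value to compare against on client PCs once the GPO has applied
Write-Host "Exported : $($cert.Subject)"
Write-Host "File     : $destFile"
Write-Host "Thumbprint: $($cert.Thumbprint)"
```

Note the thumbprint that is printed; comparing it on a client is the quickest way to confirm that the policy delivered exactly the certificate you exported and not a stale or different file from the share.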
Now we are ready to create the certificate deployment policy. Open the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU it should apply to (in this example the OU contains the computers of regular users, because we do not want to install the certificate on servers and technological systems), and then click Create a GPO in this domain, and Link it here…
Enter a suitable name for the policy (Install-Exchange-Cert) and switch to its edit mode.
In the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.
Right click in the right pane and select Import.
Choose the path to the certificate file that we stored in the network folder.
Make sure to specify that the certificate has to be stored in Trusted Root Certification Authorities.
We did it! The certificate deployment policy has been created. It is also possible to narrow the policy scope further using Security Filtering or WMI filters.
Let’s test the policy by running the policy update command (gpupdate /force) on a user PC. Then make sure that the certificate has appeared in the trusted certificate store. This can be checked in the certificate management console (Trusted Root Certification Authorities -> Certificates) or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).
Restart the computer; after that you should no longer receive the untrusted certificate warning.
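The check described above can be scripted on the client so it can be run on many PCs without opening the console. This is an added example, not part of the original article: it refreshes computer policy, reads the expected thumbprint from the exported file on the share (path from the article), and looks for that thumbprint in the computer’s Trusted Root store. Because anything in that store is trusted for every purpose the certificate asserts, matching by thumbprint rather than by display name is the check worth automating.

```powershell
# Added example (not from the original article): verify on a domain client that the
# GPO delivered the exported Exchange certificate to Trusted Root Certification Authorities.
# Assumptions: the share path and GPO name 'Install-Exchange-Cert' are the ones used in the
# article; the fallback thumbprint below is a placeholder.

$certFile = '\\msk-fs01\GroupPolicy$\Certificates\Exchange-SelfSigned.cer'
$gpoName  = 'Install-Exchange-Cert'
$expectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder, used only if the file is unreachable

# Force a computer policy refresh instead of waiting for the background interval
gpupdate /target:computer /force | Out-Null

# Derive the expected thumbprint from the exported .cer file itself when the share is reachable
if (Test-Path -Path $certFile) {
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
    $expectedThumbprint = $fileCert.Thumbprint
}

# Look the certificate up in Trusted Root Certification Authorities by thumbprint
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
             Where-Object { $_.Thumbprint -eq $expectedThumbprint }

# Certificates delivered by Group Policy are also written under this policy key, which
# distinguishes a GPO-delivered root from one someone installed by hand
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$expectedThumbprint"

if ($installed) {
    "OK: '$($installed.Subject)' is trusted (valid until $($installed.NotAfter))"
    "Delivered by policy: $(Test-Path -Path $policyKey)"
} else {
    "MISSING: thumbprint $expectedThumbprint not found in LocalMachine\Root"
    # Show whether the GPO was applied to this computer at all
    gpresult /scope:computer /r | Select-String -Pattern $gpoName
}
```

If the output reports MISSING and gpresult does not list the GPO, the computer is outside the linked OU or is being excluded by Security Filtering or a WMI filter; if the GPO is listed but the thumbprint differs, the file on the share is not the certificate that was exported.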
And thus we set up the certificate deployment group policy on the domain computers. The certificate will be automatically installed on all new computers without requiring any tech support involvement.