
February 27, 2024

How to Deploy Certificates to Computers Using Group Policy

You can use Windows Group Policy (GPO) to centrally install a specific certificate on all computers in a domain by adding it to each computer’s Trusted Root Certification Authorities store. This is needed, for example, when you deploy your own Certification Authority (CA) and must make its root certificate trusted on all user computers, when you want to add a specific site’s SSL/TLS certificate to the trusted list, when you install the HTTPS inspection certificate used by the Internet gateway to inspect user traffic, or when you distribute a self-signed driver or application signing certificate.

Contents:
  • How to Export an SSL/TLS Certificate to a File on Windows
  • Install Certificates on Windows Devices by Using Group Policy
  • Removing Trusted Certificates using GPO

How to Export an SSL/TLS Certificate to a File on Windows

In this example, we are going to deploy a self-signed SSL certificate to domain computers that is bound to the HTTPS site running on the IIS web server. By default, the browser and other applications will warn you that the site’s certificate is untrusted and it is not safe to use the service. To remove this warning, you must add the site certificate to the trusted root certificate store on the user’s computer.

Untrusted certificate causes insecure HTTPS connection in browser

First, export the certificate public key to a CER, CRT, or PEM file. You can export the certificate directly from the browser. If you are using Microsoft Edge, click in the address bar: Not Secure -> Show Certificate -> Details -> Export. Save the certificate as a file in BASE64 format with a CRT or PEM extension.

export web site certificate public key to file

You can use the .NET WebRequest class from PowerShell to retrieve the SSL/TLS certificate of an HTTPS site and export it to a CER file:

# Create the request; the URL is the site whose certificate you want to export
$webRequest = [Net.WebRequest]::Create("https://exchange_cas/owa")
# The request fails for an untrusted certificate, but the TLS handshake still
# completes, so the certificate is available on the ServicePoint afterwards
try { $webRequest.GetResponse() } catch {}
$getcert = $webRequest.ServicePoint.Certificate
# Export only the public part (DER-encoded X.509, no private key)
$bytes = $getcert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
# -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream
Set-Content -Value $bytes -Encoding Byte -Path "c:\ps\your_exchange_cert.cer"

You can also manually export the installed certificate from the local cert store on the user’s computer. In this example, the certificate is a simple self-signed certificate created using PowerShell:

  1. Open the snap-in mmc.exe -> File -> Add/Remove Snap-in -> add the Certificates snap-in -> Computer account (if the certificate is installed in the user cert store, select My User Account) -> Local computer;
  2. Expand the store where the certificate is installed (in this case, Trusted Root Certification Authorities) and locate it;
  3. Right-click the certificate -> All Tasks -> Export;
  4. Select the DER encoded binary X.509 (.CER) format and specify the path to the certificate file (do not export the private key if the certificate has one).

Install Certificates on Windows Devices by Using Group Policy

The next step is to create a domain GPO that will install the certificate on the computers.

  1. Open the domain GPO management console (gpmc.msc), select the OU that contains the computers on which you want to deploy the certificate, and select Create a GPO in this domain and Link it here;
  2. Specify the name of the policy and switch to Edit mode;
  3. In the GPO editor, go to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Public Key Policies –> Trusted Root Certification Authorities. Right-click and select Import;
  4. Specify the path to the certificate file you exported earlier;
  5. Select to place the certificate in the Trusted Root Certification Authorities store;
  6. A single GPO allows you to install multiple certificates at once. The following summary certificate fields are displayed in the GPMC console on the Settings tab: Issued To, Issued By, Expiration Date, and Intended Purposes;
    You can use GPO security filtering or WMI GPO filtering to deploy a certificate only to computers that are members of a specific AD group.
  7. Update Group Policy settings on the client computer (run gpupdate /force), open the computer Certificate Management console (certlm.msc), and check that the computer has automatically downloaded the certificate and added it to the Trusted Root Certification Authorities store.

Check that the client browser no longer displays an untrusted certificate warning when accessing an HTTPS site.
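The same check can be scripted on a client instead of opening certlm.msc. The following is an added example, not code from the original article: it looks the deployed certificate up by thumbprint in the Trusted Root store, reports whether it is expired and whether its chain validates, and tells you whether it arrived via Group Policy (policy-delivered certificates are written under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates) or was installed locally. $ExpectedThumbprint is a placeholder you replace with your own certificate's thumbprint.

```powershell
# Added example: verify that the GPO-deployed certificate is present on this computer.
# $ExpectedThumbprint is an assumed placeholder; use the thumbprint of your certificate.
param(
    [string]$ExpectedThumbprint = 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'
)

# Normalize the thumbprint (certlm.msc shows it with spaces and in lower case)
$thumb = $ExpectedThumbprint.ToUpper() -replace '[^0-9A-F]', ''

# Cert:\LocalMachine\Root merges locally installed roots with those delivered by policy
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    Write-Warning "Certificate $thumb is not in the Trusted Root store. Run 'gpupdate /force' and check the GPO link, security filtering and WMI filters."
    return
}

# Certificates pushed by a GPO live under the policy registry hive; a manually
# imported certificate does not have this key.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
$source = if (Test-Path $policyKey) { 'Group Policy' } else { 'local store (manual import or other)' }

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Expired    = ($cert.NotAfter -lt (Get-Date))
    ChainValid = $cert.Verify()   # $true when the certificate chains to a trusted root and is within its validity period
    Source     = $source
}
```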

secure connection in browser with trusted cert

Removing Trusted Certificates using GPO

If a trusted certificate has expired, is compromised, or needs to be replaced, you can use the GPO to remove it from all computers automatically.

Use the Sigcheck tool to scan the Windows trusted certificate store for third-party, suspicious, and revoked certificates.

  1. Open the certificate deployment GPO settings, select the certificate, and delete it without unlinking the GPO from the target AD container;
  2. All devices affected by this policy will automatically delete the certificate.

If you want to remove a certificate that was previously installed manually on all computers, you can use a GPO logon script.

First, obtain the thumbprint of the certificate you want to delete. List certificates with their thumbprints in the root cert store:

Get-ChildItem -Path Cert:\LocalMachine\Root

In the Netlogon directory on the AD domain controller, create the file delete_cert_iis.bat (\\woshub.loc\NETLOGON\).

certutil -delstore Root CB19F3F57A4EDB004059DEE436A1989D04275196

Configure this batch file to run automatically on Windows startup (read more about using logon scripts in GPO).

GPO logon script - remove certificate
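For the Sigcheck-style audit and the removal step above, here is an added PowerShell example (not from the original article) that can run as a GPO computer startup script: it lists every certificate in the LocalMachine Trusted Root store whose thumbprint is not in a baseline you maintain, then removes one certificate by thumbprint and logs the result. The baseline thumbprints, $ThumbprintToRemove and $LogPath are assumed placeholders.

```powershell
# Added example: audit the Trusted Root store against a baseline and remove a certificate by thumbprint.
# Baseline thumbprints and the thumbprint to remove are placeholders; fill them in for your environment.
param(
    [string[]]$Baseline = @('REPLACE_WITH_KNOWN_GOOD_THUMBPRINT_1',
                            'REPLACE_WITH_KNOWN_GOOD_THUMBPRINT_2'),
    [string]$ThumbprintToRemove = '',
    [string]$LogPath = "$env:ProgramData\trusted_root_cleanup.log"
)

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

# 1. Report roots that are not in the baseline. Anything listed here deserves a look:
#    unexpected roots are what the Sigcheck scan is meant to find.
$unexpected = $roots | Where-Object { $Baseline -notcontains $_.Thumbprint }
if ($unexpected) {
    Write-Output "Trusted roots not in the baseline:"
    $unexpected | Select-Object Subject, Issuer, Thumbprint, NotAfter |
        Format-Table -AutoSize | Out-String | Write-Output
}

# 2. Remove the requested certificate, if present. This needs administrative rights,
#    which is why it belongs in a computer startup script rather than a user logon script.
#    Note: a certificate delivered by a GPO is re-added at the next policy refresh;
#    remove it from the GPO itself (see above) instead of deleting it here.
if ($ThumbprintToRemove) {
    $t = $ThumbprintToRemove.ToUpper() -replace '[^0-9A-F]', ''
    $target = $roots | Where-Object { $_.Thumbprint -eq $t }
    $stamp = Get-Date -Format s
    if ($target) {
        $target | Remove-Item
        Add-Content -Path $LogPath -Value "$stamp removed $t ($($target.Subject)) from LocalMachine\Root"
    } else {
        Add-Content -Path $LogPath -Value "$stamp $t not found in LocalMachine\Root (nothing to do)"
    }
}
```

Run it once with only a baseline to see what is trusted on a reference computer, then supply -ThumbprintToRemove when you deploy it through the GPO.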

Remember to update the trusted root certificates on Windows computers regularly. By default, Windows machines automatically download and install the trusted Microsoft root certificates, but this may not work in an isolated environment.
1 comment

Kuff February 1, 2022 - 1:34 pm

If you remove Authenticated Users from the scope to add a User AD group, you must delegate read to the computer part. This article is incorrect/misleading; it doesn’t talk about the 2016 change to security filtering https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
