Deploying computer certificate to the Personal Computer Store using Group Policy

    Question

  • Hi, can someone please confirm if the only way to deploy a computer cert to the Personal store under the Computer branch (Not User branch) is to use an auto-enrollment template & corresponding GPO?

    I can see that in group policy you can deploy other types of certs, such as intermediate & root certs, etc., without using auto-enrollment, but there is no option under the Public Key Policies section to deploy a cert to the Personal store within the Computer branch.

    Thanks

    Wednesday, April 29, 2015 4:29 PM

Answers

All replies

  • > Hi, can someone please confirm if the only way to deploy a computer cert
    > to the Personal store under the Computer branch (Not User branch) is to
    > use an auto-enrollment template & corresponding GPO?
     
    No, you can request a computer cert manually, too. But you cannot deploy
    personal certs through GPO because in GPO, the private key cannot be
    stored... This is true for both computer and user certs, because from a
    CA's perspective, both are simply an entity :)
     

    Greetings/Grüße, Martin

    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, April 30, 2015 9:22 AM
  • Thanks for the reply Martin

    I don't want to deploy the certificates manually to hundreds of computers. What is the best way to deploy the certificates to multiple computers (hundreds of machines) if it's not possible to be done via group policy?

    Many thanks.

    Friday, May 01, 2015 3:45 PM
  • > I don't want to deploy the certificates manually to hundreds of
    > computers. What is the best way to deploy the certificates to multiple
    > computers (hundreds of machines) if it's not possible to be done via
    > group policy?
     
    Implement a windows CA and use auto enrollment.
     

    Greetings/Grüße, Martin

    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, May 04, 2015 9:22 AM
  • Since Group Policy and Group Policy Preferences didn’t offer a way to import a certificate into a user’s Personal certificate store, I turned to scripting the solution.

    I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).

    Next I created a .BAT script named import-certificate.bat which runs this command:

    certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx"

    I then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

    ' Launch the batch file through cmd with window style 0 (hidden) and
    ' without waiting for it to finish, so the user never sees a console window
    Dim oShell, strArgs
    Set oShell = CreateObject("WScript.Shell")
    strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat"
    oShell.Run strArgs, 0, False

    Group Policy Preference Schedule Tasks

    Since I want my script to run only for a subset of my VMware View users, I created an Active Directory Security Group that contains the users who need access to this SAS web-based application (e.g. APP-InstallVendorCertificate).

    I then returned to Group Policy Management and navigated to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks. I created a Scheduled Task that runs 30 seconds after the user logs in if they are a member of the APP-InstallVendorCertificate security group. The scheduled task runs %LOGONSERVER%\netlogon\certificates\import-certificate-silently.bat.

    The result is that when a VMware View user who belongs to the APP-InstallVendorCertificate security group in Active Directory logs into their virtual desktop, the required SSL Certificate is automatically installed in their User -> Personal certificate store.

    Friday, May 15, 2015 12:55 PM
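    A PowerShell variant of the scripted import above, added here as an example and not taken from the thread: it targets either the user or the computer Personal store (the original question was about the Computer branch), skips the import when the certificate is already present, and refuses to install a PFX whose thumbprint differs from the one the administrator pinned. The PFX path and password reuse the thread's values; the thumbprint is a placeholder to fill in, and the .NET X509 classes are used so the script also runs on Windows 7's PowerShell 2.0, which lacks Import-PfxCertificate.

    ```powershell
    # Added example (not from the thread): idempotent, thumbprint-pinned PFX import into a Personal store.
    param(
        [string]$PfxPath = "$env:LOGONSERVER\netlogon\certificates\vendorcertificate.pfx",
        [string]$PfxPassword = "CertificatePassword",
        [string]$ExpectedThumbprint = "<THUMBPRINT-OF-VENDOR-CERT>",   # placeholder: SHA-1 thumbprint of the vendor cert
        [ValidateSet("CurrentUser", "LocalMachine")]
        [string]$StoreLocation = "CurrentUser"                          # LocalMachine = Computer branch Personal store
    )

    function Install-PersonalCertificate {
        param([string]$Path, [string]$Password, [string]$Thumbprint, [string]$Location)

        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", $Location)
        $store.Open("ReadWrite")
        try {
            $wanted = ($Thumbprint -replace "\s", "").ToUpper()

            # Idempotence: a task that fires at every logon must not re-import each time
            if ($store.Certificates | Where-Object { $_.Thumbprint -eq $wanted }) {
                return "present"
            }

            # PersistKeySet keeps the private key on disk; the key container must match the store location
            $keySet = if ($Location -eq "LocalMachine") { "MachineKeySet" } else { "UserKeySet" }
            $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet,$keySet"
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)

            # Integrity check: only the certificate the administrator pinned gets installed,
            # so a replaced or tampered PFX on the share is rejected rather than trusted
            if ($cert.Thumbprint -ne $wanted) {
                throw "PFX at $Path has thumbprint $($cert.Thumbprint), expected $wanted; not importing"
            }

            $store.Add($cert)
            return "imported"
        }
        finally {
            $store.Close()
        }
    }

    $result = Install-PersonalCertificate -Path $PfxPath -Password $PfxPassword `
                                          -Thumbprint $ExpectedThumbprint -Location $StoreLocation
    Write-Output "$StoreLocation\My: certificate $ExpectedThumbprint $result"
    ```

    Run it from the scheduled task as `powershell.exe -NonInteractive -WindowStyle Hidden -File <path>` (use a Computer Configuration task for the LocalMachine store, since the user's token cannot write there). The PFX password is still readable by anyone who can open the script, exactly as with the batch file in the thread, so the share's read permissions should be limited to the group that needs the certificate.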
  • Hello IanBird2306,

    I am trying to use your solution for deployment of one specific certificate on 50+ computers, which must be installed in user certificate space. I have a weird problem:

    The task gets created properly, is triggered properly by user logon, however - action does not get executed EVER. There is no error, no log of any attempt to start the action. Task Engine does not ever receive the message to start the action.

    If I run the task manually, it works. If I export the task to XML on the user's workstation and import it back, it works (triggered by logon event). I have exhausted all ideas of my own - would you have a clue what might be the problem?

    Workstations are all Windows 7, DC is Windows 2008 R2.

    Tuesday, February 27, 2018 11:19 AM