How to deploy signing certificates to client computers using GPO?

Description

This document explains the steps to deploy the signing certificate to all client computers using the GPO method. The signing certificate has to be imported into both the Trusted Publishers and the Trusted Root Certification Authorities stores so that clients trust the third-party updates. The "Allow signed content from intranet Microsoft update service location" option in Group Policy Management must also be enabled. Both are mandatory for installation of third-party patches.

Step by step video guide for deploying signing certificates using GPO

You can also follow the steps given below on the domain controller to deploy the signing certificate to all client machines using the GPO method.

  1. To open the Group Policy Management console, run the command gpmc.msc.
  2. Select the required domain, right click and select "Create a GPO in this domain and link it here".
  3. Specify the name for the GPO. Click OK.
  4. Right click the GPO policy and select Edit.
  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Select "Allow signed content from intranet Microsoft update service location" and click Edit policy settings.
  6. Select Enabled and click OK.
  7. Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
  8. Right click "Trusted Root Certification Authorities" and select Import.
  9. The Certificate Import Wizard will open. Click Next.
  10. Specify the location where the certificate has been saved.
  11. The certificate file will be saved at <PatchConnectPlus dir>\webapps\ROOT\server-data\certificate\signedCertificate.cer.
  12. After selecting the file, click Next.
  13. Review the import store location and click Next.
  14. Review the summary and click Next.
  15. The certificate has been successfully imported. Click OK.

    Note: Similarly, ensure that you import the signing certificate into the Trusted Publishers certificate store by following the steps given above.

  16. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Select "Allow signed content from intranet Microsoft update service location" and click Edit policy settings.
  17. Select Enabled and click OK.
  18. Close the Group Policy Editor.
  19. Group policy will be updated based on the refresh interval time. To update it immediately on client computers, open a command prompt and run the command gpupdate /force.
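Once the policy has refreshed, it is worth confirming on a client that all three settings from the steps above actually arrived: the certificate in the Trusted Root store, the same certificate in the Trusted Publishers store, and the "Allow signed content" policy value. The following PowerShell script is an added verification example, not part of the original article or of Patch Connect Plus; the certificate path it takes is an assumption and should point at the signedCertificate.cer file exported from the server.

```powershell
# Added verification script (not from the original KB article). Run on a client
# after "gpupdate /force". $CerPath is an assumed location for the exported
# signedCertificate.cer; adjust it to wherever you copied the file.
param(
    [string]$CerPath = 'C:\Temp\signedCertificate.cer'   # assumed path
)

# Load the certificate and take its thumbprint. Matching on the thumbprint
# rather than the subject name avoids a false "OK" from an unrelated
# certificate that happens to carry the same subject.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$thumb = $cert.Thumbprint
$ok    = $true

# 1. The GPO must place the certificate in BOTH machine stores; third-party
#    updates are rejected if it is missing from either one. Check the
#    LocalMachine stores, not CurrentUser.
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $thumb }
    if ($found) {
        Write-Host "OK       $store contains $($cert.Subject) ($thumb)"
    } else {
        Write-Warning "MISSING  $store does not contain thumbprint $thumb"
        $ok = $false
    }
}

# 2. "Allow signed content from intranet Microsoft update service location"
#    is delivered by policy as AcceptTrustedPublisherCerts = 1 under the
#    WindowsUpdate policy key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$value = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
if ($value -eq 1) {
    Write-Host "OK       AcceptTrustedPublisherCerts = 1"
} else {
    Write-Warning "MISSING  AcceptTrustedPublisherCerts is '$value' (expected 1); check the GPO link and rerun gpupdate /force"
    $ok = $false
}

# 3. An expired signing certificate is also rejected at install time, so flag
#    that here rather than discovering it during the first deployment.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "EXPIRED  certificate expired on $($cert.NotAfter)"
    $ok = $false
}

if ($ok) { Write-Host 'All checks passed'; exit 0 } else { exit 1 }
```

A non-zero exit code makes the script usable as a compliance check from your management tooling across many clients.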

You have now successfully deployed the signing certificate to all client machines using the GPO method.

Keywords:  Deploying Signing Certificate, Trusted Publishers and Root Certification Authorities store.