Sep 3, 2008
Posted by Ben Lee in Tech Tips | 8 Comments
Adding “Trusted Publishers” certificate with Group Policy
Having recently installed SCUP and set it up to publish updates signed by an internal CA, I needed to deploy the custom signing certificate to all the client machines so that they would receive and install the updates correctly. It turns out that the place to install a “Trusted Publisher” certificate via Group Policy is not where you would think: it is done through a Software Restriction Policy certificate rule rather than a certificate store setting.
- Open “Group Policy Manager”
- Under Computer Configuration – Windows Settings – Software Restriction Policies
- Right click and create a new SR policy if you haven’t got one already
- Under Additional rules right click and create new “Certificate rule”
- Click browse and select the exported certificate that is being used to sign the updates (.cer file)
- Change the “Security Level” to Unrestricted, otherwise you will stop the computers running any programs!
- Exit out of the windows and that should be all.
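To confirm the policy has actually reached a client, here is an added verification script (not part of the original post) that checks whether the exported signing certificate now sits in the machine's Trusted Publishers store and reports the SRP default level so a lockout is noticed early. The .cer path is a placeholder; run it on a client after a `gpupdate`.

```powershell
# Added example (not from the original post): verify on a client that the SCUP signing
# certificate from the SRP certificate rule landed in LocalMachine\TrustedPublisher,
# and show the SRP default level (what applies when no rule matches).
# Assumption: the exported .cer is at the placeholder path below.
param(
    [string]$CerPath = 'C:\Deploy\scup-signing.cer'   # placeholder path
)

function Get-CertificateFromFile {
    param([string]$Path)
    # Load the public certificate exported from the internal CA (.cer, DER or Base64)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

function Test-TrustedPublisher {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # "TrustedPublisher" is the store name behind the "Trusted Publishers" UI node
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $match = $store.Certificates | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
        return [bool]$match
    } finally {
        $store.Close()
    }
}

function Get-SrpDefaultLevel {
    # SRP settings are written under this key; DefaultLevel 262144 = Unrestricted,
    # 131072 = Basic User, 0 = Disallowed. Returns $null if no SRP policy applied.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
}

$cert = Get-CertificateFromFile -Path $CerPath
Write-Host ("Signing cert: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
Write-Host ("Present in LocalMachine\TrustedPublisher: {0}" -f (Test-TrustedPublisher -Cert $cert))

switch (Get-SrpDefaultLevel) {
    262144  { Write-Host 'SRP default level: Unrestricted' }
    131072  { Write-Host 'SRP default level: Basic User' }
    0       { Write-Warning 'SRP default level: Disallowed - clients will be unable to run programs' }
    default { Write-Host 'No SRP policy applied to this machine yet' }
}
```

If the certificate is missing after the policy refresh, check the rule's Security Level and the GPO link scope before touching the client's store by hand.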
[tags]scup,group policy[/tags]
Excellent, thanks.
Thanks. I looked for 2-3 days to find this information and your site is the only place I could find it. Every other place basically states that you can’t add Trusted Publishers through GPOs.
I needed to deploy an Office Word 2007 add-in as an MSI. The security requirements are the same as for ClickOnce deployment, and this requires that the manifest is signed.
Office Word 2007 has rather over-ambitious policy in that it will ask the user for confirmation even if the manifest is signed by a trusted certificate – the certificate must also be a trusted publisher.
The available documentation from Microsoft is just plain wrong/applies to a different version (it appears this has changed in 2008), as are most recommendations on the Internet, where it’s said that a certificate trust list needs to be created. Won’t help in this scenario.
But your description does the trick!
I tried reading the Microsoft documentation again, knowing what I now know with your help, but I still can’t really see how I would be able to figure out the connection between software restriction policies and the Trusted Publishers certificate category on the target workstations.
Thank You!
Thank you! Why the hell Microsoft does not tell you this I have no idea…
Thanks! After reading all those wonderful Microsoft articles I finally found someone who knew what they were talking about!
For Windows 2003 I agree that “Software Restriction Policy” was the only way to perform the certificate deployment.
But since Windows 2008 there is a simpler and less risky way.
Just import your certificate into the “Trusted Publishers” section of the GPO. MS documentation is here:
http://technet.microsoft.com/en-us/library/cc770315(WS.10).aspx
Cheers,
Patrick
Thank you…
I’ve been reading through a shitload of Microsoft documentation for the past 3 days trying to find out how to fix this!
#Fail
Nice. Thanks for posting this. It helped me out, it was exactly what I was trying to do.
Bruce