Import PFX Certificate via Group Policy Preferences

I have a vendor with a web-based SAS service that requires a password encrypted .PFX certificate to be imported into the user’s Personal certificate store.

For physical desktops, this is a one-time import procedure. But for VMware View VDI desktops that are non-persistent, users receive a new desktop every day and would thus have to import this certificate over and over again. I needed a way to import the certificate into the vendor-required store automatically.

Group Policy

When I opened up Group Policy Management and navigated to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, I found several certificate stores that I could import the .PFX file into. The Trusted Root Certification Authorities or Trusted Publishers stores would seem like good places to import this vendor certificate, but neither is the store that the vendor requires.

User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies also had a few stores I could target, but none contain the User’s Personal store. The correct store can be found via Internet Explorer -> Internet Options -> Content -> Certificates -> Personal. Unfortunately, Group Policy isn’t able to target this certificate store.

Scripts

Since Group Policy and Group Policy Preferences didn’t offer a way to import a .PFX certificate into a user’s Personal certificate store, I turned to scripting the solution.

I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).

Next I created a .BAT script named import-certificate.bat which runs this command:

rem -f overwrites an existing copy, -user targets the current user's store,
rem -p supplies the PFX password, -importpfx imports into the Personal store
certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx"

I then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

Dim oShell, strArgs
Set oShell = CreateObject("WScript.Shell")
' cmd expands %LOGONSERVER% before the batch file is invoked
strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat"
' 0 = hidden window, False = do not wait for the batch file to finish
oShell.Run strArgs, 0, False

Group Policy Preference Schedule Tasks

Since I want my script to run only for a subset of my VMware View users, I created an Active Directory Security Group that contains the users who need access to this SAS web-based application (e.g. APP-InstallVendorCertificate).

I then returned to Group Policy Management and navigated to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks. I created a Scheduled Task that runs 30 seconds after the user logs in if they are a member of the APP-InstallVendorCertificate security group. The scheduled task runs %LOGONSERVER%\netlogon\certificates\import-certificate-silently.vbs.

The result is that when a VMware View user who belongs to the APP-InstallVendorCertificate security group in Active Directory logs into their virtual desktop, the required SSL Certificate is automatically installed in their User -> Personal certificate store.
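The same import as a single PowerShell script, added here as an example and not code from the original post. It does what the .BAT/.VBS pair above does but also checks whether the certificate is already in the user's Personal store (so repeated runs are harmless), imports the key non-exportable, and confirms the private key arrived. Because the batch file above keeps the PFX password in the same netlogon folder as the PFX itself, and netlogon is readable by every domain user, the example reads the password from a separate file so that the folder's NTFS ACL, not the script text, decides who can recover the private key; restricting that folder to the APP-InstallVendorCertificate group is the mitigation a practitioner would want. The share path, the vendorcertificate.pwd file name and the script name Import-VendorCertificate.ps1 are assumptions; the cmdlets used (Get-PfxData, Import-PfxCertificate) come with the PKI module on Windows 8 / Server 2012 and later.

```powershell
<#
  Added example (not from the original post): PowerShell replacement for
  import-certificate.bat + import-certificate-silently.vbs.

  Assumed names: the share path, vendorcertificate.pwd as a separate password
  file, and this script saved as Import-VendorCertificate.ps1 (all hypothetical).

  GPP Scheduled Task settings that launch it with a hidden window:
    Program/script: powershell.exe
    Arguments:      -NoProfile -NonInteractive -WindowStyle Hidden
                    -ExecutionPolicy Bypass
                    -File %LOGONSERVER%\netlogon\certificates\Import-VendorCertificate.ps1
#>
param(
    [string]$PfxPath      = "$env:LOGONSERVER\netlogon\certificates\vendorcertificate.pfx",
    [string]$PasswordFile = "$env:LOGONSERVER\netlogon\certificates\vendorcertificate.pwd",
    [string]$StorePath    = 'Cert:\CurrentUser\My'   # the user's Personal store the vendor requires
)

$ErrorActionPreference = 'Stop'

# The password lives in its own file so the folder ACL governs who can read it.
# Anyone able to read both the .pwd and the .pfx can recover the private key,
# so the certificates folder should be readable only by the target group.
$plain    = (Get-Content -Path $PasswordFile -Raw).Trim()
$password = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Inspect the PFX without importing it, to learn which certificate it carries.
$pfxData    = Get-PfxData -FilePath $PfxPath -Password $password
$thumbprint = $pfxData.EndEntityCertificates[0].Thumbprint

# Idempotency check: a non-persistent VDI desktop will not have it yet, a
# persistent desktop will after the first logon, and nothing is re-imported.
if (Test-Path -Path "$StorePath\$thumbprint") {
    Write-Verbose "Certificate $thumbprint is already present in $StorePath"
    exit 0
}

# Import-PfxCertificate marks the private key non-exportable unless -Exportable
# is given, so the copy in the user's store cannot be turned back into a PFX.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $password

# Verify the store now holds the expected certificate together with its key.
if ($imported.Thumbprint -ne $thumbprint -or -not $imported.HasPrivateKey) {
    throw "Import of $PfxPath did not yield certificate $thumbprint with its private key"
}

Write-Verbose "Imported $($imported.Subject) ($thumbprint) into $StorePath"
exit 0
```

Run it once interactively with -Verbose as a user in the group to confirm both paths (first run imports, second run exits early) before attaching it to the GPP scheduled task; the task itself runs in the user's context, which is what puts the certificate in the CurrentUser store rather than the machine store.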

2 Comments


  1. I have multiple users that use multiple computers and each user has a user-specific .pfx certificate. The only way I have found so far is to create a new OU for each user. What do you think, and do you have any suggestions? Thanks.


  2. Hello Jason,

    Thanks for great article. Could you give me details how you actually configured your scheduled task from GPP / User Config?

    I’m getting Access Denied errors in my Application Log during logon from my GPO.
