Pushing a code signing certificate to clients as Trusted Publisher in Active Directory

These instructions are a short guide and should always be verified against the Microsoft Windows documentation. Depending on which version of Windows is used, they may be outdated.

Perform these steps to push out a certificate as a Trusted Publisher in Active Directory:

  1. Open Active Directory Users and Computers.
  2. Right-click the OU (Organizational Unit) where the client computers are located (or an OU above the clients) and select Properties.
  3. On the Properties page, create a new Group Policy Object (or reuse an existing one). Select it and click Edit.
  4. In the Group Policy Object Editor, expand Computer Configuration > Windows Settings > Security Settings. Right-click the Software Restriction Policies folder and select New Software Restriction Policies, or use an existing Software Restriction Policy.
  5. On the Additional Rules folder, right-click and select New Certificate Rule....
  6. In the New Certificate Rule Wizard, browse to the certificate and set the Security level to Unrestricted. Click OK.
  7. The certificate will now be pushed to every client as a Trusted Publisher. Restarting the clients is not necessary.
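
To confirm the result of step 7 on a client, the following PowerShell check can be used. It is an added example, not part of the original guide. It assumes the certificate used in the rule is available as an exported .cer file; the function name and the file paths are hypothetical.

```powershell
# Added example: verify on a client that the certificate arrived in the
# local machine's Trusted Publishers store and that a signed file matches it.
function Test-TrustedPublisherDeployment {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,  # exported .cer used in the certificate rule
        [string] $SignedFile                               # optional: a file signed with that certificate
    )

    $fullPath = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

    # The Cert: drive exposes the logical store, which includes
    # certificates delivered through Group Policy.
    $inStore = Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

    # Look for the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $codeSigning = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))

    $result = [ordered]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        InTrustedPublisher = $inStore
        HasCodeSigningEku  = $codeSigning
        Expired            = (Get-Date) -gt $cert.NotAfter
    }

    if ($SignedFile) {
        # Compare the file's Authenticode signer with the deployed certificate.
        $sig = Get-AuthenticodeSignature -FilePath $SignedFile
        $result.SignatureStatus  = $sig.Status
        $result.SignedBySameCert = [bool]($sig.SignerCertificate -and
            $sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
    }
    [pscustomobject]$result
}

# Hypothetical paths; replace them with your own files.
# Optional: run "gpupdate /target:computer" first if the GPO was just linked.
Test-TrustedPublisherDeployment -CertificatePath 'C:\Temp\codesign.cer' -SignedFile 'C:\Temp\signed-script.ps1'
```

If InTrustedPublisher is False, check that the GPO is linked to the OU containing the computer account and that computer policy has refreshed.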