Automatically deploy SSL Certificates to Users profile

1. Deployment ScriptsUpdate the variables between <……>

Script 1 – ImportPFX.vbs

Set objShell = CreateObject(“”)“powershell -executionpolicy bypass -windowstyle hidden -file \\<domain>\netlogon\Certificates\ImportPFX.ps1”)


Script 2 – ImportPFX.ps1

function Import-PfxCertificate {

param([String]$certPath,[String]$certRootStore = “CurrentUser”,[String]$certStore = “My”,$pfxPass = $null)

$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2

if ($pfxPass -eq $null) {$pfxPass = read-host “Enter the pfx password” -assecurestring}


$store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)








# Call the “Import-PfxCertificate” function.

Import-PfxCertificate “<path to certificate>\<Certificate.pfx>” “CurrentUser” “My” “<password>

Import-PfxCertificate Command Syntax


<path to certificate>\<Certificate.pfx>” = Location of the Certificate File

“CurrentUser”                                                        = Personal User Store

“My”                                                                           = Personal Cert Store

<Password>”                                                       = Password of the PFX Certificate

2. Deploy Script via GPO

I created an additional GPO and modified the Logon Script path to run the vbs file above.

User Configuration > Policies > Windows Settings > Scripts > Logon

– Script Name: \\<domain>\NETLOGON\Certificates\ImportPFX.vbs

2a. Apply Security to GPO

In our case we wanted to deploy the certificates to users in a certain AD Group.

Follow this procedure exactly otherwise the GPO won’t apply

  1. Under Security Filtering leave Authenticated Users, do not remove!!
  2. Click Delegation tab
  3. Click Advanced button
  4. Select Authenticated Users, untick ‘Apply Group Policy’ under Allow only
  5. Add in AD Group, tick ‘Apply Group Policy’ under Allow
  6. If you go back to Security Filtering you’ll notice Authenticated Users has now gone and your AD Group is listed, don’t worry about this..

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: