We have a website that requires a certificate be put in place, and we were trying to see if UEM could accomplish that. We are using linked clone/floating pools today, refresh on logoff, no mandatory profiles. Typically we would start up the parent VM, load the certificate manager MMC, and add the cert to the personal store for the machine account, but we wanted to have the flexibility to change it out on the fly, without having to do a recompose. Is this something UEM can accomplish, or would we be better off pursuing it via group policy?
Hi epa80,
I understand your thought, and probably, in theory, it's possible using UEM. However, since you are talking about adding a certificate to the certificate store for the local machine (if I understand correctly), a user normally isn't allowed to add a certificate to the store for the local machine unless the user has those (admin) permissions. UEM runs in the context of the logged-on user, so whether the user can add the certificate to the store for the local machine depends on the user's permissions.
I would go for the Computer GPO approach and let that GPO distribute the certificate and place it in the certificate store for the local machine(s).
Does this answer your question?
Thanks for the reply. If I wanted to put it in for "My user account" instead, is that possible then? Basically change from the computer account to the user. If it's still a bit too complex, we can go GPO.
Sure, you can use the certutil command. Here's an example.
certutil -addstore -user "My" certificatename.cer
You can run the command from UEM, using Logon Tasks.
Not sure, but maybe you need to specify the full path to certutil.exe. So, C:\Windows\System32\certutil.exe
Additionally, you may choose to run the command only once and let UEM export/import the certificates.
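One way to run the certutil import above as a logon task without re-adding the certificate at every logon, and so that a swapped-out file is picked up by its new thumbprint (added example, not part of the original replies; the share path is a placeholder assumption):

```powershell
# Added example: idempotent per-user import using the certutil flags from the reply above.
# $CertPath is a hypothetical location; point it at wherever the .cer is published.
param(
    [string]$CertPath = '\\fileserver.example\certs\certificatename.cer'
)

$ErrorActionPreference = 'Stop'

# Full path to certutil.exe, so the task does not depend on PATH.
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Read the thumbprint from the file itself, so a replaced certificate is detected.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$thumb = $cert.Thumbprint

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $thumb expired on $($cert.NotAfter)."
}

# Already in the user's Personal ("My") store: nothing to do at this logon.
if (Test-Path -LiteralPath "Cert:\CurrentUser\My\$thumb") {
    Write-Output "Certificate $thumb already present in CurrentUser\My."
    exit 0
}

# Same command as in the reply: add to the current user's "My" store.
& $certutil -addstore -user 'My' $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}

# Verify the result instead of trusting the exit code alone.
if (-not (Test-Path -LiteralPath "Cert:\CurrentUser\My\$thumb")) {
    throw "certutil reported success but $thumb is not in CurrentUser\My"
}
Write-Output "Imported $thumb into CurrentUser\My."
```

Note that `-addstore` with a .cer file adds only the certificate itself; it does not import a private key.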
Hi epa80,
Did you manage to test using certutil.exe?