Orbits IT

Deploy self-signed Exchange certificate to PCs and avoid Outlook security alerts!

If you are running an Exchange server with its self-signed certificate, your domain users will get a security alert from Outlook the first time they set up an Outlook profile, because their PCs do not trust the certificate the server presents.


Rather than installing the certificate on each PC by hand, the best method is to push it out via Group Policy. The certificate is then installed automatically on all of your current computers and on any new computer that joins the domain. Bear in mind that every computer receiving the policy will trust this certificate as a root, so the private key on the Exchange server becomes a domain-wide trust anchor and should be protected accordingly.

First, export the self-signed certificate from your Exchange server. Open mmc.exe on the server.


Click File and select Add/Remove Snap-in. Add the Certificates snap-in and choose to manage it using the local computer account.

Expand Certificates (Local Computer) and select Trusted Root Certification Authorities from the menu on the left hand side.

Right-click your Exchange certificate and choose All Tasks followed by Export…


Go through the export wizard and accept the default format, DER encoded binary X.509 (.CER). This format holds only the public certificate; the private key stays on the Exchange server, which is exactly what you want for a file you are about to distribute.


Now that you have exported the certificate, copy it to a file share. Only the account that edits the GPO needs read access: the certificate is copied into the GPO at import time, not fetched from the share by clients. A hidden share works fine, and since the file is public-key material there is no harm if other users can read it.

e.g. \\SERVERNAME\Group Policy$\Certificates


We are now ready to create our Group Policy Object! Open Group Policy Management on your server.


The group policy object we are creating changes Computer Configuration, so link it either to the root of the domain or to the OU that contains your computers. Linking it to an OU that only holds user accounts will do nothing.


Enter a suitable name for the group policy object. Select it in the menu on the left hand side, right-click and select Edit…


In the Group Policy editor, use the menu on the left hand side to browse to:

Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies – Trusted Root Certification Authorities.

Right-click in the right pane and select Import…


Go through the import wizard and select the certificate that you exported to the share earlier.

e.g. \\SERVERNAME\Group Policy$\Certificates\Exchange.cer

Make sure that the wizard states that the certificate will be stored in the Trusted Root Certification Authorities store.

All done! You can now close the Group Policy Editor. Either leave the Authenticated Users group in Security Filtering so the policy applies to every computer under the link, or replace it with a group containing the computers that should receive it. Because this is a computer policy, security filtering is evaluated against the computer accounts; adding user groups there has no effect.
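The export and the GPO steps above can be scripted so they are repeatable and so you can check that what ends up in the GPO is the certificate you meant to export. The following is an added example, not code from the original post; it is run as a domain admin on the Exchange server with the RSAT GroupPolicy module installed (or split so the export runs on Exchange and the GPO part on a domain controller). The subject name, share path, GPO name and OU are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Run as a domain admin on the Exchange
# server with the PKI and GroupPolicy modules available. Server, share, OU and GPO
# names below are assumptions.
Import-Module PKI
Import-Module GroupPolicy

$subjectName = 'CN=EXCH01'                                           # assumption
$cerPath     = '\\SERVERNAME\Group Policy$\Certificates\Exchange.cer'
$gpoName     = 'Trust Exchange self-signed certificate'              # assumption
$linkTarget  = 'OU=Workstations,DC=example,DC=com'                    # assumption

# 1. Locate the Exchange self-signed certificate in Trusted Root, as in the post.
#    A self-signed certificate has Subject == Issuer; filtering on that avoids
#    exporting an unrelated CA certificate that happens to carry a similar name.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "$subjectName*" -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No self-signed certificate with subject $subjectName in Trusted Root" }

# 2. Export the public certificate only. -Type CERT writes DER X.509 and can never
#    include the private key, which must stay on the Exchange server.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($exported.HasPrivateKey)                   { throw 'Exported file contains a private key; do not distribute it' }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint of exported file does not match the store copy' }
Write-Host "Exported $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 3. Create the GPO (idempotent) and link it to the computer OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Computer policy: trust $($cert.Subject)" }
$alreadyLinked = (Get-GPInheritance -Target $linkTarget).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $linkTarget -LinkEnabled Yes | Out-Null }

# 4. Put the certificate into the GPO's Trusted Root policy store. The GPO editor's
#    Import… stores the certificate as a REG_BINARY value named Blob under this key
#    in registry.pol. The local machine Root store keeps the same serialized blob in
#    the registry, so copy it from there rather than hand-building it. (Assumption:
#    the blob layout matches on your Windows version; if unsure, use the editor's
#    Import… and keep only the verification in step 5.)
$storeKey  = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
$blob      = (Get-ItemProperty -Path $storeKey -Name Blob).Blob
$policyKey = "HKLM\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName Blob -Type Binary -Value $blob | Out-Null

# 5. Confirm the GPO now carries exactly the thumbprint we exported.
$deployed = Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName Blob
if ($deployed.Value.Length -ne $blob.Length) { throw 'GPO blob length differs from the store blob' }
Write-Host "GPO '$gpoName' deploys thumbprint $($cert.Thumbprint) to $linkTarget"
```

The thumbprint check in step 2 is the part worth keeping even if you do everything else through the GUI: it is the only thing that ties the file on the share to the certificate the server actually presents, and it is what you will compare against on the clients.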

All you need to do now is run gpupdate /force on a computer to test the group policy. If it asks to restart the computer, let it. Log in as a fresh user and set up Outlook; the security alert should no longer appear. Note that trusting the certificate only removes the "not from a trusted certifying authority" part of the alert: if the name Outlook connects to is not one of the names on the certificate, the name-mismatch warning will still be shown.
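Rather than setting up an Outlook profile to see whether the alert has gone, you can check the result on a client directly: confirm the certificate arrived through policy (not through a manual import someone did earlier) and perform a TLS handshake to the server using Windows' default chain validation, which is the same check that fails in both the untrusted-root and name-mismatch cases. This is an added example, not code from the original post; the server FQDN and thumbprint are assumptions, and the thumbprint should be the one recorded when you exported the certificate.

```powershell
# Added example, not from the original post. Run as a local administrator on a
# domain-joined client inside the GPO's scope. The FQDN and thumbprint below are
# assumptions; use the values from your own export.
$exchangeFqdn = 'exch01.example.com'
$thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'

# 1. Refresh computer policy now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# 2. Is the certificate in the machine Trusted Root store, and did it arrive via
#    policy? GPO-delivered roots are recorded under the Policies key; a certificate
#    imported by hand would be in the store but not there.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumbprint }
$viaGpo = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumbprint"
Write-Host "In Trusted Root: $([bool]$inRoot); delivered by GPO: $viaGpo"

# 3. The test that matters: a TLS handshake with default chain validation. It fails
#    when the root is untrusted or the certificate is expired, and also when
#    $exchangeFqdn is not a name on the certificate, the other trigger for the
#    Outlook alert. The handshake is closed straight away; no mail protocol is spoken.
function Test-ExchangeTls {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true;  Subject = $remote.Subject; Thumbprint = $remote.Thumbprint; Error = $null }
    } catch {
        # e.g. "The remote certificate is invalid according to the validation procedure."
        [pscustomobject]@{ Trusted = $false; Subject = $null; Thumbprint = $null; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

$result = Test-ExchangeTls -HostName $exchangeFqdn
$result | Format-List
if ($result.Trusted -and $result.Thumbprint -ne $thumbprint) {
    Write-Warning 'Handshake succeeded, but the server presented a different certificate than the one deployed'
}
```

If step 2 reports the certificate in Trusted Root but step 3 still fails, compare the Subject and Subject Alternative Names on the certificate with the host name Outlook is actually using (the Autodiscover and internal URLs), because trust alone does not cover a name mismatch.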
