Hi!
Below I put how to block that a user cannot install certificates on a desktop.
Regards!
In a new GPO on User config configure the following settings to block a user for can not install certificates with internet explorer or use the certificates snapin:
The next step is to block by GPP than a user cannot install cert doing double click on the cert. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.
There we add the following exe´s:
%SystemRoot%\system32\certutil.exe
%SystemRoot%\system32\CertEnrollCtrl.exe
%SystemRoot%\system32\certmgr.msc
%SystemRoot%\system32\certreq.exe
%SystemRoot%\system32\cryptext.dll
And add a new user group denying permissions.
When user will do double click will appear the following message.
Regards