Prevent users from installing certificates on a desktop computer


Below I describe how to prevent a user from installing certificates on a desktop.


In a new GPO, under User Configuration, configure the following settings to prevent a user from installing certificates with Internet Explorer or using the Certificates snap-in:


The next step is to use GPP to prevent a user from installing a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System


There we add the following executables:







Then add a new user group with Deny permissions.


When the user double-clicks a certificate, the following message appears.




How to know if a CA is Enterprise or Standalone

Hi there!

I'm going to migrate a CA from Windows 2003 (x86) to 2008 R2, and to know if the CA is Standalone or Enterprise I need to do one of the following:

  • Type the command: certutil -getreg ca\catype
  • Open the CertSrv.msc console and locate the Certificate Templates node. This node exists on Enterprise CAs only.
  • In Sites and Services, select Show Services Node in the view pane. Go to Services, Public Key Services, Enrollment Services. If the CA name appears there as an object, your CA is an Enterprise CA; if not, it is a Standalone CA.
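
The first and third checks can be combined in one script. This is an added example, not code from the original post; it assumes PowerShell is available on the CA server, that the registry key is the one certutil -getreg ca\catype reads, and that the CA's object in AD has the same cn as the CA name stored in the registry.

```powershell
# Added example: classify the local CA from the registry and cross-check with AD.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CATypeName {
    param([int]$Value)
    # CAType values as stored in the CA configuration
    switch ($Value) {
        0 { 'Enterprise Root CA' }
        1 { 'Enterprise Subordinate CA' }
        3 { 'Standalone Root CA' }
        4 { 'Standalone Subordinate CA' }
        default { "Unknown CAType ($Value)" }
    }
}

# "Active" holds the name of the CA configured on this server
$caName = (Get-ItemProperty -Path $cfgKey).Active
$caType = (Get-ItemProperty -Path (Join-Path $cfgKey $caName)).CAType
$isEnterprise = (0, 1) -contains $caType

# Cross-check: an Enterprise CA is published under Enrollment Services in AD
$published = $null
try {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $match = @(([ADSI]"LDAP://$dn").psbase.Children |
        Where-Object { "$($_.cn)" -eq $caName })   # assumption: cn equals the CA name
    $published = $match.Count -gt 0
} catch {
    # Typical for a server that is not joined to a domain
    Write-Warning "Could not query Active Directory: $($_.Exception.Message)"
}

New-Object PSObject -Property @{
    CAName        = $caName
    CAType        = $caType
    Description   = Get-CATypeName $caType
    PublishedInAD = $published
    # Registry and AD should agree; $null means AD could not be checked
    Consistent    = ($null -eq $published) -or ($published -eq $isEnterprise)
}
```

A result with Consistent set to False (for example a Standalone CAType with an Enrollment Services object of the same name still present) is worth resolving before the migration.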


Import pfx certificate with certutil through vbscript

After exporting all the certificates with their private keys, I developed this script, which imports every pfx into the user's personal store.

Dim objFSO, shell, objFolder, objFile, objStartFolder

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Folder that holds the exported .pfx files
objStartFolder = "C:\Temp"
Set objFolder = objFSO.GetFolder(objStartFolder)

' Import every .pfx file in the folder into the current user's personal store
For Each objFile In objFolder.Files
    If LCase(objFSO.GetExtensionName(objFile.Name)) = "pfx" Then
        ' -p is the PFX password; the path is quoted so names with spaces work
        shell.Run "certutil.exe -user -p 12345678 -importpfx """ & objFile.Path & """", 1, True
    End If
Next


Export pfx certificate with certutil through vbscript

These days I'm on a desktop migration project from XP to W7 and I need to export the user certificates of all 9,000 desktops…

For that I created a vbs that does it, but on the other hand it can't do everything: the export to file of the serial numbers of all certificates is done with a batch script.

Here are the vbs and the batch file.

VB Script

Const ForReading = 1
Dim shell, objFSO, objFile, strSearchString, CertID, n

Set shell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Dump the user's personal store to certs.txt and wait until the batch file has finished
shell.Run "\\server\share\VolcadoCert.bat", 1, True

Set objFile = objFSO.OpenTextFile("\\private user folder\certs.txt", ForReading)

n = 0
Do Until objFile.AtEndOfStream
    strSearchString = objFile.ReadLine

    If Left(strSearchString, 15) = "Serial Number: " Then
        ' The serial number starts right after the 15-character prefix
        CertID = Trim(Mid(strSearchString, 16))
        n = n + 1

        ' -p is the PFX password; timestamp plus counter keeps each file name unique
        shell.Run "certutil.exe -user -p 12345678 -exportpfx " & CertID & _
            " ""\\private user folder\certificat" & _
            Replace(Replace(Replace(Now(), "/", ""), ":", ""), " ", "") & "_" & n & ".pfx""", 1, True
    End If
Loop

objFile.Close



Batch file

certutil -user -store "My" >> "\\private user folder\certs.txt"