How to import UCS Root CA into Windows 10 (GPO)

How to import UCS root CA on Windows clients (UCS 5)

Original article here:

Creating a group policy on Windows 10 Client (Language: German)


Open “Gruppenrichtlinienverwaltung”

  1. Win + R (or press the Windows key and type run)
  2. Type gpmc.msc and hit Enter
    1. Alternatively go to “Windows-Verwaltungsprogramme” —> “Gruppenrichtlinienverwaltung”
  3. Browse to:
    - Gesamtstruktur: [Domain]
    - Domänen
    - [Domain]
    - Click on Gruppenrichtlinienobjekte
  4. Then click “Aktion” —> “Neu” and give the new GPO a name of your liking (e.g. “TestGPO”)


Open a browser window and browse to the address of your Domain Controller (i.e.

  1. Click on the burger menu (1), on “Zertifikate” (2) and then on “Wurzelzertifikate” (3) and download it to your computer


Go back to the Gruppenrichtlinienverwaltung, right-click on your newly created GPO (1) from step 1.4 and click “Bearbeiten” (2) (this opens the Gruppenrichtlinienverwaltungs-Editor)

In the Gruppenrichtlinienverwaltungs-Editor:

  1. Browse to:
    • Computerkonfiguration
      • Richtlinien
        • Windows-Einstellungen
          • Sicherheitseinstellungen
            • Richtlinien für öffentliche Schlüssel
              • Vertrauenswürdige Stammzertifizierungsstellen —> Right-click “Importieren…”


Click through the wizard that opens (for importing the certificate you downloaded in Step 5) and, when asked, choose “Alle Zertifikate in folgendem Speicher speichern”:

  1. “Zertifikatspeicher: Vertrauenswürdige Stammzertifizierungsstellen”

5. Back in Gruppenrichtlinienverwaltung

  1. Browse to:
    • Gesamtstruktur: [Domain]
      • Domänen
        • [Domain] —> Right-click “Vorhandenes Gruppenrichtlinienobjekt verknüpfen…”

6. Apply the changed GPO

You can apply the GPO immediately on the Windows client by running gpupdate /force
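
A root CA pushed by GPO becomes a trust anchor on every client, so it is worth checking the downloaded file before importing it and confirming after gpupdate that the policy delivered exactly that certificate. The following script is an added example, not part of the original article; the file path and the expected fingerprint are assumptions (read the fingerprint on the UCS server itself and pass it in).

```powershell
# Added example, not from the original article. Run in PowerShell on the Windows 10 client.
param(
    # Assumed download location of the root certificate file
    [string]$CertPath = "$env:USERPROFILE\Downloads\ucs-root-ca.crt",
    # Placeholder: SHA-256 fingerprint read directly on the UCS server (out of band)
    [string]$ExpectedSha256 = ''
)

# Load the file (DER or PEM) and fingerprint the certificate itself, not the file bytes
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

# A root CA should be self-signed, flagged as a CA, and not expired
$basic = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$checks = [ordered]@{
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    IsCA       = [bool]($basic -and $basic.CertificateAuthority)
    NotExpired = ($cert.NotAfter -gt (Get-Date))
}

# Compare with the out-of-band fingerprint (colons and spaces are ignored)
if ($ExpectedSha256) {
    $checks.FingerprintMatch = ($fingerprint -eq ($ExpectedSha256 -replace '[^0-9A-Fa-f]', ''))
}

# After gpupdate: the certificate must be in the machine root store ...
$checks.InRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

# ... and present under the Group Policy certificate key, which shows it came from the GPO
$gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
$checks.DeliveredByGPO = Test-Path $gpoKey

"Subject: $($cert.Subject)"
"SHA-256: $fingerprint"
$checks.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }

# Non-zero exit code if any check failed, so the script can be used in automation
if ($checks.Values -contains $false) { exit 1 }
```

Before the GPO is linked and applied, InRootStore and DeliveredByGPO are expected to be False; the first three checks and the fingerprint comparison are the ones to pass before importing.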

Firefox, Google Chrome, IE

To make Firefox use the Windows root CA store, we need to change its configuration.
Open about:config in Firefox. You will be presented with a list of settings parameters and a search box.

Search for security.enterprise_roots.enabled and double-click it to change its value to true.

Update: You can now also achieve this with a Group Policy via the ADMX templates for Firefox provided by Mozilla:
