Hi,
The problem: How to auto distribute a certificate enabling decryption of Always Encrypted SQL Server columns to a specific AD group of users within a domain.
From previous assistance here, it seems:
1 - GPO can't push a certificate to a user's Personal folder in the Certificate Store.
2 - Install Enterprise CA? This seems to only create and distribute new certificates on request, not distribute existing certificates.
3 - Using GPO to load certificates to Local Computer? This would require a formidable manual process of running MMC and adding read permission for each user account in the MMC Security dialog box on each computer, ewww.
4 - Workaround? Run a script to copy and load certificates from a shared folder on login. That will require additional testing, debugging, etc., and adds at least one other potential point of failure.
5 - Push Certificates to Trusted Users via GPO? As far as I can tell, this doesn't mean that only Trusted Users receive them - everybody receives them. So even if you could repoint the SQL Server MK path to 'Trusted Users', it wouldn't restrict the decryption certificate to the AD group.
People must surely be pushing these certificates out to users in the real world - how on earth is it done?
Thanks!
Jack
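An added example, not part of Jack's post: a PowerShell sketch of option 4, a logon script that imports the column master key certificate into the user's Personal store, with the PFX exported using `Export-PfxCertificate -ProtectTo` so the private key is bound to the AD group (DPAPI-NG, which needs a Windows Server 2012 or later DC) rather than to a password in the script. The group name, share path, file name and thumbprint are placeholder values.

```powershell
# Added example, not from the original post. Option 4 (logon script) with the PFX
# protected to an AD group via DPAPI-NG, so only group members can import the key
# and no PFX password has to live in the script.
# Placeholders: group name, share path, file name and thumbprint are assumed values.

# One-time admin step, run where the column master key certificate already exists:
function Export-CmkForGroup {
    param(
        [Parameter(Mandatory)] [string]$Thumbprint,               # CMK certificate thumbprint
        [string]$Group   = 'CONTOSO\AlwaysEncrypted-Decryptors',  # placeholder AD group
        [string]$PfxPath = '\\FILESERVER\AECerts$\CMK.pfx'        # placeholder share; NTFS/share ACL: read for $Group only
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    # -ProtectTo binds the private key to the group (DPAPI-NG, 2012+ DC required);
    # members import it without a password, non-members cannot import it at all.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -ProtectTo $Group -Force | Out-Null
}

# Logon script for group members (assign via GPO user logon script, filtered to the group):
function Import-CmkIfMissing {
    param(
        [Parameter(Mandatory)] [string]$Thumbprint,
        [string]$PfxPath = '\\FILESERVER\AECerts$\CMK.pfx'        # same placeholder share
    )
    # The Always Encrypted column master key path is CurrentUser/My/<thumbprint>,
    # so the certificate must land in the user's Personal store, not LocalMachine.
    $store = 'Cert:\CurrentUser\My'
    if (Test-Path -Path "$store\$Thumbprint") {
        Write-Verbose "CMK $Thumbprint already present; nothing to do"
        return $true
    }
    if (-not (Test-Path -LiteralPath $PfxPath)) {
        Write-Warning "Cannot read $PfxPath; check share ACL and group membership"
        return $false
    }
    # Without -Exportable the key is imported non-exportable, so users cannot
    # re-export it from their own store.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store
    return ($imported.Thumbprint -eq $Thumbprint)
}

# Invocation at logon (thumbprint is a placeholder):
Import-CmkIfMissing -Thumbprint '0000000000000000000000000000000000000000'
```

Because the share ACL and the DPAPI-NG protection both key off the same AD group, a user outside the group gets neither the file nor a usable private key, which is the restriction the post is asking for.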