I have recently set up mandatory profiles for a PC image I am creating and I have been able to set up everything I need in the profiles via group policy with the exception of one major item. Apparently mandatory profiles do not allow the installation of certificates in the personal store (pfx/p12 certs). This is a deal breaker because one of our vendors requires a personal certificate installed. I would like to avoid moving away from mandatory profiles over this one caveat so I'm trying anything I can to work around this. I feel like I am very close but I have hit a wall at the last step. Here is what I have devised so far:

  • I have discovered that by manually editing the State value of the registry subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%userSID% from 21001 (which is what designates it as a mandatory profile) to 0 (which designates it as a local profile), I can trick the computer into thinking it is a local profile and it will allow the certificate to install.
  • I have had a PowerShell script written that queries the currently logged-in user's SID and then edits the State value for me.
  • This script requires admin privileges to run, but it needs to run under a non-admin account at login. I am currently trying to get this to work by deploying a scheduled task via group policy that runs the script at logon with administrator credentials.
  • In order for this to work I need to set "Run whether user is logged in or not" in the scheduled task, but doing so causes the script to run, but not work. (The registry key does not update.)

It looks to me like the problem is that the task scheduler cannot run an interactive script when the "Run whether user is logged in or not" checkbox is ticked. Does anybody have any ideas of what I can do to get this working? I'm not familiar enough with scripting to know if it's possible to update my script so that it is a non-interactive script that can update this registry key.

I'm also not attached to the script by any means, if there is another way to get this certificate installed automatically. Thanks for any and all support, everyone. I have a couple more ideas to look into that I think may or may not work, but my lack of experience leaves me unsure, such as:

  • Perhaps it is possible to create the mandatory profile in a way so that while it acts like a mandatory profile (deletes the profile and loads a default one in its place at user login) the State will be created as "0" when the profile is created (rather than 21001).

  • Perhaps it is possible to write something (in a language other than PowerShell) that will change the registry key for me at login that can be set to "Run whether user is logged in or not" as an admin.

  • Perhaps there is a way to manually install the certificate into my system rather than using the certificate installer or certutil. It looks to me that when installing the certificate on the mandatory profile the certificate will install in the personal store but the website will not authenticate. Maybe it is incorrectly storing the certificate's password?

Any guidance or ideas are greatly appreciated. I feel like I'm so close but so far away. Thanks all!

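Added example, not the OP's script: when a scheduled task runs under administrator credentials with "Run whether user is logged in or not", the "current user" that a script sees (for example `$env:USERNAME` or `WindowsIdentity.GetCurrent()`) is the task's account, not the person who just logged on, so the interactive user's SID has to be looked up explicitly. The log file path is an assumption, and the task is assumed to be triggered at logon so that a console user exists when it runs.

```powershell
# Added example (not the OP's script). Resolve the interactively logged-on user's SID
# even when this runs non-interactively under another account, then update the
# ProfileList State value described in the question. Must run elevated.
$ErrorActionPreference = 'Stop'

# Win32_ComputerSystem.UserName is the console (interactive) user as DOMAIN\user,
# regardless of which account the scheduled task itself runs as.
$logonName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $logonName) { throw 'No interactive user is logged on.' }

# Translate DOMAIN\user to its SID string (S-1-5-21-...).
$sid = ([System.Security.Principal.NTAccount]$logonName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path -LiteralPath $profileKey)) {
    throw "No ProfileList entry exists yet for $logonName ($sid)."
}

$state = (Get-ItemProperty -LiteralPath $profileKey -Name State).State

# 21001 (0x5209) is the value the question reports for a mandatory profile;
# 0 marks a local profile. Only touch the key when it is in the expected state.
if ($state -eq 21001) {
    Set-ItemProperty -LiteralPath $profileKey -Name State -Value 0 -Type DWord
    $msg = "{0} State for {1} ({2}) changed from {3} to 0" -f (Get-Date -Format s), $logonName, $sid, $state
} else {
    $msg = "{0} State for {1} ({2}) is {3}, no change made" -f (Get-Date -Format s), $logonName, $sid, $state
}

# Hypothetical log location; adjust to taste. Useful for checking whether the task
# actually ran as intended when "Run whether user is logged in or not" is set.
Out-File -FilePath 'C:\ProgramData\profile-state.log' -Append -InputObject $msg
```

Check the Task Scheduler history and the log file after a test logon: if the task ran but the log names the wrong user, the task's "run as" account was being resolved instead of the console user.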
  • Does everyone that uses the app in question share the same personal certificate? Perhaps you could use a reverse proxy for accessing that site, moving the certificate to the edge of the network. – longneck Nov 17 '16 at 20:36
  • In a deleted comment, you said "Everyone does not share a certificate". This is exactly why mandatory profiles don't allow user certificates. If they did, then the certificate would be shared. – longneck Nov 17 '16 at 22:07

1 Answer


OP here. I'm attempting to recover the account I posted this question on, but until then I will respond via this answer.

In my originally deleted answer I stated that everyone does not share a certificate: there are over 300 sites with 4-5 PCs each that all have a site-specific certificate. I intend to manage the certificate installation via group policy.

As far as the certificate being shared, here is how I've found the process to be working in practice.

The PC has a "template profile" that my domain users are told to use as the default user profile. When a user logs in, a profile is created for that specific user mirroring the settings of the template profile. Group policy should then begin implementing all of my user GPOs, including creation and execution of the script that updates the registry for that new user-specific profile. At the next logon for that user the profile is completely wiped and the process re-occurs. So, each user is writing to its own unique profile once the certificate is installed, and thus I could have 3 different users installing 3 different certificates on the same PC without conflict. The certificate does not install in the template but in the unique profile that is created at login (I have confirmed this with my registry workaround).

An additional note: each PC only uses a single certificate for any user that uses it. So, supposing one certificate was shared for all profiles on the PC, that would be fine. I just can't convince our vendor to issue PC certificates.