Setup Group Policy

1. Open “Group Policy Management”

2. Expand “Group Policy Management” -> “Forest: <domain>” -> “Domains” and Rightclick your domain. Select “Create a GPO in this domain, and link it here…” 

3. Enter a name for the policy for example “Root CA Distribution policy” and press “OK”

4. Select the created policy and press “Edit”

5. Go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Public Key Policies” and Rightclick “Trusted Root Certification Authorities” and select “Import”

6. Press “Next” to continue

7. Press “Browse”

8. Browse to <subordinate-ca>\c$\inetpub\wwwroot\CertEnroll and select the RootCA certificate. Press “Open” to continue

9. Press “Next” to continue

10. Use the default settings and press “Next”

11. Press “Finish” to import the Root CA Certificate.

12. After some time when the import has finished a popup will appear. Press “OK” to continue

The Root CA Certificate is now distributed to all domain devices.