In some instances, clients are not able to receive both the SafeConsole registry key and certificate at the same time.

For instances where this happens you can attempt instead to push the SafeConsole certificate in a separate GPO by following these steps: 

  1. Create a new GPO policy and name it (e.g. SafeConsole Cert).
  2. Import the SafeConsole certificate file from SafeConsole into the new GPO. The certificate is located in the directory "/safeconsole/res/SafeConsole.crt" on the server.
  3. Run the command "gpupdate" on the client or restart the client computer to apply the new GPO policy.
  4. Run the command "gpresult" on the client to verify that the new GPO is applied to the workstation.
  5. Confirm that the certificate has been imported into the "Trusted Root Certification Authorities" store on the client and not another store.


 If you also have the SafeConsole registry key pushed to the client you will now be able to connect devices to SafeConsole.