These notes used this article as a starting point.
Log on to your Group Policy server and at the start menu, run Group Policy Management. R-click the target domain in the left-hand pane and select Create a GPO in this domain, and link it here…and create a new GPO (Group Policy Object) named Kutana is a Trusted Software Publisher. A new node will be created in the tree, as the snap shows:
R-click the new GPO node in the left-hand pane and select Edit… to bring up the Group Policy Management Editor.
Go to the Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies | Trusted Publishers node, r-click in the right-hand pane and import the existing Kutana code-signing certificate into the Trusted Publisher certificate store on the server.
Close the editor and then the Group Policy Management console should display the details of the new GPO like this:
It's possible to further edit the new GPO so it targets specific machines rather than every machine on the domain. You can do this by adding machine names to the Security Filtering panel on the Scope tab. For instance:
Having configured the server, log on to one of the target machines and check that the certificate has been pushed out to its Trusted Publisher store. You may have to use the gpupdate command to force the new GPO to run.
Another useful document is Group Policy for Beginners