We have a Microsoft enterprise certificate authority, and I would like to start issuing a few code signing certificates.
But what I'm unsure of is this: since all our domain/forest machines trust the internal CA, when I issue code signing certificates: will all the client systems automagically trust the code signing certs for executing any code, or do I need to add the individual users' code signing certs to the clients' "Trusted People" store (like you might do with their self-signed or third-party certs)?
If you issue the certificates using a trusted CA, then all these certificates will be trusted by your machines. You can have a look at this page.
It depends... I used to think that way, but then we started using System Center Update Manager. For the cert to be trusted in this case, it needs to be added to the "Trusted Publishers" store even when it's from your CA.
http://mikeshellenberger.wordpress.com/2010/09/02/system-center-updates-publisher-microsoft-pki/
You want to add this to "TrustedPublishers" as well as the "TrustedRoot".
https://www.spreadsheet1.com/how-to-add-certificate-to-trusted-publishers-in-excel.html
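To verify the distinction the answers above draw (chaining to a trusted root versus being listed in Trusted Publishers), here is an added PowerShell check that is not part of the original thread; the file path and the `signer.cer` filename are assumptions.

```powershell
# Added example (not from the original thread): report whether a signed file's
# certificate chains to a trusted root AND whether its signer sits in the
# Trusted Publishers store. $Path is assumed to be a signed file on this machine.
function Test-CodeSigningTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Status = $sig.Status
                                  ChainTrusted = $false; TrustedPublisher = $false }
    }
    $signer = $sig.SignerCertificate

    # Chain check: does the signer chain to a root in Trusted Root CAs?
    # Revocation is skipped so the check works offline; enable it in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($signer)

    # Trusted Publishers check: look for the signer's thumbprint in both the
    # machine and the user Trusted Publishers stores.
    $publisher = @('Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher') |
        ForEach-Object { Get-ChildItem $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

    [pscustomobject]@{
        Path             = $Path
        Signed           = $true
        Status           = $sig.Status        # Valid, UnknownError, HashMismatch, ...
        Subject          = $signer.Subject
        ChainTrusted     = $chainOk           # true when the enterprise CA root is trusted
        TrustedPublisher = [bool]$publisher   # true only if explicitly added to Trusted Publishers
    }
}

# Usage (assumed path): Test-CodeSigningTrust -Path 'C:\deploy\setup.exe'
# To add a signer to the machine Trusted Publishers store (locally, or distribute via GPO):
# Export-Certificate -Cert (Get-AuthenticodeSignature 'C:\deploy\setup.exe').SignerCertificate -FilePath signer.cer
# Import-Certificate -FilePath signer.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
```

A file from your enterprise CA will typically show ChainTrusted = True but TrustedPublisher = False until the signer is added to that store, which is what the SCUP and Office scenarios above require.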