GPO to add a purpose to root certificate

The root certificate of the DFN-PKI "T-TeleSec GlobalRoot Class 2" is not activated in the Windows certificate store for the certificate purpose "code signing".

I can activate it with certmgr.msc in [Trusted Root Certificates Authorities] > [Certificates] > RMB on "T-TeleSec GlobalRoot Class 2" > [Select role code-signing].

I have some 50+ PCs where this setting is required. In Group Policy Managemnt Editor the tree [Computer Configuration] > [Policies] > [Security Settings] > [Public Key Policies] > [Trusted Root Certification Authorities] is empty. The only possible task is [Import of a certificate].

Can any one suggest me how to add a role to Certificate using GPO?

Are you currently deploying the certificate using Group Policy? If not, that's what you need to do. Create a GPO, add the certificate to Computer\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

Then enable the attribute. Link the GPO to the OU where your computers are located.

When this is pulled by the target computers, this will add the certificate in the registry:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\Thumbprint!Blob

You can import your own certificate and select the role you want for it inside the Windows of [Computer Configuration] > [Policies] > [Security Settings] > [Public Key Policies]

Your problem there is it a public certificate. You would need to download the .cer if possible and redistribute it to your computers with the correct roles, or just click to add all roles.