How to set Group Policy "Turn Off Automatic Root Certificates Update" via Registry/PowerShell?

3

10

I need to disable the following group policy in Windows 7 programmatically, for example by modifying a registry key using PowerShell:

"Turn Off Automatic Root Certificates Update"

Does anybody know which registry key needs to be set or unset in order to make this work?

Kilmer answered 4/7, 2013 at 6:16 Comment(0)
5

I had a similar issue when I was creating an application that communicated with a server over HTTPS using two-way SSL.

This was causing a delay of a full minute when the initial request was made.

It ran in WinPE, where hand clicking through the local group policy editor was not an option. There also is no way I am aware of to register a root authority in this environment, and it is running in an incredibly restricted environment so it cannot access Windows Update (not that it would find our corporate CA there anyway).

The registry value you are looking for is

HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot

DWORD DisableRootAutoUpdate = 1

Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update

Pamphlet answered 19/2, 2014 at 22:51 Comment(1)
Yes! Works on Windows 7! - Taritariff
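
Added example (not part of the original answer): a PowerShell function that writes the registry value given above, reads it back to confirm the write, and returns the previous value so the change can be audited or reverted. `Set-RootAutoUpdatePolicy` is a hypothetical helper name; it uses only cmdlets available in PowerShell 2.0, as shipped with Windows 7.

```powershell
# Added example. The key path and value name are the ones given in the
# answer above; Set-RootAutoUpdatePolicy is a hypothetical helper name.
function Set-RootAutoUpdatePolicy {
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Disabled
    )

    $keyPath   = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
    $valueName = 'DisableRootAutoUpdate'

    # Writing under HKLM:\Software\Policies requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Create the policy key if it does not exist yet.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Record the previous state (null if the value was never set).
    $previous = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 1 = automatic root certificate update turned off, 0 = not turned off.
    $data = if ($Disabled) { 1 } else { 0 }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $data -Force | Out-Null

    # Read the value back rather than assuming the write succeeded.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($current -ne $data) {
        throw "Expected $valueName = $data but found '$current'."
    }

    New-Object PSObject -Property @{
        Path     = $keyPath
        Name     = $valueName
        Previous = $previous
        Current  = $current
    }
}

# Equivalent to setting the policy to Enabled in gpedit.msc.
Set-RootAutoUpdatePolicy -Disabled $true
```

On a domain-joined machine where a GPO configures the same setting, the domain policy takes precedence over this local value.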
3

To turn off Automatic Root Certificates Update via Local Group Policy Editor:

  1. Click Start, and then click Run.
  2. Type gpedit.msc, and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Under Computer Configuration, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
  6. Close the Local Group Policy Editor.
Sanjak answered 18/3, 2016 at 6:34 Comment(0)
0

Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.

Drawknife answered 4/7, 2013 at 8:58 Comment(6)
I know that, what I want to do is set the group policy entry programmatically using PowerShell. - Kilmer
Why? Group Policy Management is best done via the respective management console, and it's quite simple to create and link a GPO for turning off root cert updates. What problem are you trying to solve by doing this in PowerShell? - Drawknife
I want to set it automatically without any user interaction. - Kilmer
You don't want to set domain-wide policies without user interaction. That simply isn't a task suitable for automation. Trying to rephrase my question: why do you think you need this? What is the ultimate goal you want to achieve? - Drawknife
I can't speak to the original question, but we need to be able to disable this on a local machine automatically because it's part of internal automated image formation. Internal web services need a trusted root certificate that we've added and this setting would wipe those out at some later date if not disabled. Currently we have to have a manual step 'go disable this in local Group Policy because Microsoft haven't provided a suitable automated alternative'. From my perspective, the question has nothing to do with being on a domain. - Tomasz
@Tomasz You can deploy root certificates with a group policy. And you can switch automatic root certificate updates on or off with a group policy as well. Besides, I've never seen automatic root certificate updates remove custom root certificates from the certificate store. - Drawknife
