Configure trusted roots and disallowed certificates in Windows (2024)

Applies To: Windows Server (All supported versions), Windows clients, Azure Stack HCI.

Redirect the Microsoft Automatic Update URL to a file or web server hosting Certificate Trust Lists (CTLs), untrusted CTLs, or a subset of the trusted CTL files in a disconnected environment.

To learn more about how the Microsoft Root Certificate Program works to distribute trusted root certificates automatically across Windows operating systems, see Certificates and trust.

Tip

You don't need to redirect the Microsoft Automatic Update URL for environments where computers are able to connect to the Windows Update site directly. Computers that can connect to the Windows Update site are able to receive updated CTLs on a daily basis.

Prerequisites

Before you can configure your disconnected environment to use CTL files hosted on a file or web server, you need to complete the following prerequisites.

Client prerequisites

  • At least one computer that is able to connect to the Internet to download CTLs from Microsoft. The computer requires HTTP (TCP port 80) access and name resolution (TCP and UDP port 53) to contact ctldl.windowsupdate.com. This computer can be a domain member or a member of a workgroup. Currently all the downloaded files require approximately 1.5 MB of space.
  • Client machines must be connected to an Active Directory Domain Service domain.
  • You must be a member of the local Administrators group.

Server prerequisites

  • A file server or web server for hosting the CTL files.
  • AD Group policy or MDM solution to deploy configuration settings to your client.
  • An account that is a member of the Domain Admins group or that has been delegated the necessary permissions.

Configuration methods

An administrator can configure a file or web server to download the following files by using the automatic update mechanism:

  • authrootstl.cab contains a non-Microsoft CTL.

  • disallowedcertstl.cab contains a CTL with untrusted certificates.

  • disallowedcert.sst contains a serialized certificate store, including untrusted certificates.

  • <thumbprint>.crt contains non-Microsoft root certificates.

The steps to perform this configuration are described in the Configure a file or web server to download the CTL files section of this document.

There are several methods to configure your environment to use local CTL files or a subset of trusted CTLs. The following methods are available.

  • Configure Active Directory Domain Services (AD DS) domain member computers to use the automatic update mechanism for trusted and untrusted CTLs, without having access to the Windows Update site. This configuration is described in the Redirect the Microsoft Automatic Update URL section of this document.

  • Configure AD DS domain member computers to independently opt in to untrusted and trusted CTL automatic updates. The independent opt-in configuration is described in the Redirect the Microsoft Automatic Update URL for untrusted CTLs only section of this document.

  • Examine the set of root certificates in the Windows Root Certificate Program. Examining the root certificate set enables administrators to select a subset of certificates to distribute by using a Group Policy Object (GPO). This configuration is described in the Use a subset of the trusted CTLs section of this document.

Important

  • The settings described in this document are implemented by using GPOs. These settings are not automatically removed if the GPO is unlinked or removed from the AD DS domain. When implemented, these settings can be changed only by using a GPO or by modifying the registry of the affected computers.

  • The concepts discussed in this document are independent of Windows Server Update Services (WSUS).

Configure a file or web server to download the CTL files

To facilitate the distribution of trusted or untrusted certificates for a disconnected environment, you must first configure a file or web server to download the CTL files from the automatic update mechanism.

Retrieve the CTL files from Windows Update

  1. Create a shared folder on a file or web server that is able to synchronize by using the automatic update mechanism and that you want to use to store the CTL files.

    Tip

    Before you begin, you may have to adjust the shared folder permissions and NTFS folder permissions to allow the appropriate account access, especially if you're using a scheduled task with a service account. For more information on adjusting permissions, see Managing Permissions for Shared Folders.

  2. From an elevated PowerShell prompt, run the following command:

    Certutil -syncWithWU \\<server>\<share>

    Substitute the actual server name for <server> and the shared folder name for <share>. For example, for a server named Server1 with a shared folder named CTL, you'd run the command:

    Certutil -syncWithWU \\Server1\CTL
  3. Download the CTL files on a server that computers in a disconnected environment can access over the network by using a FILE path (for example, FILE://\\Server1\CTL) or an HTTP path (for example, http://Server1/CTL).

Note

  • If the server that synchronizes the CTLs is not accessible from the computers in the disconnected environment, you must provide another method to transfer the information. For example, you can allow one of the domain members to connect to the server, then schedule another task on the domain member computer to pull the information into a shared folder on an internal web server. If there is absolutely no network connection, you may have to use a manual process to transfer the files, such as a removable storage device.

  • If you plan to use a web server, you should create a new virtual directory for the CTL files. The steps to create a virtual directory by using Internet Information Services (IIS) are nearly the same for all the supported operating systems discussed in this document. For more information, see Create a Virtual Directory (IIS7).

  • Certain system and application folders in Windows have special protection applied to them. For example, the inetpub folder requires special access permissions, which make it difficult to create a shared folder for use with a scheduled task to transfer files. An administrator can create a folder location at the root of a logical drive to use for file transfers.

Redirect the Microsoft Automatic Update URL

The computers in your network might be configured in a disconnected environment and therefore unable to use the automatic update mechanism or download CTLs. You can implement a GPO in AD DS to configure these computers to obtain the CTL updates from an alternate location.

The configuration in this section requires that you already completed the steps in Configure a file or web server to download the CTL files.

To configure a custom administrative template for a GPO

  1. On a domain controller, create a new administrative template. Open a text file in Notepad and then change the file name extension to .adm. The contents of the file should be as follows:

    CLASS MACHINE
    CATEGORY !!SystemCertificates
        KEYNAME "Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
        POLICY !!RootDirURL
            EXPLAIN !!RootDirURL_help
            PART !!RootDirURL EDITTEXT
                VALUENAME "RootDirURL"
            END PART
        END POLICY
    END CATEGORY
    [strings]
    RootDirURL="URL address to be used instead of default ctldl.windowsupdate.com"
    RootDirURL_help="Enter a FILE or HTTP URL to use as the download location of the CTL files."
    SystemCertificates="Windows AutoUpdate Settings"
  2. Use a descriptive name to save the file, such as RootDirURL.adm.

    • Ensure that the file name extension is .adm and not .txt.

    • If you haven't already enabled file name extension viewing, see How To: View File Name Extensions.

    • If you save the file to the %windir%\inf folder, it's easier to locate in the following steps.

  3. Open the Group Policy Management Editor. Select Start > Run, type GPMC.msc, then press ENTER.

    Warning

    You can link a new GPO to the domain or to any organizational unit (OU). The GPO modifications implemented in this document alter the registry settings of the affected computers. You can't undo these settings by deleting or unlinking the GPO. The settings can only be undone by reversing them in the GPO settings or by modifying the registry using another technique.

  4. Expand the Forest object, expand the Domains object, and then expand the specific domain that contains the computer accounts that you want to change. If you have a specific OU that you want to modify, then navigate to that location.

  5. Right-click, then select Create a GPO in this domain, and Link it here to create a new GPO.

  6. In the navigation pane, under Computer Configuration, expand Policies.

  7. Right-select Administrative Templates, then select Add/Remove Templates.

  8. In Add/Remove Templates, select Add.

  9. In the Policy Templates dialog box, select the .adm template that you previously saved. Select Open, then select Close.

  10. In the navigation pane, expand Administrative Templates, and then expand Classic Administrative Templates (ADM).

  11. Select Windows AutoUpdate Settings, and in the details pane, double-click URL address to be used instead of default ctldl.windowsupdate.com.

  12. Select Enabled. In the Options section, enter the URL to the file server or web server that contains the CTL files. For example, http://server1/CTL or file://\\server1\CTL.

  13. Select OK.

  14. Close the Group Policy Management Editor.

The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.

Important

The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the files synchronized by using a scheduled task or another method (such as a script that handles error conditions) to update the shared folder or web virtual directory. For more information about creating a scheduled task using PowerShell, see New-ScheduledTask. If you plan to write a script to make daily updates, see the certutil Windows command reference.
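As an added example (not code from the original article), the following PowerShell script runs the synchronization from the earlier procedure with error handling and can register the daily scheduled task this note calls for. It assumes the \\Server1\CTL share from that procedure; the C:\CTLSync paths and the CONTOSO\svc-ctlsync service account are placeholders.

```powershell
# Added example, not code from the original article. Syncs the CTL files into the share
# with error handling and (with -RegisterTask) registers a daily task that reruns this script.
# Assumptions: \\Server1\CTL is the share from the procedure above; C:\CTLSync and
# CONTOSO\svc-ctlsync are placeholders for the script/log location and the service account.
param([switch]$RegisterTask)

$CtlShare   = '\\Server1\CTL'
$ScriptPath = 'C:\CTLSync\Sync-CtlShare.ps1'   # where this script is saved (assumption)
$LogFile    = 'C:\CTLSync\sync.log'             # folder must already exist (assumption)
$TaskName   = 'Sync CTL files from Windows Update'

function Sync-CtlShare {
    param([Parameter(Mandatory)][string]$Destination)

    if (-not (Test-Path -LiteralPath $Destination)) {
        throw "CTL destination '$Destination' is not reachable."
    }

    # certutil -syncWithWU downloads authrootstl.cab, disallowedcertstl.cab,
    # disallowedcert.sst and the <thumbprint>.crt files into the destination.
    $output = & certutil.exe -syncWithWU $Destination 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -syncWithWU failed (exit $LASTEXITCODE): $($output -join ' ')"
    }

    # The two CTL cabinets that redirected clients fetch must exist and be non-empty.
    foreach ($name in 'authrootstl.cab', 'disallowedcertstl.cab') {
        $item = Get-Item -LiteralPath (Join-Path $Destination $name) -ErrorAction SilentlyContinue
        if (-not $item -or $item.Length -eq 0) {
            throw "Expected file '$name' is missing or empty after sync."
        }
    }
    return (Get-ChildItem -LiteralPath $Destination -File).Count
}

function Register-CtlSyncTask {
    # Runs this script daily as the service account; the password is prompted for once.
    $cred     = Get-Credential -UserName 'CONTOSO\svc-ctlsync' -Message 'Service account for CTL sync'
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -Daily -At '03:00'
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                  -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 15)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -RunLevel Highest `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null
}

if ($RegisterTask) { Register-CtlSyncTask; return }

try {
    $count = Sync-CtlShare -Destination $CtlShare
    "$(Get-Date -Format s) OK  $count files present in $CtlShare" | Add-Content -Path $LogFile
}
catch {
    "$(Get-Date -Format s) ERR $($_.Exception.Message)" | Add-Content -Path $LogFile
    exit 1
}
```

Run the script once with -RegisterTask from an elevated prompt to create the task; the non-zero exit code and the ERR log line give a monitoring system something to alert on when a sync fails.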

Redirect the Microsoft Automatic Update URL for untrusted CTLs only

Some organizations might want only the untrusted CTLs (not the trusted CTLs) to be automatically updated. To automatically update only the untrusted CTLs, create two .adm templates to add to Group Policy.

In a disconnected environment, you can use the following procedure with the previous procedure (redirect the Microsoft Automatic Update URL for trusted CTLs and untrusted CTLs). This procedure explains how to selectively disable the automatic update of trusted CTLs.

You also can use this procedure in a connected environment in isolation to selectively disable the automatic update of trusted CTLs.

To selectively redirect only untrusted CTLs

  1. On a domain controller, create the first new administrative template by starting with a text file and then changing the file name extension to .adm. The contents of the file should be as follows:

    CLASS MACHINE
    CATEGORY !!SystemCertificates
        KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot"
        POLICY !!DisableRootAutoUpdate
            EXPLAIN !!Certificates_config
            VALUENAME "DisableRootAutoUpdate"
            VALUEON NUMERIC 0
            VALUEOFF NUMERIC 1
        END POLICY
    END CATEGORY
    [strings]
    DisableRootAutoUpdate="Auto Root Update"
    Certificates_config="By default automatic updating of the trusted CTL is enabled. To disable the automatic updating of the trusted CTL, select Disabled."
    SystemCertificates="Windows AutoUpdate Settings"
  2. Use a descriptive name to save the file, such as DisableAllowedCTLUpdate.adm.

  3. Create a second new administrative template. The contents of the file should be as follows:

    CLASS MACHINE
    CATEGORY !!SystemCertificates
        KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot"
        POLICY !!EnableDisallowedCertAutoUpdate
            EXPLAIN !!Certificates_config
            VALUENAME "EnableDisallowedCertAutoUpdate"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
    END CATEGORY
    [strings]
    EnableDisallowedCertAutoUpdate="Untrusted CTL Automatic Update"
    Certificates_config="By default untrusted CTL automatic update is enabled. To disable the untrusted CTL update, select Disabled."
    SystemCertificates="Windows AutoUpdate Settings"
  4. Use a descriptive file name to save the file, such as EnableUntrustedCTLUpdate.adm.

    • Ensure that the file name extensions of these files are .adm and not .txt.

    • If you save the files to the %windir%\inf folder, they're easier to locate in the following steps.

  5. Open the Group Policy Management Editor.

  6. Expand the Forest object, expand the Domains object, and then expand the specific domain that contains the computer accounts that you want to change. If you have a specific OU that you want to modify, then navigate to that location.

  7. In the navigation pane, under Computer Configuration, expand Policies.

  8. Right-select Administrative Templates, then select Add/Remove Templates.

  9. In Add/Remove Templates, select Add.

  10. In the Policy Templates dialog box, select the .adm templates that you previously saved. Select Open, then select Close.

  11. In the navigation pane, expand Administrative Templates, then expand Classic Administrative Templates (ADM).

  12. Select Windows AutoUpdate Settings, then in the details pane, double-click Auto Root Update.

  13. Select Disabled, then select OK.

  14. In the details pane, double-click Untrusted CTL Automatic Update, then select Enabled and OK.

The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.

Important

The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the files synchronized by using a scheduled task or another method to update the shared folder or virtual directory.

Use a subset of the trusted CTLs

This section describes how you can produce, review, and filter the trusted CTLs that you want computers in your organization to use. You must implement the GPOs described in the previous procedures to make use of this resolution. This resolution is available for disconnected and connected environments.

There are two procedures to customize the list of trusted CTLs.

  1. Create a subset of trusted certificates

  2. Distribute the trusted certificates by using Group Policy

To create a subset of trusted certificates

Here's how to generate SST files by using the Windows automatic update mechanism. For more information about generating SST files, see the Certutil Windows commands reference.

  1. From a computer that is connected to the Internet, open Windows PowerShell as an Administrator or open an elevated command prompt, and type the following command:

    Certutil -generateSSTFromWU WURoots.sst
  2. Run the following command to open WURoots.sst in Windows Explorer:

    start explorer.exe wuroots.sst

    Tip

    You also can use Internet Explorer to navigate to the file and double-click it to open it. Depending on where you stored the file, you may also be able to open it by typing wuroots.sst.

  3. Open Certificate Manager.

  4. Expand the file path under Certificates - Current User until you see Certificates, then select Certificates.

  5. In the details pane, you can see the trusted certificates. Hold down the CTRL key and select each of the certificates that you want to allow. When you've finished selecting the certificates you want to allow, right-click one of the selected certificates, select All Tasks, then select Export.

    • You must select a minimum of two certificates to export the .sst file type. If you select only one certificate, the .sst file type isn't available, and the .cer file type is selected instead.
  6. In the Certificate Export Wizard, select Next.

  7. On the Export File Format page, select Microsoft Serialized Certificate Store (.SST), and then select Next.

  8. On the File to Export page, enter a file path and an appropriate name for the file, such as C:\AllowedCerts.sst, then select Next.

  9. Select Finish. When you're notified that the export was successful, select OK.

  10. Copy the .sst file that you created to a domain controller.
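The same subset can be produced without the GUI. As an added example (not code from the original article), this PowerShell script generates WURoots.sst, keeps only the roots whose thumbprints are on an allow-list, and writes them to C:\AllowedCerts.sst ready for the Group Policy import below. The thumbprints in $AllowedThumbprints are placeholders to replace with the ones chosen during review.

```powershell
# Added example, not code from the original article. Builds the allow-listed subset of the
# Windows Update root set as an .sst file. Assumptions: the thumbprints below are
# placeholders; C:\AllowedCerts.sst matches the path used in the procedure above.

$WuRootsPath = Join-Path $env:TEMP 'WURoots.sst'
$SubsetPath  = 'C:\AllowedCerts.sst'
$AllowedThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder SHA-1 thumbprint
    '0000000000000000000000000000000000000002'    # placeholder SHA-1 thumbprint
)

function Get-WuRootCertificates {
    param([Parameter(Mandatory)][string]$Path)
    # Same command as step 1 of the procedure; writes the current trusted root set.
    & certutil.exe -generateSSTFromWU $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed (exit $LASTEXITCODE)" }
    # An .sst is a serialized certificate store; X509Certificate2Collection loads it directly.
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($Path)
    return $collection
}

function Select-AllowedRoots {
    param($Certificates, [string[]]$Thumbprints)
    $wanted = @{}
    foreach ($t in $Thumbprints) { $wanted[$t.ToUpperInvariant()] = $true }   # Thumbprint is uppercase hex
    $selected = @($Certificates | Where-Object { $wanted.ContainsKey($_.Thumbprint) })

    # Warn about allow-list entries that are not in the current root set (typo, or a root
    # that Microsoft has since removed from the program).
    $found = @{}
    foreach ($c in $selected) { $found[$c.Thumbprint] = $true }
    foreach ($t in $wanted.Keys) {
        if (-not $found.ContainsKey($t)) { Write-Warning "Allowed thumbprint $t is not present in WURoots.sst" }
    }
    return $selected
}

$all    = Get-WuRootCertificates -Path $WuRootsPath
$subset = Select-AllowedRoots -Certificates $all -Thumbprints $AllowedThumbprints
if ($subset.Count -eq 0) { throw 'No allow-listed roots were found; nothing to export.' }
if ($subset.Count -lt 2) { Write-Warning 'The export wizard in the procedure above requires at least two certificates for .sst.' }

# Export-Certificate -Type SST writes a Microsoft Serialized Certificate Store, the same
# format the Certificate Export Wizard produces.
$subset | Export-Certificate -FilePath $SubsetPath -Type SST | Out-Null
"$($subset.Count) of $($all.Count) roots written to $SubsetPath"
$subset | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
```

Review the printed table (subject, expiry, thumbprint) before copying the file to the domain controller, so the allow-list is checked against what was actually exported.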

To distribute the list of trusted certificates by using Group Policy

  1. On the domain controller that has the customized .sst file, open the Group Policy Management Editor.

  2. Expand the Forest, Domains, and specific domain object that you want to modify. Right-click Default Domain Policy GPO, then select Edit.

  3. In the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, then expand Public Key Policies.

  4. Right-click Trusted Root Certification Authorities, then select Import.

  5. In the Certificate Import Wizard, select Next.

  6. Enter the path and file name of the file that you copied to the domain controller, or use the Browse button to locate the file. Select Next.

  7. Confirm that you want to place these certificates in the Trusted Root Certification Authorities certificate store by selecting Next, then select Finish. When you're notified that the certificates imported successfully, select OK.

  8. Close the Group Policy Management Editor.

The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.

Registry settings modified

The settings described in this document configure the following registry keys on the client computers. These settings aren't automatically removed if the GPO is unlinked or removed from the domain. These settings must be reconfigured if you want to change them.

  • Enable or disable the Windows AutoUpdate of the trusted CTL:

    • Key: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
    • Type: REG_DWORD
    • Name: DisableRootAutoUpdate
    • Data: 0 to enable or 1 to disable.
    • Default: There is no key present by default. Without a key present, the default is enabled.
  • Enable or disable the Windows AutoUpdate of the untrusted CTL:

    • Key: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
    • Type: REG_DWORD
    • Name: EnableDisallowedCertAutoUpdate
    • Data: 1 to enable or 0 to disable.
    • Default: There is no key present by default. Without a key present, the default is enabled.
  • Set the shared CTL file location (HTTP or the FILE path):

    • Key: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
    • Type: REG_SZ
    • Name: RootDirUrl
    • Data: Enter a valid HTTP or file URI.
    • Default: There is no key present by default. Without a key present, the default behavior uses Windows Update.

Verify Trusted and Untrusted CTLs

It may be necessary for various reasons to verify all Trusted and Untrusted CTLs from a client machine. The following Certutil options can be used to verify all Trusted and Untrusted CTLs from a client machine.

certutil -verifyCTL AuthRoot
certutil -verifyCTL Disallowed

Checking Last Sync Time

To check the most recent sync time on the local machine for either Trusted or Untrusted CTLs, run the following Certutil commands:

certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
certutil -verifyctl Disallowed | findstr /i "lastsynctime"
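The registry values and certutil checks above can be combined into a single client-side audit. As an added example (not code from the original article), this PowerShell script reports the effective state of the three settings listed under Registry settings modified, extracts the LastSyncTime of each CTL, and warns when a CTL has not synced within an assumed threshold of $MaxAgeDays days; it assumes certutil prints the time as "LastSyncTime: <date>" in the local date format.

```powershell
# Added example, not code from the original article. Audits a client's CTL update settings
# and last sync times. Assumptions: $MaxAgeDays is an arbitrary threshold; the LastSyncTime
# line from certutil -verifyctl is parsed as "LastSyncTime: <date>" in the local format.

$MaxAgeDays = 7

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-CtlUpdateSettings {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $auto   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $disableRoot = Get-RegValue -Path $policy -Name 'DisableRootAutoUpdate'
    $enableDis   = Get-RegValue -Path $policy -Name 'EnableDisallowedCertAutoUpdate'
    $rootDirUrl  = Get-RegValue -Path $auto   -Name 'RootDirUrl'

    # A missing value means the default: updates enabled, source is Windows Update.
    $trusted = 'enabled (default)'
    if ($null -ne $disableRoot) { $trusted = if ($disableRoot -eq 1) { 'disabled' } else { 'enabled' } }
    $untrusted = 'enabled (default)'
    if ($null -ne $enableDis) { $untrusted = if ($enableDis -eq 0) { 'disabled' } else { 'enabled' } }
    $source = if ([string]::IsNullOrEmpty($rootDirUrl)) { 'ctldl.windowsupdate.com (default)' } else { $rootDirUrl }

    [pscustomobject]@{
        TrustedCtlAutoUpdate   = $trusted
        UntrustedCtlAutoUpdate = $untrusted
        CtlSource              = $source
    }
}

function Get-CtlLastSyncTime {
    param([ValidateSet('AuthRoot', 'Disallowed')][string]$Ctl)
    $lines = & certutil.exe -verifyctl $Ctl 2>&1
    $line  = $lines | Where-Object { $_ -match 'LastSyncTime' } | Select-Object -First 1
    if (-not $line) { return $null }
    # Everything after the first colon is the timestamp (assumed format, see header comment).
    $text = (([string]$line) -split ':', 2)[1].Trim()
    try { return [datetime]::Parse($text) } catch { return $null }
}

Get-CtlUpdateSettings | Format-List
foreach ($ctl in 'AuthRoot', 'Disallowed') {
    $last = Get-CtlLastSyncTime -Ctl $ctl
    if ($null -eq $last) { Write-Warning "${ctl}: LastSyncTime not found or not parseable"; continue }
    $age = (Get-Date) - $last
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning "$ctl CTL last synced $($age.Days) days ago ($last); check the redirect URL and the share sync."
    } else {
        "$ctl CTL last synced $last (within $MaxAgeDays days)"
    }
}
```

A stale LastSyncTime together with a non-default CtlSource usually points at the file or web server sync having stopped, which is the failure mode the scheduled-task note earlier in this document is meant to prevent.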
  • Certificates and trust

  • List of Participants - Microsoft Trusted Root Program

  • certutil Windows command reference

  • Controlling the Update Root certificate Certificates Feature to Prevent the Flow of Information to and from the Internet
