- Article
Applies To: Windows Server (All supported versions), Windows clients, Azure Stack HCI.
Redirect the Microsoft Automatic Update URL to a file or web server hosting Certificate Trust Lists(CTLs), untrusted CTLs, or a subset of the trusted CTL files in a disconnected environment.
To learn more about how the Microsoft Root Certificate Program works to distribute trusted rootcertificates automatically across Windows operating systems, seeCertificates and trust.
Tip
You don't need to redirect the Microsoft Automatic Update URL for environments where computers areable to connect to the Windows Update site directly. Computers that can connect to the WindowsUpdate site are able to receive updated CTLs on a daily basis.
Prerequisites
Before you can configure your disconnected environment to use CTL files hosted on a file or webserver, you need to complete the following prerequisites.
Client prerequisites
- At least one computer that is able to connect to the Internet to download CTLs from Microsoft. Thecomputer requires HTTP (TCP port 80) access and name resolution (TCP and UDP port 53) ability tocontact
ctldl.windowsupdate.com
. This computer can be a domain member or a member of aworkgroup. Currently all the downloaded files require approximately 1.5 MB of space. - Client machines must be connected to an Active Directory Domain Service domain.
- You must be a member of the local Administrators group.
Server prerequisites
- A file server or web server for hosting the CTL files.
- AD Group policy or MDM solution to deploy configuration settings to your client.
- An account that is a member of the Domain Admins group or that has been delegated the necessarypermissions
Configuration methods
An administrator can configure a file or web server to download the following files by using theautomatic update mechanism:
authrootstl.cab
contains a non-Microsoft CTL.disallowedcertstl.cab
contains a CTL with untrusted certificates.disallowedcert.sst
contains a serialized certificate store, including untrusted certificates.<thumbprint>
.crt contains non-Microsoft root certificates.
The steps to perform this configuration are described in theConfigure a file or web server to download the CTL filessection of this document.
There are several methods to configure your environment to use local CTL files or a subset oftrusted CTLs. The following methods are available.
Configure Active Directory Domain Services (AD DS) domain member computers to use the automaticupdate mechanism for trusted and untrusted CTLs, without having access to the Windows Update site.This configuration is described in the Redirect the Microsoft Automatic Update URL section of this document.
Configure AD DS domain member computers to independently opt-in for untrusted and trusted CTLautomatic updates. The independent opt-in configuration is described in theRedirect the Microsoft Automatic Update URL for untrusted CTLs onlysection of this document.
Examine the set of root certificates in the Windows Root Certificate Program. Examining the rootcertificate set enables administrators to select a subset of certificates to distribute by using aGroup Policy Object (GPO). This configuration is described in theUse a subset of the trusted CTLs section of this document.
Important
The settings described in this document are implemented by using GPOs. These settings are notautomatically removed if the GPO is unlinked or removed from the AD DS domain. When implemented,these settings can be changed only by using a GPO or by modifying the registry of the affectedcomputers.
The concepts discussed in this document are independent of Windows Server Update Services (WSUS).
Configure a file or web server to download the CTL files
To facilitate the distribution of trusted or untrusted certificates for a disconnected environment,you must first configure a file or web server to download the CTL files from the automatic updatemechanism.
Retrieve the CTL files from Windows Update
Create a shared folder on a file or web server that is able to synchronize by using the automaticupdate mechanism and that you want to use to store the CTL files.
Tip
Before you begin, you may have to adjust the shared folder permissions and NTFS folderpermissions to allow the appropriate account access, especially if you're using a scheduledtask with a service account. For more information on adjusting permissions, seeManaging Permissions for Shared Folders.
From an elevated PowerShell prompt, run the following command:
Certutil -syncWithWU \\<server>\<share>
Substitute the actual server name for
<server>
and shared folder name for<share>
Forexample, for a server namedServer1
with a shared folder named CTL, you'd run the command:See AlsoWhat should I do if my CA's root certificate has expired? An Expert's adviceThe Impact of a Root Certificate ExpirationRelease notes - Microsoft Trusted Root Certificate ProgramUsing Multiple Root Certificates | Couchbase DocsCertutil -syncWithWU \\Server1\CTL
Download the CTL files on a server that computers on a disconnected environment can access overthe network by using a FILE path (for example,
FILE://\\Server1\CTL
) or an HTTP path (forexample,http://Server1/CTL
).
Note
If the server that synchronizes the CTLs is not accessible from the computers in thedisconnected environment, you must provide another method to transfer the information. Forexample, you can allow one of the domain members to connect to the server, then scheduleanother task on the domain member computer to pull the information into a shared folder on aninternal web server. If there is absolutely no network connection, you may have to use a manualprocess to transfer the files, such as a removable storage device.
If you plan to use a web server, you should create a new virtual directory for the CTL files.The steps to create a virtual directory by using Internet Information Services (IIS) are nearlythe same for all the supported operating systems discussed in this document. For more information,see Create a Virtual Directory (IIS7).
Certain system and application folders in Windows have special protection applied to them. Forexample, the inetpub folder requires special access permissions, which make it difficult tocreate a shared folder for use with a scheduled task to transfer files. An administrator cancreate a folder location at the root of a logical drive system to use for file transfers.
Redirect the Microsoft Automatic Update URL
The computers in your network might be configured in a disconnected environment and therefore unableto use the automatic update mechanism or download CTLs. You can implement a GPO in AD DS toconfigure these computers to obtain the CTL updates from an alternate location.
The configuration in this section requires that you already completed the steps inConfigure a file or web server to download the CTL files.
To configure a custom administrative template for a GPO
On a domain controller, create a new administrative template. Open a text file in Notepad andthen change the file name extension to
.adm
. The contents of the file should be as follows:CLASS MACHINECATEGORY !!SystemCertificates KEYNAME "Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate" POLICY !!RootDirURL EXPLAIN !!RootDirURL_help PART !!RootDirURL EDITTEXT VALUENAME "RootDirURL" END PART END POLICYEND CATEGORY[strings]RootDirURL="URL address to be used instead of default ctldl.windowsupdate.com"RootDirURL_help="Enter a FILE or HTTP URL to use as the download location of the CTL files."SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive name to save the file, such as
RootDirURL.adm
.Ensure that the file name extension is
.adm
and not.txt
.If you haven't already enabled file name extension viewing, seeHow To: View File Name Extensions.
If you save the file to the
%windir%\inf
folder, it's easier to locate in the followingsteps.
Open the Group Policy Management Editor. Select Start > Run, type GPMC.msc, then press ENTER.
Warning
You can link a new GPO to the domain or to any organizational unit (OU). The GPO modificationsimplemented in this document alter the registry settings of the affected computers. You can'tundo these settings by deleting or unlinking the GPO. The settings can only be undone byreversing them in the GPO settings or by modifying the registry using another technique.
Expand the Forest object, expand the Domains object, and then expand the specific domainthat contains the computer accounts that you want to change. If you have a specific OU that youwant to modify, then navigate to that location.
Right-select and then select Create a GPO in this domain, and Link it here to create a newGPO.
In the navigation pane, under Computer Configuration, expand Policies.
Right-select Administrative Templates, then select Add/Remove Templates.
In Add/Remove Templates, select Add.
In the Policy Templates dialog box, select the
.adm
template that you previously saved.Select Open, then select Close.In the navigation pane, expand Administrative Templates, and then expand ClassicAdministrative Templates (ADM).
Select Windows AutoUpdate Settings, and in the details pane, double-select URL address tobe used instead of default ctldl.windowsupdate.com.
Select Enabled. In the Options section, enter the URL to the file server or web server thatcontains the CTL files. For example,
http://server1/CTL
orfile://\\server1\CTL
.Select OK.
Close the Group Policy Management Editor.
The policy is effective immediately, but the client computers must be restarted to receive the newsettings, or you can type gpupdate /force
from an elevated command prompt or from WindowsPowerShell.
Important
The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the filessynchronized by using a scheduled task or another method (such as a script that handles errorconditions) to update the shared folder or web virtual directory. For more information aboutcreating a scheduled task using PowerShell, seeNew-ScheduledTask. If you plan to write ascript to make daily updates, see thecertutil Windows command reference.
Redirect the Microsoft Automatic Update URL for untrusted CTLs only
Some organizations might want only the untrusted CTLs (not the trusted CTLs) to be automaticallyupdated. To automatically update only the untrusted CTLs, create two .adm
templates to add toGroup Policy.
In a disconnected environment, you can use the following procedure with the previous procedure(redirect the Microsoft Automatic Update URL for trusted CTLs and untrusted CTLs). This procedureexplains how to selectively disable the automatic update of trusted CTLs.
You also can use this procedure in a connected environment in isolation to selectively disable theautomatic update of trusted CTLs.
To selectively redirect only untrusted CTLs
On a domain controller, create the first new administrative template by starting with a text fileand then changing the file name extension to
.adm
. The contents of the file should be asfollows:CLASS MACHINECATEGORY !!SystemCertificates KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot" POLICY !!DisableRootAutoUpdate EXPLAIN !!Certificates_config VALUENAME "DisableRootAutoUpdate" VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICYEND CATEGORY[strings]DisableRootAutoUpdate="Auto Root Update"Certificates_config="By default automatic updating of the trusted CTL is enabled. To disable the automatic updating trusted CTLe, select Disabled."SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive name to save the file, such as
DisableAllowedCTLUpdate.adm
.Create a second new administrative template. The contents of the file should be as follows:
CLASS MACHINECATEGORY !!SystemCertificates KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot" POLICY !!EnableDisallowedCertAutoUpdate EXPLAIN !!Certificates_config VALUENAME "EnableDisallowedCertAutoUpdate" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICYEND CATEGORY[strings]EnableDisallowedCertAutoUpdate="Untrusted CTL Automatic Update"Certificates_config="By default untrusted CTL automatic update is enabled. To disable trusted CTL update, select Disabled."SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive file name to save the file, such as EnableUntrustedCTLUpdate.adm.
Ensure that the file name extensions of these files are
.adm
and not.txt
.If you save the file to the
%windir%\inf
folder, it's easier to locate in the followingsteps.
Open the Group Policy Management Editor.
Expand the Forest object, expand the Domains object, and then expand the specific domainthat contains the computer accounts that you want to change. If you have a specific OU that youwant to modify, then navigate to that location.
In the navigation pane, under Computer Configuration, expand Policies.
Right-select Administrative Templates, then select Add/Remove Templates.
In Add/Remove Templates, select Add.
In the Policy Templates dialog box, select the
.adm
template that you previously saved.Select Open, then select Close.In the navigation pane, expand Administrative Templates, then expand Classic AdministrativeTemplates (ADM).
Select Windows AutoUpdate Settings, then in the details pane, double-click Auto RootUpdate.
Select Disabled, then select OK.
In the details pane, double-click Untrusted CTL Automatic Update, then select Enabled andOK.
The policy is effective immediately, but the client computers must be restarted to receive the newsettings, or you can type gpupdate /force
from an elevated command prompt or from WindowsPowerShell.
Important
The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the filessynchronized by using a scheduled task or another method to update the shared folder or virtualdirectory.
Use a subset of the trusted CTLs
This section describes how you can produce, review, and filter the trusted CTLs that you wantcomputers in your organization to use. You must implement the GPOs described in the previousprocedures to make use of this resolution. This resolution is available for disconnected andconnected environments.
There are two procedures to customize the list of trusted CTLs.
Create a subset of trusted certificates
Distribute the trusted certificates by using Group Policy
To create a subset of trusted certificates
Here's how to generate SST files by using the automatic Windows update mechanism from Windows. Formore information about generating SST files, see theCertutil Windowscommands reference.
From a computer that is connected to the Internet, open Windows PowerShell as an Administrator oropen an elevated command prompt, and type the following command:
Certutil -generateSSTFromWU WURoots.sst
Run the following command in Windows Explorer to open
WURoots.sst
:start explorer.exe wuroots.sst
Tip
You also can use Internet Explorer to navigate to the file and double-click it to open it.Depending on where you stored the file, you may also be able to open it by typing
wuroots.sst
.Open Certificate Manager.
Expand the file path under Certificates - Current User until you see Certificates, thenselect Certificates.
In the details pane, you can see the trusted certificates. Hold down the CTRL key andselect each of the certificates that you want to allow. When you've finished selecting thecertificates you want to allow, right-click one of the selected certificates, select AllTasks, then select Export.
- You must select a minimum of two certificates to export the
.sst
file type. If you selectonly one certificate, the.sst
file type isn't available, and the.cer
file type isselected instead.
- You must select a minimum of two certificates to export the
In the Certificate Export Wizard, select Next.
On the Export File Format page, select Microsoft Serialized Certificate Store (.SST), andthen select Next.
On the File to Export page, enter a file path and an appropriate name for the file, such as
C:\AllowedCerts.sst
, then select Next.Select Finish. When you're notified that the export was successful, select OK.
Copy the
.sst
file that you created to a domain controller.
To distribute the list of trusted certificates by using Group Policy
On the domain controller that has the customized
.sst
file, open the Group Policy ManagementEditor.Expand the Forest, Domains, and specific domain object that you want to modify.Right-click Default Domain Policy GPO, then select Edit.
In the navigation pane, under Computer Configuration, expand Policies, expand WindowsSettings, expand Security Settings, then expand Public Key Policies.
Right-click Trusted Root Certification Authorities, then select Import.
In the Certificate Import Wizard, select Next.
Enter the path and file name of the file that you copied to the domain controller, or use theBrowse button to locate the file. Select Next.
Confirm that you want to place these certificates in the Trusted Root CertificationAuthorities certificate store by selecting Next. select Finish. When you're notifiedthat the certificates imported successfully, select OK.
Close the Group Policy Management Editor.
The policy is effective immediately, but the client computers must be restarted to receive the newsettings, or you can type gpupdate /force
from an elevated command prompt or from WindowsPowerShell.
Registry settings modified
The settings described in this document configure the following registry keys on the clientcomputers. These settings aren't automatically removed if the GPO is unlinked or removed from thedomain. These settings must be reconfigured, if you want to change them.
Enable or disable the Windows AutoUpdate of the trusted CTL:
- Key:
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
- Type:
REG_DWORD
- Name:
DisableRootAutoUpdate
- Data:
0
to enabled or1
to disable. - Default: There is no key present by default. Without a key present, the default is enabled.
- Key:
Enable or disable the Windows AutoUpdate of the untrusted CTL:
- Key:
SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
- Type:
REG_DWORD
- Name:
EnableDisallowedCertAutoUpdate
- Data:
1
to enabled or0
to disable. - Default: There is no key present by default. Without a key present, the default is enabled.
- Key:
Set the shared CTL file location (HTTP or the FILE path):
- Key:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
- Type:
REG_SZ
- Name:
RootDirUrl
- Data: Enter a valid HTTP or file URI.
- Default: There is no key present by default. Without a key present, the default behaviorused Windows Update.
- Key:
Verify Trusted and Untrusted CTLs
It may be necessary for various reasons to verify all Trusted and Untrusted CTLs from a clientmachine. The following Certutil options can be used to verify all Trusted and Untrusted CTLs from aclient machine.
certutil -verifyCTL AuthRootcertutil -verifyCTL Disallowed
Checking Last Sync Time
To check the most recent sync time on the local machine for either Trusted or Untrusted CTLs, runthe following Certutil command:
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"certutil -verifyctl Disallowed | findstr /i "lastsynctime"
Certificates and trust
List of Participants - Microsoft Trusted Root Program
certutil Windows command reference
Controlling the Update Root certificate Certificates Feature to Prevent the Flow of Information to and from the Internet