question

ExchangeAdmin-1818 avatar image
0 Votes"
ExchangeAdmin-1818 asked ExchangeAdmin-1818 answered

How to enable the "automatic root certificates update" on Windows Server 2016

Hello,

I want enable the automatic root certificates update on Windows Server 2016 to address an error message given by testconnectivity.microsoft.com

I have only found descriptions for older Windows versions like the following advice by Microsoft for Windows Server 2008. Not surprisingly, there is no "Turn off Automatic Root Certificates Update" entry in the 2016 edition.

Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc734054(v=ws.10)



I have also tried to directly modify the registry value for the respective entry as suggested on several websites. However, also this entry does not exist in Windows Server 2016. I guess it doesn't make sense to create a new entry. It might be even counterproductive and cause further errors.

HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRootD
WORD DisableRootAutoUpdate = ...

I would be thankful for any hint to solve the problem!



windows-server-security
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

FanFan-MSFT avatar image
1 Vote"
FanFan-MSFT answered FanFan-MSFT commented

Hi,

I checked the "automatic root certificates update" from the Local Group Policy on the 2016 server and the 2019 server, both have the entry.
49230-12181.jpg

I would recommend you download the administrative admx files and update the one on your server.
https://www.microsoft.com/en-us/download/details.aspx?id=102157

Rename the folder "PolicyDefinitions : in C:\Windows to PolicyDefinitions old ,and create a new folder named PolicyDefinitions then put the files you download into it.
Then check the entries again.

Best Regards,



12181.jpg (153.4 KiB)
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image FanFan-MSFT ·

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

0 Votes 0 ·
ExchangeAdmin-1818 avatar image
0 Votes"
ExchangeAdmin-1818 answered

Thanks a lot, now it works!

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.