Windows Tip Sheet

I'll Pick My Roots, Thanks

Decide for yourself which CAs to trust with this Group Policy feature and a registry check.

• By Don Jones
• 06/07/2006

One thing about Windows that has always annoyed the snot out of me is the copious list of "trusted" root certification authorities (CAs) that Windows comes with, as well as Windows' predilection for automatically updating this list. With all due respect to the eight zillion CAs Microsoft chose to list, I have no idea how their certificate-issuing process works, and since I don't know, I can't trust them. After all, these folks hold the keys to the kingdom in terms of accessing Windows, and if they're doing a bad job (not that they are, I just don't know), I don't want them on my list.

So I was delighted when "Turn off Automatic Root Certificates Update" appeared in Group Policy. That's the policy setting for me! Unfortunately, after applying it, a quick Resultant Set of Policy (RSoP) check didn't show the policy setting in effect.

Seems this policy setting doesn't always work so well with RSoP, so you may want to manually check that it's being applied. Look in the registry, of course, under \SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
\DisableRootAutoUpdate; that's for Win2003 with SP1. Under WinXP SP2, it's SOFTWARE\Policies\Microsoft\SuystemCertificates\AuthRoot. You can also run Gpresult.exe, which does correctly show the policy setting being applied, if it is.