Windows Tip Sheet
I'll Pick My Roots, Thanks
Decide for yourself which CAs to trust with this Group Policy feature and a registry check.
One thing about Windows that has always annoyed the snot out of me is the copious
list of "trusted" root certification authorities (CAs) that Windows
comes with, as well as Windows' predilection for automatically updating this
list. With all due respect to the eight zillion CAs Microsoft chose to list,
I have no idea how their certificate-issuing process works, and since
I don't know, I can't trust them. After all, these folks hold the keys to the
kingdom in terms of accessing Windows, and if they're doing a bad job (not that
they are, I just don't know), I don't want them on my list.
So I was delighted when "Turn off Automatic Root Certificates Update"
appeared in Group Policy. That's the policy setting for me! Unfortunately,
after applying it, a quick Resultant Set of Policy (RSoP) check didn't
show the policy setting in effect.
It seems this policy setting doesn't always work so well with RSoP, so you
may want to manually check that it's being applied. Look in the registry,
of course, under \SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot;
that's for Win2003 with SP1. Under WinXP SP2, it's SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot.
You can also run Gpresult.exe, which does correctly show the policy setting
being applied, if it is.
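The manual check described above can be scripted. The following PowerShell is an added example, not part of the original tip; it assumes the key lives in the HKLM hive and that the policy writes a value named DisableRootAutoUpdate, neither of which the article spells out.

```powershell
# Added example: confirm "Turn off Automatic Root Certificates Update" reached
# the registry, then cross-check with Gpresult.exe as the tip suggests.
# Assumptions: HKLM hive and the value name DisableRootAutoUpdate.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdatePolicy {
    $result = [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        KeyPresent    = $false
        RegistryValue = $null
        RegistryState = 'Not configured (key or value missing)'
        GpresultMatch = $false
    }

    if (Test-Path -Path $PolicyKey) {
        $result.KeyPresent = $true
        # The key can exist without the value, so read the value separately.
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $result.RegistryValue = $item.$ValueName
            $result.RegistryState = if ($item.$ValueName -eq 1) {
                'Automatic root update turned off'
            } else {
                'Value present, but automatic update is still allowed'
            }
        }
    }

    # Computer-scope results need an elevated prompt. Assumption: the verbose
    # report names the registry value under Administrative Templates.
    $report = & gpresult.exe /scope computer /v 2>$null
    if ($report) {
        $result.GpresultMatch = [bool]($report | Select-String -SimpleMatch $ValueName -Quiet)
    }

    $result
}

Get-RootAutoUpdatePolicy | Format-List
```

If RegistryState reports the policy as off but GpresultMatch is False, rerun from an elevated prompt before concluding the two sources disagree.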
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.