Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Updating List of Trusted Root Certificates in Windows

January 12, 2022 Group PoliciesWindows 10Windows 11Windows 7Windows Server 2019

Updating List of Trusted Root Certificates in Windows

All Windows versions have a built-in feature for automatically updating root certificates from the Microsoft websites. MSFT, as part of the Microsoft Trusted Root Certificate Program, maintains and publishes a list of trusted certificates for clients and Windows devices in its online repository. If the verified certificate in its certification chain refers to the root CA that participates in this program, the system will automatically download this root certificate from the Windows Update servers and add it to the trusted ones.

Windows updates a trusted root certificate list (CTL) once a week. If Windows doesn’t have direct access to the Windows Update, the system won’t be able to update the root certificates. So a user may have some troubles when browsing websites (which SSL certificates are signed by an untrusted CA – see the article about the “Chrome SSL error: This site can’t provide a secure connection”), or with installing/running signed scripts and apps.

In this article, we’ll try to find out how to manually update the list of root certificates in TrustedRootCA in disconnected (isolated) networks or computers/servers without direct Internet access.

Contents:
  • Managing Trusted Root Certificates in Windows 10 and 11
  • How to Disable/Enable Automatic Root Certificates Update in Windows?
  • Certutil: Download Trusted Root Certificates from Windows Update
  • Certificate Trust List (STL) in Windows
  • Updating Trusted Root Certificates via GPO in an Isolated Environment
  • How to Update Trusted Root Certificates in Windows 7?
  • Updating Root Certificates on Windows XP Using the Rootsupd.exe Tool

Note. If your computers access the Internet through a proxy server, Microsoft recommends that you open direct access (bypass) to Microsoft Web sites to automatically renew root certificates. However, it isn’t always possible or applicable due to corporate restrictions.

Managing Trusted Root Certificates in Windows 10 and 11

How to see the list of trusted root certificates on a Windows computer?

  1. To open the root certificate store of a computer running Windows 11/10/8.1/7 or Windows Server 2022/2019/2016, run the mmc.exe console;
  2. Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
  3. Select that you want to manage certificates of local Computer account;run certificate management snap-in in windows 10
  4. Next -> OK -> OK;
  5. Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.

In the mmc console, you can view information about any certificate or remove it from trusted ones.

You can also get a list of trusted root certificates with their expiration dates using PowerShell:

Get-Childitem cert:\LocalMachine\root |format-list

You can list the expired certificates, or which expire in the next 60 days:

Get-ChildItem cert:\LocalMachine\root|Where {$_.NotAfter -lt  (Get-Date).AddDays(60)}|select NotAfter, Subject

list expired trusted root certificates in WIndows with powershell

For security reasons, it’s recommended that you periodically check the certificate trust store on your computer for suspicious and revoked certificates using the Sigcheck tool. This tool allows you to compare the list of certificates installed on the computer with the list of root certificates on the Microsoft website (you can download an offline file with up-to-date certificates authrootstl.cab).

You can manually transfer the root certificate file between Windows computers using the Export/Import options.

  1. You can export any certificate to a .CER file by clicking on it and selecting All Tasks -> Export;windows 10: exporting root certificate to a cer file
  2. You can import this certificate on another computer using the option All Tasks -> Import.import root certificate from a CER file in windows 10

How to Disable/Enable Automatic Root Certificates Update in Windows?

As we mentioned, Windows automatically updates root certificates. You can enable or disable certificate renewal in Windows through a GPO or the registry.

Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication.

The Turn off Automatic Root Certificates Update option in this section allows you to disable automatic updating of root certificates through the Windows Update sites. By default, this policy is not configured and Windows always tries to automatically renew root certificates.

Group Policy: turn off automatic root certificates update in Windows

If this GPO option is not configured and the root certificates are not automatically renewed, check if this setting is manually enabled in the registry. Check the value of the registry parameter using PowerShell:

Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot' -Name DisableRootAutoUpdate

DisableRootAutoUpdate registry parameter

If the command returns that the value of the DisableRootAutoUpdate registry parameter is 1, then the updating of root certificates is disabled on your computer. To enable it, change the parameter value to 0.

Certutil: Download Trusted Root Certificates from Windows Update

Certutil.exe CLI tool can be used to manage certificates (introduced in Windows 10, for Windows 7 is available as a separate update). It can be used to download an up-to-date list of root certificates from Windows Update and save it to an SST file.

To generate an SST file on a computer running Windows 10 or 11 and having direct access to the Internet, open the elevated command prompt and run the command:

certutil.exe -generateSSTFromWU C:\PS\roots.sst

Updated SST file.
CertUtil: -generateSSTFromWU command completed successfully.

certutil.exe -generateSSTFromWU roots.sst

As a result, an SST file containing an up-to-date list of root certificates will appear in the target directory. Double-click to open it. This file is a container containing trusted root certificates.

roots.sst list of trusted MSFT root certificates

As you can see, a familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there have been 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.

Tip. The certutil -syncWithWU command can be used to generate individual certificate files. The certificates obtained in this way can be deployed to Windows devices using GPO.

You can use PowerShell script to install all certificates from the SST file and add them to the list of trusted root certificates on a computer:

$sstStore = ( Get-ChildItem -Path C:\ps\rootsupd\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority. In my example on Windows 11, the number of root certificates increased from 34 to 438.

install microsoft trusted root certificates in Windows using powershell

A clean copy of Windows after installation contains only a small number of certificates in the root store. If the computer is connected to the Internet, the rest of the root certificates will be installed automatically (on demand) if your device access an HTTPS site or SSL certificate that has a fingerprint from Microsoft CTL in its trust chain. Therefore, as a rule, there is no need to immediately add all certificates that Microsoft trusts to the local certification store.  

Certificate Trust List (STL) in Windows

A Certificate Trust List (CTL) is simply a list of data (such as certificate hashes) that is signed by a trusted party (by Microsoft in this case). The Windows client periodically downloads from Windows Update this CTL, which stores the hashes of all trusted root CAs.  It should be understood that this CTL doesn’t contain the certificates themselves, only their hashes and attributes (for example, Friendly Name). Windows devices can download a trusted certificate from Certificate Trust List on demand.

You can manually download and install the CTL file. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any archiver (or even Windows Explorer), unpack the contents of the authrootstl.cab archive. It contains a single authroot.stl file.

authroot.stl.

The Authroot.stl file is a container with a list of trusted certificate thumbprints in Certificate Trust List format.

Microsoft Certificate Trust List

You can install this CTL file to a Trusted Root Certificate Authority using the certutil command:

certutil -enterprise -f -v -AddStore "Root" "C:\PS\authroot.stl"

certutil install cert trusted list

root "Trusted Root Certification Authorities"
CTL 0 added to store.
CertUtil: -addstore command completed successfully.

You can also import certificates using the certificate management console (Trust Root Certification Authorities -> Certificates -> All Tasks -> Import). Specify the path to your STL file with certificate thumbprints.

import trusted root certificates using certmgr snapin

After you have run the command, a new section Certificate Trust List appears in Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).

certmgr Microsoft Certificate Trust List Publisher

In the same way, you can download and install the list of the revoked (disallowed) certificates that have been removed from the Root Certificate Program. To do it, download the disallowedcertstl.cab file (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), extract it, and add it to the Untrusted Certificates store with the command:

certutil -enterprise -f -v -AddStore disallowed "C:\PS\disallowedcert.stl"

Updating Trusted Root Certificates via GPO in an Isolated Environment

If you have the task of regularly updating root certificates in an Internet-isolated Active Directory domain, there is a slightly more complicated scheme for updating local certificate stores on domain-joined computers using Group Policies. You can configure root certificate updates on user computers in the disconnected Windows networks in several ways.

The first way assumes that you regularly manually download and copy a file with root certificates to your isolated network. You can download the file with current Microsoft root certificates as follows:

certutil.exe –generateSSTFromWU roots.sst

Then the root certificates from this file can be deployed via SCCM or PowerShell Startup script in GPO:

$sstStore = (Get-ChildItem -Path \\fr-dc01\SYSVOL\woshub.com\rootcert\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

The second way is to download the actual Microsoft root certificates using the command:

Certutil -syncWithWU -f \\fr-dc01\SYSVOL\woshub.com\rootcert\

A number of root certificate files (CRT file format) will appear in the specified shared network folder (including files authrootstl.cab, disallowedcertstl.cab, disallowedcert.sst, thumbprint.crt).

Certutil syncWithWU: getting latest root certs from windows update

Then use the Group Policy Preferences to change the value of the registry parameter RootDirURL under HKLM\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate. This parameter should point to the shared network folder from which your Windows computers will receive new root certificates. Run the domain GPMC.msc console, create a new GPO, switch to the edit policy mode, and expand the section Computer Configuration -> Preferences -> Windows Settings -> Registry. Create a new registry property with the following settings:

  • Action: Update
  • Hive: HKLM
  • Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
  • Value name: RootDirURL
  • Type: REG_SZ
  • Value data: file://\\fr-dc01\SYSVOL\woshub.com\rootcert\

GPP: set RootDirURL registry value to update trusted root certs in the isolated environment

It remains to link this policy on a computer`s OU and after updating GPO settings on the client, check for new root certificates in the certstore.

The GPO parameter Turn off Automatic Root Certificates Update under Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings should be disabled or not configured.  

How to Update Trusted Root Certificates in Windows 7?

Despite the fact that Windows 7 is now is at the End of Support phase, many users and companies still use it.

After installing a clean Windows 7 image, you may find that many modern programs and tools do not work on it as they are signed with new certificates. In particular, there have been complaints that .Net Framework 4.8 or Microsoft Visual Studio (vs_Community.exe) cannot be installed on Windows 7 SP1 x64 without updating root certificates.

The installer manifest failed signature validation.

Or

NET Framework has not been installed because a certificate chain could not be built to a trusted root authority.

visual studio windows 7 installer manifest failed signature validation

To update root certificates in Windows 7, you must first download and install MSU update KB2813430 (https://support.microsoft.com/en-us/topic/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows-0c51c702-fdcc-f6be-7089-4585fad729d6)

After that, you can use the certutil to generate an SST file with root certificates (on current or another computer):

certutil.exe -generateSSTFromWU c:\ps\roots.sst

Now you can import certificates into trusted ones:

Run MMC -> add snap-in -> certificates -> computer account > local computer. Right click Trusted root certification authority, All Tasks -> Import, find your SST file (in the file type select Microsoft Serialized Certificate Store — *.sst) -> Open -> Place all certificates in the following store -> Trusted Root Certification Authorities.

Updating Root Certificates on Windows XP Using the Rootsupd.exe Tool

In Windows XP, the rootsupd.exe utility was used to update the computer`s root certificates. The list of root and revoked certificates in it was regularly updated. The tool was distributed as a separate update KB931125 (Update for Root Certificates). Let’s see if we can use it now.

  1. Download the rootsupd.exe utility using the following link http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. At the moment (January 2021) the link doesn’t work, Microsoft decided to remove it from the public. Today you can download the rootsupd.exe from the Kaspersky website — http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip;
  2. To install the Windows root certificates, just run the rootsupd.exe file. But we will try to examine its contents more carefully. Extract the certificates from the executable file with the command: rootsupd.exe /c /t: C:\PS\rootsupdrootsupd.exe
  3. Certificates are stored in SST files, like authroots.sst, delroot.sst, etc. To remove or install certificates, you can use the following commands:
    updroots.exe authroots.sst
    updroots.exe -d delroots.sst

However, as you can see, these certificate files were created on April 4, 2013 (almost a year before the end of official support for Windows XP). Thus, since then the tool has not been updated and cannot be used to install up-to-date certificates.

But you can use cerutil tool in Windows 10/11 to download root.sst, copy that file in Windows XP and install the certificate using updroots.exe:

updroots.exe c:\temp\roots.sst

There is information that the updroots.exe tool is not recommended for use in modern builds of Windows 10 1803+ and Windows 11, as it can break the Microsoft root CA on a device.

In this article, we looked at several ways to update trusted root certificates on Windows network computers that are isolated from the Internet (disconnected environment).

39 comments
9
Facebook Twitter Google + Pinterest
previous post
How to Extend Office 2021/2019/2016 & Office 365 Trial Period?
next post
Forwarding Emails to an External Address in Microsoft 365 (Exchange Online)

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • How to Delete Old User Profiles in Windows?
  • Allow Non-admin Users RDP Access to Windows Server
  • How to Find the Source of Account Lockouts in Active Directory?
  • How to Hide or Show User Accounts from Login Screen on Windows 10/11?
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • Changing Default File Associations in Windows 10 and 11
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top