GPO to revert “Turn off Automatic Root Certificates Update”?Group policy settings not applied802.1x PEAP GPO that trusts self-signed CA certificateSetup.exe called from a batch file crashes with error 0x0000006Revert GPO Settings to UndefinedTurn system icons off with GPO or RegistryWhy are many admins using 'Turn off Automatic Root Certificates Update' Policy?Windows - turn off high contrast mode via GPO or script?GPO Turn OFF Netowrk PlacesRDP-related GPOs are not applyingGPO - Power Button Action - Turn off the display
Cycling to work - 30 mile return
Latin words remembered from high school 50 years ago
In Dutch history two people are referred to as "William III"; are there any more cases where this happens?
Why would Thor need to strike a building with lightning to attack enemies?
How do we explain the use of a software on a math paper?
Can a problematic AL DM/organizer prevent me from running a separate AL-legal game at the same store?
Why were early aviators' trousers flared at the thigh?
Should I twist DC power and ground wires from a power supply?
Working hours and productivity expectations for game artists and programmers
Will this series of events work to drown the Tarrasque?
How to convince boss to spend notice period on documentation instead of new projects
How does the "reverse syntax" in Middle English work?
Who is frowning in the sentence "Daisy looked at Tom frowning"?
Managing heat dissipation in a magic wand
How was the blinking terminal cursor invented?
Would it be possible to set up a franchise in the ancient world?
Why didn't Daenerys' advisers suggest assassinating Cersei?
Is it a good idea to teach algorithm courses using pseudocode instead of a real programming language?
Better than Rembrandt
On a piano, are the effects of holding notes and the sustain pedal the same for a single chord?
Bash - Execute two commands and get exit status 1 if first fails
Windows reverting changes made by Linux to FAT32 partition
Would a "ring language" be possible?
Easier way to draw a filled ellipse with top edge dashed and bottom edge solid?
GPO to revert “Turn off Automatic Root Certificates Update”?
Group policy settings not applied802.1x PEAP GPO that trusts self-signed CA certificateSetup.exe called from a batch file crashes with error 0x0000006Revert GPO Settings to UndefinedTurn system icons off with GPO or RegistryWhy are many admins using 'Turn off Automatic Root Certificates Update' Policy?Windows - turn off high contrast mode via GPO or script?GPO Turn OFF Netowrk PlacesRDP-related GPOs are not applyingGPO - Power Button Action - Turn off the display
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
One of our hosting providers has been setting the "Turn off Automatic Root Certificates Update" underlying registry key as part of their default Windows installation. After the servers join our domain, we'd like to allow the servers to run Automatic Root Certificate Update. However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
We're running 2012R2 and 2016, if that matters. Domain functional level is 2012, though (for obscure compatibility reasons, sigh).
windows group-policy
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
add a comment |
One of our hosting providers has been setting the "Turn off Automatic Root Certificates Update" underlying registry key as part of their default Windows installation. After the servers join our domain, we'd like to allow the servers to run Automatic Root Certificate Update. However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
We're running 2012R2 and 2016, if that matters. Domain functional level is 2012, though (for obscure compatibility reasons, sigh).
windows group-policy
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
add a comment |
One of our hosting providers has been setting the "Turn off Automatic Root Certificates Update" underlying registry key as part of their default Windows installation. After the servers join our domain, we'd like to allow the servers to run Automatic Root Certificate Update. However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
We're running 2012R2 and 2016, if that matters. Domain functional level is 2012, though (for obscure compatibility reasons, sigh).
windows group-policy
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
One of our hosting providers has been setting the "Turn off Automatic Root Certificates Update" underlying registry key as part of their default Windows installation. After the servers join our domain, we'd like to allow the servers to run Automatic Root Certificate Update. However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
We're running 2012R2 and 2016, if that matters. Domain functional level is 2012, though (for obscure compatibility reasons, sigh).
windows group-policy
windows group-policy
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
asked Apr 6 '17 at 13:04
carlpettcarlpett
52661227
52661227
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.
What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.
Have a read at the link for more info on Group Policy and the Registry:
https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f843014%2fgpo-to-revert-turn-off-automatic-root-certificates-update%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.
What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.
Have a read at the link for more info on Group Policy and the Registry:
https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
add a comment |
Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.
What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.
Have a read at the link for more info on Group Policy and the Registry:
https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
add a comment |
Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.
What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.
Have a read at the link for more info on Group Policy and the Registry:
https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:SOFTWAREPoliciesMicrosoftSystemCertificatesAuthRootDisableRootAutoUpdate setting?
A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.
What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.
Have a read at the link for more info on Group Policy and the Registry:
https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
edited Apr 6 '17 at 14:01
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
answered Apr 6 '17 at 13:44
joeqwertyjoeqwerty
97.3k465149
97.3k465149
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
add a comment |
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
Thanks @joeqwerty. I am aware of the lack of tattoing. My question, perhaps not very clear, was if there was some other policy that directly influenced this value? Since this is something that our provider sets before it even joins our domain, we can't really influence the initial state.
– carlpett
Apr 6 '17 at 16:02
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
They could have it already modified in their build image or build script (or whatever they use to deploy new instances).
– joeqwerty
Apr 6 '17 at 16:14
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f843014%2fgpo-to-revert-turn-off-automatic-root-certificates-update%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
