Windows – GPO to revert “Turn off Automatic Root Certificates Update”

Tags: group-policy, windows

One of our hosting providers has been setting the "Turn off Automatic Root Certificates Update" underlying registry key as part of their default Windows installation. After the servers join our domain, we'd like to allow the servers to run Automatic Root Certificate Update. However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate setting?

We're running 2012R2 and 2016, if that matters. Domain functional level is 2012, though (for obscure compatibility reasons, sigh).

Best Answer

Q: However, simply creating a GPO and setting "Turn off Automatic Root Certificates Update" to Disabled does not actually flip this back. Is there some GPO way to do this? Or do I have to push a script which actually flips the HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate setting?

A: Group Policy isn't going to modify that Registry key/value directly as that's not how Group Policy works (for the most part). Group Policy doesn't directly modify (tattoo) Registry settings.

What you should be looking for is not the state of that Registry key/value but whether or not the behavior has changed to your desired behavior.

Have a read at the link for more info on Group Policy and the Registry:

https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
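To make the distinction in the answer concrete (the registry value vs. the behaviour you actually care about), here is an added PowerShell example, not part of the original question or answer. It reports the current state of the `DisableRootAutoUpdate` value under the policy key named in the question, and can optionally reset it the way the questioner's fallback script would. It assumes the value is a REG_DWORD where 1 turns automatic root certificate update off and 0 (or an absent value) leaves it on; the function names are my own.

```powershell
# Added example: inspect and optionally reset the "Turn off Automatic Root
# Certificates Update" policy value that the question refers to.
# Assumption: REG_DWORD, 1 = auto update turned off, 0 or missing = on.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # Returns an object describing whether the policy value exists and what it says.
    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{ KeyPresent = $false; ValuePresent = $false; Value = $null; AutoUpdateBlocked = $false }
    }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ KeyPresent = $true; ValuePresent = $false; Value = $null; AutoUpdateBlocked = $false }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{ KeyPresent = $true; ValuePresent = $true; Value = $v; AutoUpdateBlocked = ($v -eq 1) }
}

function Reset-RootAutoUpdate {
    # Sets the value to 0 (auto update allowed). Supports -WhatIf so you can
    # preview the change before touching the registry on a production server.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-RootAutoUpdateState
    if (-not $state.AutoUpdateBlocked) {
        Write-Verbose "Automatic root update is not blocked; nothing to change."
        return $state
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 0')) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord
    }
    Get-RootAutoUpdateState
}

# Usage: report first, then preview the reset, then apply it.
Get-RootAutoUpdateState | Format-List
Reset-RootAutoUpdate -WhatIf
# Reset-RootAutoUpdate -Verbose
# After changing it, re-apply policy and re-check so that a GPO still
# writing the old value is noticed rather than silently undoing the fix:
# gpupdate /target:computer /force; Get-RootAutoUpdateState
```

Run the report step across the affected servers first: if the value is 1 only on hosts from that provider, and stays 1 after a `gpupdate`, you have confirmed the answer's point that the GPO setting is not writing this value, and the script path is what changes it.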