Since Windows 8.1, Microsoft changed the way Trusted Root Certificates List (TRCL) get’s updated.
Now, it uses the Windows Update services to do this, and this can be an issue for some enterprises with machines that don’t have Internet access or if you disabled Windows Update in your environment.
Also, if you want to look at this in a different way, it allows you as a SysAdmin to completely control which certificates are allowed or not in your environment.
So, here’s a quick procedure on how you can update that the TRCL without Windows Update enabled:
- Downloading Updated TRCL
- On a machine with Internet access run the following command:
certutil –generateSSTFromWU roots.sst - Then grab that file and create a package with your endpoint management software (ex.: SCCM)
- Installing the Updated TRCL
- Now that you have generated your SST file, you just need to import the certificates to your machines.
- For this one, the easiest way is to create a powershell script with the following line:
$sst_file = (Get-ChildItem –Path C:\roots.sst)
$sst_file | Import-Certificate –CertStoreLocation Cert:\LocalMachine\Root
And that’s it!