Disabling Windows 7 Automatic Root CA Update

Windows ships with a small list of trusted root CAs installed, but it automatically imports additional CAs as needed from the Microsoft Windows Update service. Having run Windows 7 Home Premium SP1 64-bit for a while, I figure I have already imported all of the CAs I really need, so I can mitigate the risk of forged certificates (e.g. Iraq/Gmail, DigiNotar) by ensuring I don’t import any additional CAs. Sure, the CAs I already trust could be compromised, but this significantly reduces the attack surface.

For Windows 7 Professional and Ultimate, Microsoft provides instructions for disabling Automatic Root Certificates Update using the Group Policy Editor; however, the Group Policy Editor cannot be installed on Windows 7 Starter and Home editions. If you have Windows 7 Starter or Home, or don’t want to deal with the Group Policy Editor, a simple registry update will turn Automatic Root Certificates Update off or on.

Note: You must be an Administrator to make any of these changes, and if a Group Policy is set for Automatic Root Certificates Update, it will override your registry changes.

I’ve created three .reg files you can download and open to update the correct registry keys automatically:

  • Disable.reg (view) – this disables Automatic Root Certificates Update.
  • Enable.reg (view) – this re-enables Automatic Root Certificates Update.
  • Remove.reg (view) – this removes the registry entry effectively enabling Automatic Root Certificates Update.

Note: You will most likely receive security warnings downloading and opening these files. If you want to be safe, open the files in a text editor and double check the contents.

If you would rather directly edit your registry, do the following:

  1. Start regedit by clicking the Start menu, entering “regedit” in the search field, and pressing Enter.
  2. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
  3. Right-click on AuthRoot and select New -> DWORD (32-bit) Value
  4. Enter name: DisableRootAutoUpdate
  5. Double-click on DisableRootAutoUpdate
  6. Set the Value data to 1, click OK, and close regedit.

Deleting DisableRootAutoUpdate or setting it to 0 re-enables downloading new CAs from Microsoft.
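The same three operations (disable, enable, remove) as an elevated PowerShell script, added here as an example rather than taken from the post or its .reg files. It assumes Windows 7 or later with PowerShell, and uses the registry key and value name given above; the function names are my own.

```powershell
# Added example (not from the original post): manage DisableRootAutoUpdate from
# an elevated PowerShell prompt instead of regedit or a downloaded .reg file.
$AuthRootKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName   = 'DisableRootAutoUpdate'

function Test-IsAdministrator {
    # Writing under HKLM\SOFTWARE\Policies requires an elevated (Administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RootAutoUpdateState {
    # Reports the effective setting as the post describes it:
    # value absent or 0 = automatic root update ON, value 1 = OFF.
    $item = Get-ItemProperty -Path $AuthRootKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (DisableRootAutoUpdate not present)' }
    if ($item.$ValueName -eq 1) { return 'Disabled (DisableRootAutoUpdate = 1)' }
    return "Enabled (DisableRootAutoUpdate = $($item.$ValueName))"
}

function Set-RootAutoUpdate {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Enable', 'Remove')]
        [string]$Action
    )
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell prompt.' }
    # The AuthRoot policy key does not exist until a policy or a .reg file creates it.
    if (-not (Test-Path $AuthRootKey)) { New-Item -Path $AuthRootKey -Force | Out-Null }
    switch ($Action) {
        'Disable' { New-ItemProperty -Path $AuthRootKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null }
        'Enable'  { New-ItemProperty -Path $AuthRootKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null }
        'Remove'  { Remove-ItemProperty -Path $AuthRootKey -Name $ValueName -ErrorAction SilentlyContinue }
    }
    return Get-RootAutoUpdateState
}

# Usage (elevated prompt):
#   Get-RootAutoUpdateState
#   Set-RootAutoUpdate -Action Disable
```

Because this is the same key the Group Policy setting writes, a domain or local policy will reapply its own value on the next policy refresh, so check Get-RootAutoUpdateState again afterwards if a policy is in place.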

One thought on “Disabling Windows 7 Automatic Root CA Update”

  1. Ed

    This requires careful thinking about what you are trying to do. The default value is “disabled”. If you are looking this up, you probably want to change the default behavior and make it “enabled”. This is one of Microsoft’s famous double negatives: “Do you wish to enable disabling?”

    The tool tip says: “Specifies whether to automatically update root certificates using the Windows Update Web site.

    Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.

    If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities.

    If you disable or do not configure this setting, your computer will contact the Windows Update Web site.”

