The "Turn off Automatic Root Certificates Update" policy does not appear in the Rsop.msc tool on a computer that is running Windows XP Professional SP2 or Windows Server 2003 SP1 (909561)


The information in this article applies to:

  • Microsoft Windows XP Professional SP2
  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Enterprise Edition
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Content Maintenance:46981Windows SE:163169

SYMPTOMS

You enable the Turn off Automatic Root Certificates Update policy in the Group Policy Object Editor tool on a computer that is running one of the following operating systems:
  • Microsoft Windows XP Professional Service Pack 2 (SP2)
  • Microsoft Windows Server 2003 family with Service Pack 1(SP1)
However, the Turn off Automatic Root Certificates Update policy does not appear in the Resultant Set of Policy tool (Rsop.msc) as expected.

WORKAROUND

To work around this behavior, use one of the following tools to view the Turn off Automatic Root Certificates Update policy.

Note You must have administrator permissions when you use these methods.

Method 1: Use the Operating System Group Policy Result tool (Gpresult.exe)

To do this, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. At the command prompt, type the following command: 
    Gpresult /z
    Additionally, you may append the following command at the end of the Gpresult /z command to export the result to a text file:
    > file_name
    Note file_name is a placeholder for the file name.
  3. At the command prompt or in the exported file, locate one of the following messages:
    • For Windows Server 2003 with SP1:
      GPO: Local Group Policy
                KeyName:     Software\policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
                Value:       1, 0, 0, 0
                State:       Enabled
    • For Windows XP Professional SP2:
      GPO: Local Group Policy 
                Setting:  Software\Policies\Microsoft\SystemCertificates\AuthRoot 
                State:    Enabled

Method 2: Use the Group Policy Management Console tool (Gpmc.msc)

To do this, follow these steps:
  1. Click Start, click Run, type Gpmc.msc in the Open box, and then click OK.
  2. In the Group Policy Management right-click Group Policy Result, and then click Group Policy Result Wizard. Follow the steps in the wizard to obtain a new file for the group policies that apply to the appointed user account.
  3. Click the new file that you created in step 2, click the Setting tab, expand Administrative Templates, expand System/Internet Communication Management/Internet Communication settings, and then view the following table:
    PolicySettingWinning GPO
    Turn off Automatic Root Certificates Update EnabledLocal Group Policy

STATUS

This behavior is by design.

MORE INFORMATION

To install the Gpmc.msc tool, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887

Modification Type:MajorLast Reviewed:2/7/2006
Keywords:kbprb kbWinXPsp2fix kbpending kbbug kbmsccsearch kbpubtypekc KB909561 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.