Public Key Policies settings issue

    Question

  • I have a GPO I am trying to clean up configurations on; it has the following set (below). When I go into the GPEditor to edit it (both Win 7 templates and Windows 2012 R2 templates) these areas are blank/empty. My MMC on Windows 7 shows these settings but my Windows 2012 R2 does not... And I cannot set them.

    I went into the public key policies path and looked at the 3 certificate settings and none of them are configured in Windows 2012 R2 (and Windows 7 MMC)... Do I need to reconfigure the "certificate path validation settings"? 


    Thursday, November 17, 2016 3:44 PM

Answers

  • Hi,

    This is a GPO that was used by the GPMC tools on a Windows 2003/XP machine. After discussing with my colleague, I think the ability to enable these settings was "Deprecated" in Windows 2012 R2, so the console can't see that these settings are even there. Since this setting is deprecated, I don't think it is applied on the Windows 7 machine. If you want to remove it, you might need to find a Windows 2003 machine. An XP machine with the GPMC installed might work as well.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 25, 2016 7:12 AM
    Moderator

All replies

  • Using a test GPO I set the certificate path validation settings again; this created the trusted root certification authorities settings again and it created new settings as well. The picture below is from my Windows 7 MMC.

    From my Windows 2012 R2 DC I see the following though:

    Thursday, November 17, 2016 4:21 PM
  • When I remove the settings I see the following from my Win 7 MMC:

    From my Windows 2012 R2 DC I see this though:

    Thursday, November 17, 2016 4:24 PM
  • I applied the hotfix listed below and it fixed the display issue (now matches what the Windows 2012 R2 displays). The question still is, do I need to reconfigure the "certificate path validation settings"? I set them a few months ago but we still had old OS/DC in our environment; now those are gone... Are these new settings?

    https://support.microsoft.com/en-us/kb/2842986

    Thursday, November 17, 2016 6:28 PM
  • Hi,

    In my opinion, you should not reconfigure these settings since you have already set them before and it should be applied properly to the computers.

    Best Regards,

    Alvin Wang



    Friday, November 18, 2016 7:57 AM
    Moderator
  • The hotfix (KB2842986) fixed the Windows 7 viewing issue; these settings are no longer set. I did set them when I had a 2003 R2 domain controller in the environment but that machine has been decommissioned. I am under the thought that these settings are not set because Windows 2012 R2 has a different way of applying them in the policy templates than how 2008 R2 and below did... Similar to how the IE Maintenance section went away. Would this be correct?

    Instead of making those changes in the trusted area like before it makes it in the stores area; is this the newer preferred method?

    https://technet.microsoft.com/en-us/library/cc731638(v=ws.11).aspx

    Friday, November 18, 2016 2:04 PM
  • Hi

    I am trying to involve someone familiar with this topic to further look at this question. There might be some time delay. Appreciate your patience.

    Best Regards,

    Alvin Wang



    Monday, November 21, 2016 8:42 AM
    Moderator
  • After some review, the settings stated were set when I had 2003/2008 R2 domain controllers in the environment. When I went to solely 2012 R2 domain controllers the settings disappeared/went to not configured. I am assuming this is like the IEM changes Microsoft did a few years back; I just want to clarify if this is the case.
    Wednesday, November 23, 2016 7:55 PM
  • Hi,

    This is a GPO that was used by the GPMC tools on a Windows 2003/XP machine. After discussing with my colleague, I think the ability to enable these settings was "Deprecated" in Windows 2012 R2, so the console can't see that these settings are even there. Since this setting is deprecated, I don't think it is applied on the Windows 7 machine. If you want to remove it, you might need to find a Windows 2003 machine. An XP machine with the GPMC installed might work as well.

    Best Regards,

    Alvin Wang



    Friday, November 25, 2016 7:12 AM
    Moderator
  • Thanks, can you provide me with Microsoft documentation that states it's deprecated?
    Friday, November 25, 2016 2:03 PM
  • Hi,

    I have not found such an official article which records this. I made this conclusion based on the discussion with some senior guys.

    Best Regards,

    Alvin Wang



    Monday, November 28, 2016 4:09 PM
    Moderator