How to restore automatic update of root certificates in Windows 7 and Internet Explorer 9


  • How do we restore automatic update of root certificates in Windows 7 and Internet Explorer 9, when we constantly get certificate error messages for even trusted sites?

    Friday, February 08, 2013 3:47 AM


  • Hi,

    To narrow down the issue, I suggest you open Event Viewer and check the related logs. Please confirm whether your system had tried to update the root certificates when the issue occurred. You may refer to the following article when analyzing the logs.

    Automatic Root Certificates Update Configuration

    If you can find that the system never tried to update the certificates when the issue occurred, I suggest you check the following policy.

    Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings/Turn off Automatic Root Certificates Update.

    Please ensure that “Turn off Automatic Root Certificates Update” is disabled or not configured.

    Also, your system may be affected by Group Policy settings from the Domain Controller. I suggest you also run the following command and check if this policy is enabled by any GPO.

    gpresult /z > %userprofile%\Desktop\gpresult.txt

    Then you can open the file gpresult.txt on the Desktop and check if the policy is enabled by a GPO.

    However, if the system had tried to update the root certificates, I suspect that some programs, such as security programs, block the update from downloading or enrolling. You may disable antivirus and firewall and then check if the issue still occurs. If the issue persists, you may reset IE settings.

    1. Click Start, please type “inetcpl.cpl” (without quotation marks) in the Start Search bar and press Enter to open the Internet options window.

    2. Switch to the Advanced tab.

    3. Click the "Reset Internet Explorer Settings" button.

    4. Click Reset to confirm the operation.

    5. Click Close when the resetting process has finished.

    6. Uncheck the "Enable third-party browser extensions" option in the Settings box.

    7. Click Apply, click OK.

    If the issue still occurs, please troubleshoot in IE No Add-ons Mode. Click the Start Button, All Programs, Accessories, System Tools, and then click Internet Explorer (No Add-ons). If the issue does not reoccur, it may be caused by an IE Add-on. In that case, let’s continue to perform the following steps to narrow down the cause.

    Check Internet Explorer Add-Ons
    1. Click Tools, and then click Internet Options. 

    2. Click the "Programs" tab, and then click Manage Add-ons. 

    3. Select an add-on in the Name list, and then click Disable. 

    4. Restart IE with Add-ons and check the issue again.

    If the issue is resolved, the disabled Add-on was the cause of the issue. If the issue reoccurs, continue to disable the next Add-on using the same method.

    Hope this helps.

    Vincent Wang
    TechNet Community Support

    Tuesday, February 12, 2013 5:42 AM
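
The policy check described in the reply above, as a PowerShell script. This is an added example and not part of the original thread. It assumes the "Turn off Automatic Root Certificates Update" policy is stored as the DWORD value DisableRootAutoUpdate under the AuthRoot policy key, and that gpresult /z lists the setting by that value name; the function name is hypothetical.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0 (Windows 7).
# Assumption: the policy maps to this registry value; 1 = automatic update off.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policyName = 'DisableRootAutoUpdate'
# Same output file as the gpresult command in the reply above.
$report     = Join-Path $env:USERPROFILE 'Desktop\gpresult.txt'

# Hypothetical helper: returns 'Enabled', 'Disabled' or 'NotConfigured'.
function Get-RootUpdatePolicyState {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$state = Get-RootUpdatePolicyState -Key $policyKey -Name $policyName
switch ($state) {
    'Enabled'       { Write-Output 'Policy ENABLED: automatic root certificate update is turned off.' }
    'Disabled'      { Write-Output 'Policy disabled: automatic root certificate update is allowed.' }
    'NotConfigured' { Write-Output 'Policy not configured: automatic root certificate update is allowed.' }
}

# If a gpresult report exists, show the lines around the setting so the
# GPO that applies it can be read from the surrounding context.
if (Test-Path $report) {
    $hits = @(Select-String -Path $report -Pattern $policyName -SimpleMatch -Context 3,3)
    if ($hits.Count -eq 0) {
        Write-Output "No GPO entry for $policyName found in $report."
    } else {
        foreach ($hit in $hits) {
            Write-Output ("--- {0}, line {1} ---" -f $report, $hit.LineNumber)
            $hit.Context.PreContext
            $hit.Line
            $hit.Context.PostContext
        }
    }
} else {
    Write-Output "Report not found: $report (run the gpresult command first)."
}
```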