How to automatically compare current windows root certificate store against latest root certificates?

By default, root certificates are automatically updated through Windows Update.

You may have this feature disabled in your environment through GPO? You can check if the key below has been set, but it does not exist by default:

Get-ItemProperty HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot -Name DisableRootAutoUpdate

It also requires certain updates for 2008/2012 like KB3004394, so make sure you're up to date in general.
I don't recommend managing root certs manually, but you can easily view the existing certs using the Certificate provider like:

Get-ChildItem -Path Cert:\LocalMachine\CA\

And maybe you want to compare your local certificates to a remote machine:

# Get the list of local root/CA certificates
$localCerts = (Get-ChildItem -Path Cert:\LocalMachine\CA\)+(Get-ChildItem -Path Cert:\LocalMachine\Root\)

# Compare to the same certificates on a remote server
$result = Invoke-Command -ComputerName 'Server01' -ScriptBlock {
  $remoteCerts = (Get-ChildItem -Path Cert:\LocalMachine\CA\)+(Get-ChildItem -Path Cert:\LocalMachine\Root\)
  Compare-Object $using:localCerts $remoteCerts -Property thumbprint -PassThru
}

# Display certificates that don't match
$result | select SideIndicator,Thumbprint,FriendlyName,Subject

Here's an example comparing Windows 10 and Server 2016. You can see one of the differences is my local machine has a TPM module it trusts:

SideIndicator Thumbprint                               Subject                                                                                          
------------- ----------                               -------                                                                                          
=>            DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 CN=GeoTrust Global CA, O=GeoTrust Inc., C=US                                                     
<=            D4FFDB19BA590FFFAA34DB5F4B568706A2978436 CN=Microsoft TPM Root Certificate Authority 2014, O=Microsoft Corporation, L=Redmond, S=Washin...
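A baseline-file variant of the comparison above, as an added example that is not part of the original answer: instead of diffing against a remote server, it snapshots the local Root and CA stores to a CSV from a known-good machine and diffs a later snapshot against that baseline, so a root that has been added to the trust store since the baseline stands out. The function names and the baseline path are assumptions.

```powershell
# Added example (not from the original answer): snapshot the machine's Root and CA
# stores to a baseline file, then diff a later snapshot against it. A certificate that
# appears only on the current machine ("=>") deserves a look, because a newly trusted
# root lets whoever holds its private key issue certificates this machine will accept.
# Assumed names: Get-TrustStoreSnapshot, Compare-TrustStoreBaseline, C:\Baseline\truststore.csv.

function Get-TrustStoreSnapshot {
    # Emit one object per certificate in the local machine Root and CA stores.
    foreach ($store in 'Root', 'CA') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-TrustStoreBaseline {
    param(
        [Parameter(Mandatory)] [string] $BaselinePath   # CSV written by Get-TrustStoreSnapshot
    )
    $baseline = Import-Csv -Path $BaselinePath
    $current  = Get-TrustStoreSnapshot
    # Key on Store + Thumbprint so the same certificate in Root and in CA is not treated as equal.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint -PassThru |
        ForEach-Object {
            [pscustomobject]@{
                Change     = if ($_.SideIndicator -eq '=>') { 'Added since baseline' } else { 'Missing vs baseline' }
                Store      = $_.Store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
            }
        }
}

# Usage: record the baseline on a known-good machine, then re-check later or on other hosts.
# Get-TrustStoreSnapshot | Export-Csv -Path 'C:\Baseline\truststore.csv' -NoTypeInformation
# Compare-TrustStoreBaseline -BaselinePath 'C:\Baseline\truststore.csv' | Format-Table -AutoSize
```

No output means the current stores match the baseline exactly; a 'Missing vs baseline' row can simply be an expired root that Windows removed, so check NotAfter in the baseline before treating it as a problem.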