Where to get root CA certificates for Windows Server now that Microsoft no longer updates them?

Microsoft removed root CA updates from WSUS in January 2013. I now have some fresh installs of Windows Server 2012 that have an insufficient set of root CAs (basically just Microsoft's own CAs). This means that whenever our application calls an https web service it will fail unless I specifically install the root CA.

Since our application uses SSL termination at a load balancer I don't need to worry about the 16KB SChannel limitation that prompted Microsoft to remove these updates. I'd like to find a resource to install and update standard root CAs. Does anyone know of such a resource?

Here is an image of the default root CAs in WS2012. [image: default WS2012 root CAs]


It seems that this is due to the oddball GPO that my company uses.

As outlined here, the GPO setting Computer Configuration\Administrative Templates\System\Internet Communication Management\Turn off Automatic Root Certificates Update was Enabled, meaning that the OS wouldn't pull root CAs from Microsoft. Setting this to Disabled fixed the issue.


We found that the root CAs were out of date on some of our Windows 2012 R2 servers.

Having investigated this, it appears Microsoft released a patch to provide the ability for "Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet" (KB article).

This patch introduces new registry keys for stopping Windows Update from updating the root CAs along with other functionality.

Setting the following registry key to 0 fixes the problem. The certificates begin installing immediately after the change.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate

Whilst I can see that admins may want to stop their machines from updating without their consent, I think not allowing root CAs to update is an edge case which is likely to cause more problems than it fixes, and I do not yet know why the registry key has been set on our servers.

There is discussion of these registry keys and other things you can do on Windows 2012 R2 servers here.
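Both answers point at the same switch: the "Turn off Automatic Root Certificates Update" GPO writes the DisableRootAutoUpdate value quoted in the second answer. The script below is an added example, not code from either answer; it audits that value on the local server, optionally clears it, and reports the size of the machine Trusted Root store so you can confirm it grows afterwards. It assumes an elevated PowerShell session and uses only the registry path and value name given above.

```powershell
# Added example: audit (and optionally clear) the root CA auto-update policy
# value. Assumes an elevated session on the affected server.
param(
    [switch]$Apply   # without -Apply the change is only previewed (-WhatIf)
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$valueName  = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # Returns the policy value as an int, or $null when no policy value exists.
    # No value means the OS default: automatic root updates are ON.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Enable-RootAutoUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Creates the policy key if needed and sets DisableRootAutoUpdate to 0,
    # which is the fix described in the second answer.
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$policyPath\$valueName", 'Set to 0 (auto-update on)')) {
        Set-ItemProperty -Path $policyPath -Name $valueName -Value 0 -Type DWord
    }
}

# Baseline: how many roots the machine store holds right now.
$rootCount = (Get-ChildItem -Path Cert:\LocalMachine\Root).Count
Write-Host "Trusted Root store currently holds $rootCount certificates."

$state = Get-RootAutoUpdateState
if ($null -eq $state) {
    Write-Host 'No DisableRootAutoUpdate policy value present: auto-update is ON (default).'
} elseif ($state -eq 0) {
    Write-Host 'DisableRootAutoUpdate = 0: auto-update is ON.'
} else {
    Write-Warning "DisableRootAutoUpdate = $state: root CA auto-update is OFF (set by the GPO or directly in the registry)."
    if ($Apply) { Enable-RootAutoUpdate } else { Enable-RootAutoUpdate -WhatIf }
}
```

If the value was set by Group Policy rather than by hand, the next policy refresh will write it back; the lasting fix is to change the GPO setting itself, as the first answer did. Re-run the script after the change, or after the next HTTPS call that needs a new root, and the store count should increase.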