Hello @Chamby112 ,
You are welcome. Thank you so much for your kind reply.
If the root CA is an offline root CA (standalone root CA), we should publish the root certificate into AD using the above command. This will then distribute the certificate to the trusted root store of all domain joined clients. If the root CA is joined to the domain, this will eventually happen automatically, but it can take up to 8 hours (default GPO application time).
No GPO is configured to distribute the root certificate. If we manually deleted the root CA certificate from the local computer store, it would not come back if we updated policies using gpupdate /force or ran certutil -pulse.
There is a registry key that caches downloaded root CA certificate requests using auto enrollment.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache
To manually force a new download, delete the registry key above and all of its subordinate keys. This will cause the client to re-download the CA objects from the DC during the next GPO refresh.
In my test, I deleted the subordinate key and then ran certutil -pulse or gpupdate /force; the deleted root CA certificate came back.
For more information, we could refer to:
Hope the information is helpful. Thank you so much for your support.
Best regards,
Hannah Xiong
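The check described in the answer above, written out as an added PowerShell example (this is not code from the original post or from Microsoft documentation): it removes the root CA certificate from the local machine Root store, clears the AEDirectoryCache key, triggers autoenrollment with certutil -pulse, and then verifies that the certificate has been re-downloaded from AD. The thumbprint parameter is a placeholder for your own root CA certificate, and the 30-second wait is an assumption about how long the autoenrollment task needs; both must be adjusted for your environment. Run it elevated on a domain-joined client in a test environment only, since it deliberately deletes a trusted root.

```powershell
# Added example, not from the original thread. Verifies that a root CA certificate
# deleted from the local machine Root store is re-downloaded from AD once the
# autoenrollment directory cache is cleared and autoenrollment is triggered.
# ASSUMPTION: $Thumbprint is the SHA-1 thumbprint of your root CA certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# The Cert: provider addresses certificates by upper-case thumbprint with no spaces.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$certPath   = "Cert:\LocalMachine\Root\$Thumbprint"
$cacheKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'

function Test-RootCertPresent {
    param([string]$Path)
    return (Test-Path -Path $Path)
}

Write-Host "Root CA certificate present before test: $(Test-RootCertPresent $certPath)"

# 1. Reproduce the accidental deletion described in the thread (requires elevation).
if (Test-RootCertPresent $certPath) {
    Remove-Item -Path $certPath
    Write-Host 'Deleted root CA certificate from LocalMachine\Root.'
}

# 2. Clear the cached directory objects so the client re-reads the CA objects from AD.
if (Test-Path -Path $cacheKey) {
    Get-ChildItem -Path $cacheKey | Remove-Item -Recurse -Force
    Write-Host 'Cleared AEDirectoryCache subkeys.'
} else {
    Write-Host 'AEDirectoryCache key not present; nothing to clear.'
}

# 3. Trigger the autoenrollment task instead of waiting for the next GPO refresh.
#    certutil -pulse returns immediately; the task itself runs asynchronously.
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 30   # ASSUMPTION: enough time for the task to contact a DC

# 4. Confirm the certificate came back.
if (Test-RootCertPresent $certPath) {
    Write-Host 'Root CA certificate was re-downloaded from AD.'
} else {
    Write-Warning ('Root CA certificate did not return. Check that it is published in AD ' +
                   'and that this client can reach a domain controller, then re-run certutil -pulse.')
}
```

If the certificate does not return, compare the Root store with what is actually published in the directory before blaming the cache: on an offline (standalone) root, the certificate only appears on clients after it has been published to AD, which is the step the answer refers to as "the above command".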