How to enable the "automatic root certificates update" on Windows Server 2016

Exchange-Admin 21 Reputation points


I want enable the automatic root certificates update on Windows Server 2016 to address an error message given by

I have only found descriptions for older Windows versions like the following advice by Microsoft for Windows Server 2008. Not surprisingly, there is no "Turn off Automatic Root Certificates Update" entry in the 2016 edition.

  1. Click Start, and then click Run.
  2. Type gpedit.msc, and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
  6. Close the Local Group Policy Editor.


I have also tried to directly modify the registry value for the respective entry as suggested on several websites. However, also this entry does not exist in Windows Server 2016. I guess it doesn't make sense to create a new entry. It might be even counterproductive and cause further errors.

WORD DisableRootAutoUpdate = ...

I would be thankful for any hint to solve the problem!

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,777 questions
0 comments No comments
{count} votes

Accepted answer
  1. Fan Fan 15,321 Reputation points Microsoft Vendor


    I checked the "automatic root certificates update" from the Local Group Policy on the 2016 server and the 2019 server, both have the entry.

    I would recommend you download the administrative admx files and update the one on your server.

    Rename the folder "PolicyDefinitions : in C:\Windows to PolicyDefinitions old ,and create a new folder named PolicyDefinitions then put the files you download into it.
    Then check the entries again.

    Best Regards,

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Exchange-Admin 21 Reputation points

    Thanks a lot, now it works!

    0 comments No comments