Hello there,
I am a colleague of Peter and also working on this topic.
To be a little bit more specific:
we did the following part, "Configure a file or web server to download the CTL files", from the article below (we use the web server variant).
Link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN
The files are being downloaded successfully from the web to the local server. That works like a charm.
Now we want the isolated (or disconnected) servers to receive their CTLs from the web server mentioned above.
We changed the local policy of a test server (which is disconnected from the internet but connected to the web server mentioned above) like Peter already mentioned:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate -> 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate -> 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl -> http://webserver/certstore
If we use IE from the isolated server and browse to http://webserver/certstore, we can see the certificates.
But the server does not receive the certificates, neither with the registry keys above nor with certutil -syncWithWU http://webserver/certstore.
With certutil -syncWithWU http://webserver/certstore we receive the following error:
The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT) -- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
CertUtil: -syncWithWU command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
CertUtil: The operation timed out
That's where we stand right now.
Help or hints are welcome.
Thanks in advance,
Christian
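A small PowerShell check for this kind of setup, added here as an example and not code from the post or from the Microsoft article: it reads back the three registry values named above and then asks the internal web server directly for the CTL cabinet files the auto-update client fetches relative to RootDirUrl. The server URL is the hypothetical one from the post, authrootstl.cab is the file name visible in the certutil output, and disallowedcertstl.cab is the disallowed-certificate CTL that EnableDisallowedCertAutoUpdate turns on.

```powershell
# Added example (not from the original post): verify the AuthRoot auto-update
# configuration on a disconnected server and check that the internal web server
# actually serves the CTL cabinet files. Run in an elevated PowerShell on the
# isolated server. $RootDirUrl is the hypothetical URL used in the post.

$RootDirUrl = 'http://webserver/certstore'

# Expected values, taken from the registry keys listed in the post.
$expected = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' = @{
        DisableRootAutoUpdate          = 0
        EnableDisallowedCertAutoUpdate = 1
    }
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' = @{
        RootDirUrl = $RootDirUrl
    }
}

foreach ($path in $expected.Keys) {
    foreach ($name in $expected[$path].Keys) {
        # Missing key or value returns $null instead of throwing.
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($null -eq $actual) { 'MISSING' }
                 elseif ("$actual" -eq "$($expected[$path][$name])") { 'OK' }
                 else { 'MISMATCH' }
        '{0,-8} {1}\{2} = {3}' -f $state, $path, $name, $actual
    }
}

# CTL files the client requests under RootDirUrl. authrootstl.cab is the file
# named in the post's certutil error; disallowedcertstl.cab is the disallowed
# certificate CTL that EnableDisallowedCertAutoUpdate enables.
$files = 'authrootstl.cab', 'disallowedcertstl.cab'
foreach ($f in $files) {
    $url = "$RootDirUrl/$f"
    try {
        # HEAD request: confirms the server answers for the exact path the
        # client will use, without downloading the cabinet.
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        '{0,-8} {1} (HTTP {2}, {3} bytes)' -f 'HTTP', $url, $r.StatusCode, $r.Headers['Content-Length']
    } catch {
        '{0,-8} {1}: {2}' -f 'FAIL', $url, $_.Exception.Message
    }
}

# Optional: the CAPI2 operational log records the crypto subsystem's own
# retrieval attempts. It is disabled by default; enable it, reproduce the
# problem, then read the most recent entries.
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
#   Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20 |
#       Format-List TimeCreated, Id, Message
```

Checking the server over HTTP from the client separates two failure modes that look identical from the "certificates never arrive" symptom: the web server not answering for the exact file path the client requests, and the client not using the internal URL at all. The certutil output in the post shows the second case, a request to ctldl.windowsupdate.com timing out, so a successful HEAD against the internal server plus OK on all three registry values points at the client-side redirection rather than at the web server.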