These certificates are trusted by the operating system and can be used by applications as a reference for which public key infrastructure (PKI) hierarchies and digital certificates that are trustworthy.When you want to distribute trusted root certificates, the list of trusted root certificates is stored in a CTL.This section describes how you can produce, review, and filter the trusted CTLs that you want computers in your organization to use.

wsus not updating computer list-56wsus not updating computer list-70

Computers that can connect to the Windows Update site are able to receive updated CTLs on a daily basis (if they are running Windows Server 2012, Windows 8, or the previously mentioned software updates are installed on supported operating systems).

For more information, see document 2677070 in the Microsoft Knowledge Base.

The settings described in this document configure the following registry keys on the client computers.

These settings are not automatically removed if the GPO is unlinked or removed from the domain.

For additional details about creating a scheduled task, see Schedule a Task.

If you plan to write a script to make daily updates, see the New Certutil Options and Potential errors with Certutil -Sync With WU sections of this document.

For more information about the list of members in Windows Root Certificate Program, see Windows Root Certificate Program - Members List (All CAs).

Trusted root certificates are meant to be placed in the Trusted Root Certification Authorities certificate of the Windows operating systems.

By using Windows Server 2012 R2 and Windows 8.1 (or by installing the previously mentioned software updates on supported operating systems), an administrator can: To facilitate the distribution of trusted or untrusted certificates for a disconnected environment, you must first configure a file or web server to download the CTL files from the automatic update mechanism.