Root certificate update not working for Win7 Enterprise
Hello, at some point my computer (Windows 7 Enterprise, joined to domain) lost the OIDs of EV certificates. The problem got fixed with a custom import of certificates into the local Trusted Root Certification Authorities store. After digging into the problem, it turned out that upon meeting an unknown certificate on the Web, Windows does not activate the Root certificate update functionality - no certificate call is made (no events from CAPI2 in the Event Viewer) and as a result Microsoft trusted certificates are not added automatically to the system.

My question is - which Group Policy setting should I tweak so that the Root certificate auto-update works? I have checked the Resultant Set of Policy snap-in and I see no custom setting for Internet communication settings -> Turn off Automatic Root Certificates Update. In GPEdit it is set to Not configured. But the local user has active Computer Configuration -> Windows Settings -> Public Key Policies domain-imposed settings applied. Which of these might be the problem? Is it something in the Certificate Path Validation Settings? I have read http://technet.microsoft.com/en-us/library/cc731638.aspx but it is still not very clear.

In the Certificate path validation I have the following: Stores tab - all recommended are checked, except for Root certificate stores, where "Only Enterprise Root CAs" is selected. Network Retrieval - all options are on.

It is worth noting that once added to the Local Machine store, any trusted root certificate works just fine. http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx was not of much use, too :(
August 4th, 2010 10:25am

Currently we cannot be sure whether the issue is caused by policies. I suggest you open Event Viewer and check the CAPI2 related logs in the Application log. Please confirm whether your system had tried to update the root certificates when the issue occurred. You may refer to the following article when analyzing the logs: Automatic Root Certificates Update Configuration.

If you can find that the system never tried to update the certificates when the issue occurred, I suggest you check the following policy:

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings/Turn off Automatic Root Certificates Update

Please ensure that "Turn off Automatic Root Certificates Update" is disabled or not configured. Also, your system may be affected by group policy settings from the Domain Controller. I suggest you also run the following command and check if this policy is enabled by any GPO:

gpresult /z > %userprofile%\Desktop\gpresult.txt

Then you can open the file gpresult.txt on the Desktop; please check if the policy is enabled by a GPO.

However, if the system had tried to update the root certificates, I suspect that some programs such as security programs block the update from downloading or enrolling. You may disable antivirus and firewall and then check if the issue still occurs. If the issue persists, you may reset IE settings:

1. Click Start, type "inetcpl.cpl" (without quotation marks) in the Start Search bar and press Enter to open the Internet Options window.
2. Switch to the Advanced tab.
3. Click the "Reset Internet Explorer Settings" button.
4. Click Reset to confirm the operation.
5. Click Close when the resetting process has finished.
6. Uncheck the "Enable third-party browser extensions" option in the Settings box.
7. Click Apply, click OK.

If the issue still occurs, please troubleshoot in IE No Add-ons Mode. Click the Start Button, All Programs, Accessories, System Tools, and then click Internet Explorer (No Add-ons).

If the issue does not reoccur, it may be caused by an IE Add-on. In that case, let's continue to perform the following steps to narrow down the cause.

Check Internet Explorer Add-Ons
=========================
1. Click Tools, and then click Internet Options.
2. Click the "Programs" tab, and then click Manage Add-ons.
3. Select an add-on in the Name list, and then click Disable.
4. Restart IE with Add-ons and check the issue again.

If the issue is resolved, the disabled Add-on was the cause of the issue. If the issue reoccurs, continue to disable the next Add-on using the same method. By doing so, we could determine which Add-on contributed to the issue.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 9th, 2010 6:31am

gpresult showed the answer:

GPO: Cert
KeyName: Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
Value: 0, 0, 0, 0
State: Enabled

Thanks for the help :)
August 23rd, 2010 10:07am
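The checks suggested in the answer above (is the policy present, did CAPI2 ever attempt an update, which GPO delivers the key) can be scripted on the affected machine. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the policy value lives under HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot as the last reply shows, that the documented meaning of DisableRootAutoUpdate = 1 is "auto-update off", and that the CAPI2 Operational channel is available on the host (it is present but disabled by default on Windows 7).

```powershell
# Added example: report whether Automatic Root Certificates Update is blocked by
# policy and whether CAPI2 logging is in a state that can show update attempts.
# Run from an elevated PowerShell prompt on the affected Windows 7 machine.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$valueName = 'DisableRootAutoUpdate'   # 1 = auto-update disabled (documented policy value)

# 1. Policy registry value (this is what the GPO in the thread writes)
$item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    "$valueName is not present under $policyKey : policy Not Configured."
} else {
    $v = $item.$valueName
    if ($v -eq 1) {
        "$valueName = 1 : Automatic Root Certificates Update is turned OFF by policy."
    } else {
        "$valueName = $v : value present (delivered by a GPO) but not set to 1; auto-update should be allowed."
    }
}

# 2. Which GPO delivers the value: search verbose gpresult output for the key name
"--- GPOs referencing $valueName (from gpresult /z) ---"
gpresult /z 2>$null | Select-String -Pattern $valueName -Context 2, 2

# 3. CAPI2 Operational log: root update attempts are logged here, but only if the
#    channel is enabled. A missing event is only meaningful once logging is on.
$capi2 = Get-WinEvent -ListLog 'Microsoft-Windows-CAPI2/Operational' -ErrorAction SilentlyContinue
if ($null -eq $capi2) {
    "CAPI2 Operational log not found on this host."
} elseif (-not $capi2.IsEnabled) {
    "CAPI2 Operational log is DISABLED; no update attempts can have been recorded."
    "Enable it, reproduce the problem, then re-run:  wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true"
} else {
    "--- Most recent CAPI2 Operational events ---"
    Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}
```

Read the three sections together: if the registry value is absent and the log is enabled but shows no retrieval events after visiting a site with an unknown root, the cause is more likely something blocking the download (proxy, antivirus, firewall) than policy; if the value is present, the gpresult context lines name the GPO to fix.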
