Windows arbitrarily trusts many Certification Authorities (CAs) by default. But we don't want Microsoft deciding for us which CAs' security standards and procedures are trustworthy. Is there a way to take control of which CAs Windows trusts? I know I can configure computers individually through the Microsoft Management Console (MMC) Certificates snap-in, but what if I need to change hundreds of workstations?
If your computers are running Windows 2000 or later and belong to an Active Directory (AD) domain, you can use Group Policy to mandate which CAs Windows can trust. First, open an appropriate Group Policy Object (GPO) that applies to your desired set of computers and users, then navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click the Trusted Root Certification Authorities subfolder and select Properties. Under Client computers can trust the following certificate stores, note that by default the radio button next to Third-Party Root Certification Authorities and Enterprise Root Certification Authorities is selected. Change the selection by clicking the radio button next to Enterprise Root Certification Authorities.
When next applied, Group Policy will exclude third-party root certification authorities from its trusted CAs. Although you might still see these CAs in the Trusted Root Certification Authorities store on local computers, you can prove that the computer doesn't trust a third-party CA by browsing to a site that has a certificate issued by that CA. You should receive a message to the effect that either Windows can't verify the certificate as being from a trusted CA or it can't check the certificate's revocation status. (It's a good idea to remove certificates that are unfamiliar or that you don't trust.)