The registry value you are looking for is Domain policies override local settings.That's how they're supposed to work (they'd be rather useless otherwise).
I might as well have used any of these examples, that you might not have known that you actually already trust: China Internet Network Information Center EV Certificates Root Cisco Root CA 2048 Japan Local Government PKI Application CA Root CA (this is from South Korea) Swedish Government Root Authority v1 Staat der Nederlanden Root CA U. When a check is performed to see if a certificate is valid and it encounters a cert that is not in the local trusted CA list it connects to Windows Update to check if it is listed there. If Windows Update is not reachable, a copy of the trusted Root CA certificates are stored in in the file crypt32.dll, but that list is not updated as often/quick as Windows Update.
It does however enable you to restore the list of trusted CAs if you deleted them all by mistake and you at that point can’t reach Windows Update.
This was causing a delay of a full minute when the initial request was made It ran in Win PE where hand clicking through the local group policy editor was not an option.
There also is no way I am aware of to register a root authority in this environment and it is running in an incredibly restricted environment so it can not access windows update (not that it would find our corporate CA there anyway).
Install Root is written and produced by DISA, if you have any problems with this file, please contact them.
If you would rather install the certificates manually, follow these instructions.
If I start Internet Explorer on that computer and go to the SSL-enabled website https://www2I end up at a job site run by the Hong Kong government: Everything look OK and I see no warnings or errors regarding certificates or trust.
Lets look at the certificate for that page: I apparently trust this end certificate.
If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain. Group Policy Management is best done via the respective management console, and it's quite simple to create and link a GPO for turning off root cert updates.