How to Configure DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection in Windows

The "DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection" setting is relevant in environments where strict TLS certificate pinning is enforced for security reasons. Certificate pinning is a technique used to prevent man-in-the-middle attacks by associating a host with its expected certificate or public key. However, in some enterprise environments, this strict enforcement can interfere with the detection of updates, particularly when using Windows Update services.

In Windows, there are scenarios where administrators might need to disable TLS certificate pinning for update detection to ensure that updates are successfully downloaded and applied. This is particularly important in environments with custom or internal Certificate Authorities (CAs) that might not be recognised by the default Windows Update service.

To adjust this setting in a Windows environment, you can use Group Policy or the Windows Registry Editor. Below, we provide practical examples of how to configure this setting using both methods.

Examples:

Method 1: Using Group Policy

  1. Open the Group Policy Management Console (GPMC). You can do this by pressing Win + R, typing gpmc.msc, and pressing Enter.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  3. Look for the policy setting named "Do not enforce enterprise TLS certificate pinning for update detection".
  4. Double-click on the setting, select "Enabled", and then click "OK".

Method 2: Using the Windows Registry Editor

  1. Open the Registry Editor. You can do this by pressing Win + R, typing regedit, and pressing Enter.
  2. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  3. If the WindowsUpdate key does not exist, you will need to create it. Right-click on Microsoft, select New > Key, and name it WindowsUpdate.
  4. Within the WindowsUpdate key, create a new DWORD (32-bit) value named DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection.
  5. Set the value of DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection to 1 to disable certificate pinning for update detection.

Example Registry Script:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection"=dword:00000001

Save the above script as a .reg file and double-click it to apply the setting.
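
The same registry change as an idempotent PowerShell function that also reports the previous state, so the setting can be audited across hosts before it is changed. This is an added example, not part of the original article: the function name Set-WuPinningOverride and its parameters are hypothetical, and treating 0 as "policy off" is an assumption (the article only documents the value 1). The key path and value name are the ones given above.

```powershell
# Added example: Set-WuPinningOverride is a hypothetical helper name.
function Set-WuPinningOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 = value used in the article; 0 = assumed to mean "policy off"
        [ValidateRange(0, 1)]
        [int]$Value = 1,
        # Report the current state only; change nothing
        [switch]$AuditOnly
    )

    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $name = 'DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection'

    # Read the current value; $null means the key or the value is absent
    $current = $null
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.$name }
    }

    $changed = $false
    if (-not $AuditOnly -and $current -ne $Value) {
        # ShouldProcess makes -WhatIf and -Confirm work for this function
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value")) {
            # Create the WindowsUpdate key if it does not exist
            if (-not (Test-Path -Path $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # -Force overwrites an existing value, including one of the wrong type
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Value -Force | Out-Null
            $changed = $true
        }
    }

    # Emit one record per host so the result can be logged or collected
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        PreviousValue = $current
        DesiredValue  = $Value
        Changed       = $changed
    }
}

# Audit first; writing to HKLM requires an elevated session
Set-WuPinningOverride -AuditOnly
```

Run `Set-WuPinningOverride -WhatIf` to preview the change, and `Set-WuPinningOverride` from an elevated prompt to apply it.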