
How to Configure DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection in Windows

In a Windows environment, ensuring secure communication between systems and update servers is crucial. One method to enhance security is through TLS certificate pinning, which helps prevent man-in-the-middle attacks by ensuring that the server's certificate matches a known good copy. However, there are scenarios where strict enforcement of TLS certificate pinning can cause issues, particularly in enterprise environments with complex update infrastructures.

The DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection setting allows administrators to disable the enforcement of TLS certificate pinning for update detection. This can be particularly useful in situations where updates are managed through a proxy or other intermediary that may alter the certificate chain.

In this article, we will explore how to configure this setting using Group Policy and the Windows Registry, providing practical examples to help you implement this adjustment in your environment.

Examples:

Configuring via Group Policy

  1. Open the Group Policy Management Console:

    • Press Win + R, type gpmc.msc, and press Enter.
  2. Navigate to the appropriate Group Policy Object (GPO):

    • Locate the GPO you want to edit or create a new one.
  3. Edit the GPO:

    • Right-click on the GPO and select Edit.
  4. Navigate to the policy setting:

    • Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
  5. Configure the setting:

    • Find the policy named Do not enforce Enterprise TLS certificate pinning for update detection.
    • Double-click on it and set it to Enabled.
  6. Apply and close:

    • Click Apply and then OK.
    • Close the Group Policy Management Editor.

Configuring via Windows Registry

  1. Open the Registry Editor:

    • Press Win + R, type regedit, and press Enter.
  2. Navigate to the relevant key:

    • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
  3. Create or modify the DWORD value:

    • If the WindowsUpdate key does not exist, create it by right-clicking on its parent key Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows), selecting New -> Key, and naming it WindowsUpdate.
    • Within the WindowsUpdate key, create a new DWORD value named DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection.
    • Set its value to 1 to disable enforcement.
  4. Close the Registry Editor:

    • Exit the Registry Editor and restart your computer for the changes to take effect.

Verifying the Configuration

To verify that the setting has been applied correctly, you can use the following methods:

Using Command Prompt

  1. Open Command Prompt:

    • Press Win + R, type cmd, and press Enter.
  2. Check the registry value:

    • Run the command:
      reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection
    • Verify that the output shows the value as 0x1.

Using PowerShell

  1. Open PowerShell:

    • Press Win + X and select Windows PowerShell (Admin).
  2. Check the registry value:

    • Run the command:
      Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection"
    • Verify that the output shows the value as 1.
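The following PowerShell script is an added example, not part of the original article: it combines the registry configuration step and the verification step above into one auditable command. It assumes an elevated PowerShell session and uses the registry path and value name given in the article; the -Enable switch and the Get-UpdatePinningState function are this script's own names, not a Windows API.

```powershell
# Added example (not from the original article).
# Audits, and optionally sets, DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection.
# Assumptions: elevated session; path and value name as documented in the article;
# the -Enable switch is this script's own convention.
param(
    [switch]$Enable   # set the value to 1 (disable pinning enforcement)
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName  = 'DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection'

function Get-UpdatePinningState {
    # Returns an object describing the current state so results can be
    # collected from many machines and compared. A missing value or 0 means
    # pinning is still enforced; 1 means enforcement is disabled.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { $null } else { [int]$item.$ValueName }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RegistryPath        = $PolicyPath
        ValueName           = $ValueName
        RawValue            = $raw
        PinningEnforced     = ($raw -ne 1)
    }
}

if ($Enable) {
    # Create the WindowsUpdate policy key if it is absent, then write the DWORD.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "Set $ValueName = 1 under $PolicyPath (restart required)."
}

# Always report the resulting state, whether or not -Enable was passed.
Get-UpdatePinningState | Format-List
```

Run it without arguments to audit a machine (PinningEnforced should be True on any host that does not sit behind a TLS-inspecting proxy), or with -Enable to apply the setting from the registry section. Because setting the value to 1 removes the protection pinning gives against a forged update server certificate, it is worth keeping the audit output from your fleet and treating PinningEnforced = False on a machine with no such proxy as a finding to investigate.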

By following these steps, you can configure the DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection setting in your Windows environment, ensuring that update detection processes are not disrupted by strict TLS certificate pinning enforcement.
