I'm trying to figure out how to audit local (and domain) group policy settings on Windows servers. Many of these things are set (seemingly) independently of the registry, or at least are not documented as to how or where they update the registry.
To disable automatic root certificate updates, you can set the following registry value to 0:
But you can also disable root certificate updates using group policy, and if you do, it doesn't create that registry value or set it, so I'm not sure where / what to check to audit that setting.
Of course, a great solution would be to have all the GPO settings parsed as extended objects. Anyone done that yet?
Have you had any replies since you posted this message? I'm looking for a pointer for monitoring the change of a GPO then to extract the settings into a Compliance Template so that I can then publish against required targets.