PKI Gurus,
I'm working with a client who has pushed out a Trusted Root certificate via the Default Domain Policy.
Computer configuration\Windows settings\Security Settings\Public key policies\Trusted Root certification Authorities
This configuration is somewhat redundant due to the fact that their CA is an Enterprise CA, and domain joined computers are automatically receiving the Root certificate by virtue of AD.
For this reason, they're wanting to remove/delete the certificate from the Default Domain Policy; however, some are concerned that when they do this it will remove the certificate from the local client trusted root store on domain joined machines.
It is my belief that it will not remove the certificate from the trusted root store on client machines. GPO only pushes the certificate out to local client stores; it doesn't remove, even when the certificate is deleted from the GPO.
Can someone please confirm if I am correct, or incorrect?
Regards,
"T"
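
An added example, not part of the original post: a PowerShell check to run on a test client before and after the GPO change and a Group Policy refresh. It reports which physical store (Group Policy, Enterprise/AD, or local registry) holds the root certificate. The thumbprint is a placeholder and the function name is hypothetical; the registry paths are the standard Windows locations backing the LocalMachine Root store.

```powershell
# Added example. Replace the placeholder with the root CA certificate's SHA-1 thumbprint.
$Thumbprint = '<ROOT-CA-THUMBPRINT>'   # placeholder, not a real value

# Registry keys backing the physical stores that make up LocalMachine\Root.
$PhysicalStores = [ordered]@{
    'Group Policy'    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (AD)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Local registry'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
}

# Hypothetical helper: reports where a given root certificate is stored on this machine.
function Get-RootCertSource {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate GUI often carry spaces or hidden characters.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got '$Thumbprint'."
    }

    foreach ($name in $PhysicalStores.Keys) {
        $key = Join-Path $PhysicalStores[$name] $tp
        [pscustomobject]@{
            Source  = $name
            Present = Test-Path -LiteralPath $key
            Key     = $key
        }
    }

    # Logical view: what certificate chain building on this machine actually sees.
    [pscustomobject]@{
        Source  = 'LocalMachine\Root (effective)'
        Present = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$tp"
        Key     = "Cert:\LocalMachine\Root\$tp"
    }
}

Get-RootCertSource -Thumbprint $Thumbprint | Format-Table -AutoSize
```

Comparing the output from before and after the change shows which distribution path was supplying the certificate and whether the effective trust on the client changed.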