How do I change public key policies programmatically?


In order to automate the deployment of a certain service's installation, I'm trying to change the Certificate Path Validation Settings in PowerShell (any other programmatic method will do just as well). Specifically, I need to change the Network Retrieval settings (automatic update, override timeout settings, disallowing issuer certificate retrieval, etc.).

I know how to do this manually, using secpol.msc, but I need to automate this.

I tried to export the security configuration with secedit.exe, but either it doesn't contain the information that I need to modify, or I don't know how to identify it.

Does someone know how to get/modify these specific settings?

2

There are 2 answers

1
Assaf Stone On BEST ANSWER

Finally found my solution - there is this tool called LGPO.EXE, that can help import, export, and edit the Certificate Path Validation Settings programmatically. Use of this will still require a restart to get the changes to apply, but at least it is now possible.

2
Errorum On

I'm having this exact issue right now. This page could be a valuable resource for you. If you can download modules at work, that should do the trick for you (depending on what you need). Unfortunately I can't, so I'm still looking for an answer to your question.

I've been hacking at this all day and have made a bit of progress. These policies are found in the HKEY_USERS registry. The below code successfully changed my AIA retrieval setting. I'm still looking for where the other settings are in the registry.

# The SID and GPO GUID below are specific to the poster's machine; substitute your own.
# Key layout: HKEY_USERS\<SID>\...\Group Policy Objects\{<GPO GUID>}Machine\<policy path>
Set-Location -Path "Registry::HKEY_USERS\S-1-5-21-1334943887-574888862-474100395-22132\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D2FEBD75-F5EE-4C41-81A3-F95E12FFA66D}Machine\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config"
$path = (Get-Location).Path

# Options is the value that changed the AIA retrieval setting in the poster's test.
Set-ItemProperty -Path $path -Name Options -Value 2
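A more defensive form of the registry approach in the answer above, added here as an example and not code from the original post or the answerer: it discovers the loaded user hives and the {GUID}Machine GPO keys instead of hard-coding a SID and GUID, shows the current value, reads it back after writing, and supports -WhatIf. The key layout and the value name Options come from the answer; that Options is a REG_DWORD is an assumption.

```powershell
# Added example (not from the original post). Assumes the key layout shown in the
# answer above: HKEY_USERS\<SID>\...\Group Policy Objects\{GUID}Machine\<policy path>.
$ChainEngineSubKey = 'Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$GpoRootSubKey     = 'Software\Microsoft\Windows\CurrentVersion\Group Policy Objects'

function Get-ChainEngineConfigKey {
    # Every loaded user hive may hold staged local GPOs; only the "{GUID}Machine"
    # children carry machine-scoped policy, so user-scoped "{GUID}User" keys are skipped.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $gpoRoot = Join-Path -Path $hive.PSPath -ChildPath $GpoRootSubKey
        if (-not (Test-Path -Path $gpoRoot)) { continue }
        foreach ($gpo in Get-ChildItem -Path $gpoRoot) {
            if ($gpo.PSChildName -notlike '{*}Machine') { continue }
            $cfg = Join-Path -Path $gpo.PSPath -ChildPath $ChainEngineSubKey
            if (Test-Path -Path $cfg) {
                [pscustomobject]@{
                    Hive    = $hive.PSChildName   # SID of the user whose hive is loaded
                    Gpo     = $gpo.PSChildName    # {GUID}Machine
                    KeyPath = $cfg
                    Options = (Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).Options
                }
            }
        }
    }
}

function Set-ChainEngineOptions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [uint32] $Value
    )
    $before = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).Options
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set Options to $Value (was: $before)")) {
        # Assumption: Options is a REG_DWORD flags value; -Type makes that explicit
        # if the value does not exist yet.
        Set-ItemProperty -Path $KeyPath -Name Options -Value $Value -Type DWord
        $after = (Get-ItemProperty -Path $KeyPath).Options
        if ($after -ne $Value) { throw "Options at $KeyPath reads back as $after, expected $Value" }
        [pscustomobject]@{ KeyPath = $KeyPath; Before = $before; After = $after }
    }
}

# Usage (run elevated): review first, then drop -WhatIf to apply the answer's Options=2.
Get-ChainEngineConfigKey | Format-Table -AutoSize
Get-ChainEngineConfigKey | ForEach-Object { Set-ChainEngineOptions -KeyPath $_.KeyPath -Value 2 -WhatIf }
```

As the accepted answer notes, the change only takes effect once policy is reapplied, so keep the Before value from the returned object if you need to roll back.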