Windows Registry Editor Version 5.00

; Created by Sectigo - 2025
; RESTORE TO DIRECT CHAIN
; Registry file for the workaround for the IIS/Windows inability to specify certificate chains for the TLS handshake
; The workaround moves the Sectigo R46 and Sectigo E46 self-signed roots to the 'Disallowed' store,
; which forces Windows to download the cross-certificates from Windows Update CTL and use those
; This file reverses it by removing both roots from the 'Disallowed' store
; KB Article:

; Remove Sectigo R46 self-signed root from Disallowed. Windows Update CTL should restore it to the trust store once the binding is refreshed
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD98F9F3E47D753B65D482B3A45217BB6EF5E438]

; Remove Sectigo E46 self-signed root from Disallowed. Windows Update CTL should restore it to the trust store once the binding is refreshed
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\EC8A396C40F02EBC4275D49FAB1C1A5B67BED29A]