How to disable the Enterprise Roots preference

Revision Information
  • Revision id: 186885
  • Created:
  • Creator: Michele Rodaro
  • Comment: Scroll down to search is a long procedure + Wiki Syntax for preference name/value
  • Reviewed: Yes
  • Reviewed:
  • Reviewed by: AliceWyman
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: No
Revision Source
Revision Content

Warning: These instructions are for experienced Firefox users. Changing settings in the Configuration Editor (about:config) can have serious effects on your browser’s stability, security and performance.
Only proceed if you are comfortable with advanced settings and understand the potential impacts.

Firefox may display a TLS connection error when your antivirus software prevents data from being sent to your browser. This happens when your antivirus software fails to register itself with Firefox as a valid issuer of TLS certificates.

Mozilla has added the Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system to resolve your TLS connection error. You can determine if a website is relying on an imported root by clicking the Information icon from the address bar.

With Firefox version 68, when a TLS connection error occurs, Firefox automatically enables the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.

To modify this behavior and prevent Firefox from automatically enabling the import of CAs that have been added to the operating system when a TLS connection error occurs:

  1. Type about:config in the address bar and press EnterReturn.
    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page. A list of preferences displays.
  2. Type security.certerrors.mitm.auto_enable_enterprise_roots in the Search box above the list of preferences.
  3. Double-click on the security.certerrors.mitm.auto_enable_enterprise_roots preference to change its value from true to false.


To prevent CAs that have been added to the operating system from being automatically imported each time Firefox restarts:

  1. Type about:config in the address bar and press EnterReturn.
    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page. A list of preferences displays.
  2. Type security.enterprise_roots.enabled in the Search box above the list of preferences.
  3. Double-click on the security.enterprise_roots.enabled preference to change its value from true to false.