- Windows 10 Update Root Certificates Feature Isn't Enabled
- Windows 10 Automatic Root Certificate Update
This article provides a workaround for an issue where valid root CA certificates that are distributed by using GPO appear as untrusted.
We found that the root CAs were out of date on some of our Windows 2012 R2 servers. Having investigated this, it appears Microsoft released a patch to provide the ability for 'Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet'. This patch introduces new registry keys for stopping Windows Update from updating the root CAs along with. First, you need to download the complete root certificate list using the certutil command line tool (Windows 10 requires administrator rights while using cmd.exe): `Certutil.exe -generateSSTFromWU roots.sst`. Windows 10 allows us to stop trusting roots or EKUs using the 'NotBefore' or 'Disable' properties, both of which allow. The NotBefore and Disable dates are set for the first day of the release month. The update package will be available for download and testing at: https://aka.ms/CTLDownload.
Original product version: Windows 10 - all editions, Windows Server 2012 R2
Original KB number: 4560600
Symptoms
Important
Untrusted root Certificate Authority (CA) certificate problems can be caused by numerous PKI configuration issues. This article illustrates only one of the possible causes of an untrusted root CA certificate.
Various applications that use certificates and Public Key Infrastructure (PKI) might experience intermittent problems, such as connectivity errors once or twice per day or week, because verification of an end-entity certificate fails. Affected applications might return different connectivity errors, but they will all have untrusted root certificate errors in common. The following is an example of such an error:
| Hex | Decimal | Symbolic | Text version |
|---|---|---|---|
| 0x800b0109 | -2146762487 | CERT_E_UNTRUSTEDROOT | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. |
Any PKI-enabled application that uses the CryptoAPI System Architecture can be affected by an intermittent loss of connectivity or a failure in PKI/certificate-dependent functionality. As of April 2020, the list of applications known to be affected by this issue includes, but is not likely limited to:
- Citrix
- Remote Desktop Service (RDS)
- Skype
- web browsers
Administrators should be able to identify and troubleshoot untrusted root CA certificate problems by inspecting the CAPI2 Log.
Focus your troubleshooting efforts on Build Chain/Verify Chain Policy errors within the CAPI2 log containing the following signatures. For example:
```
Error <DateTime> CAPI2 11 Build Chain
Error <DateTime> CAPI2 30 Verify Chain Policy
Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[value] 800b0109
```
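The CAPI2 log is disabled by default, so the check below, an added example rather than part of the Microsoft article, first confirms the log is on and then pulls only the Build Chain (11) and Verify Chain Policy (30) error events whose result is the 0x800B0109 signature listed above. Grouping the hits by leaf subject and time is what distinguishes the intermittent, policy-refresh-correlated failures this article describes from a certificate that never chains. It assumes an elevated PowerShell 5.1 or later session on the affected client; the element names it selects (Result, Certificate) are read namespace-agnostically from the event XML.

```powershell
# Added example (not from the KB article): triage the CAPI2 Operational log for the
# untrusted-root signature the article describes (Event IDs 11 and 30, result 0x800B0109).
# Assumes PowerShell 5.1+ on Windows, run from an elevated prompt.

$LogName   = 'Microsoft-Windows-CAPI2/Operational'
$Signature = '800B0109'   # CERT_E_UNTRUSTEDROOT, as listed in the article

# The CAPI2 Operational log is off by default; it must be enabled before the symptom
# recurs, otherwise there is nothing to inspect.
$log = Get-WinEvent -ListLog $LogName
if (-not $log.IsEnabled) {
    Write-Warning "$LogName is disabled. Enable it with: wevtutil sl $LogName /e:true"
}

# Level 2 = Error. Only Build Chain (11) and Verify Chain Policy (30) are of interest.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 11, 30; Level = 2 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    # CAPI2 events carry a <Result value="..."> element under UserData; local-name()
    # keeps the XPath independent of the event schema namespace.
    $result = $x.SelectSingleNode("//*[local-name()='Result']")
    if ($result -and $result.GetAttribute('value') -ieq $Signature) {
        # The first <Certificate> element names the leaf certificate that failed to chain.
        $leaf    = $x.SelectSingleNode("//*[local-name()='Certificate']")
        $subject = if ($leaf) { $leaf.GetAttribute('subjectName') } else { '(unknown)' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Task    = $e.TaskDisplayName
            Subject = $subject
            Result  = $result.GetAttribute('value')
        }
    }
}

if (-not $hits) {
    "No CERT_E_UNTRUSTEDROOT events found in $LogName."
} else {
    # Failures that cluster around Group Policy refresh times and then clear on their own
    # match the cause in this article; a subject that fails every time points elsewhere.
    $hits | Sort-Object Time | Format-Table -AutoSize
    "`nFailures per leaf subject:"
    $hits | Group-Object Subject | Select-Object Count, Name | Format-Table -AutoSize
}
```

Run it on a client that has shown the symptom at least once since the log was enabled; correlate the timestamps it prints with `gpupdate` runs or the background Group Policy refresh interval to confirm the pattern.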
Cause
Untrusted root CA certificate problems might occur if the root CA certificate is distributed using the following Group Policy (GP):
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Root cause details
When distributing the root CA certificate using GPO, the contents of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates will be deleted and written again. This deletion is by design, as this is how the GP applies registry changes.
Changes in the area of the Windows registry reserved for root CA certificates will notify the Crypto API component of the client application, and the application will start synchronizing with the registry changes. This synchronization is how the applications are kept up-to-date and made aware of the most current list of valid root CA certificates.
In some cases, such as scenarios in which a large number of root CA certificates are distributed via GPO (similar to what happens with many Firewall or AppLocker policies), Group Policy processing takes longer, and the application might not receive the complete list of trusted root CA certificates.
Because of this, end-entity certificates that chain to those missing root CA certificates will be treated as untrusted, and various certificate-related problems will start to occur. The problem is intermittent and can be temporarily resolved by forcing Group Policy to reapply or by rebooting.
If the root CA certificate is published using an alternative method, the problem might not occur, because the situation described above applies only to distribution through the GPO registry location.
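To see which roots on a given client depend on the policy location that is rewritten at every refresh, the following added script (not part of the Microsoft article) enumerates the thumbprint subkeys under the Policies key and under the physical machine Root key, and resolves them to subject names through the Cert: provider, which presents the merged view an application sees once synchronisation completes. It assumes an elevated PowerShell 5.1 or later session on a domain-joined machine.

```powershell
# Added example (not from the KB article): report which trusted roots are delivered only
# through the Group Policy registry location the article describes, and which also live
# in the physical machine Root store that is not rewritten on each policy refresh.
# Assumes an elevated PowerShell 5.1+ session on a domain-joined client.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$PhysicalKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

function Get-RootThumbprintsFromKey {
    param([string]$Path)
    # Each subkey under ...\Certificates is named after the certificate thumbprint.
    if (Test-Path $Path) {
        (Get-ChildItem -Path $Path).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
    }
}

$policyRoots   = @(Get-RootThumbprintsFromKey $PolicyKey)
$physicalRoots = @(Get-RootThumbprintsFromKey $PhysicalKey)

# The Cert: provider merges both locations, so it is the view an application gets after
# synchronisation has completed; use it to turn thumbprints back into subject names.
$byThumb = @{}
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $byThumb[$_.Thumbprint] = $_ }

$report = foreach ($t in ($policyRoots + $physicalRoots | Sort-Object -Unique)) {
    $cert    = $byThumb[$t]
    $subject = if ($cert) { $cert.Subject } else { '(not visible in Cert:\LocalMachine\Root)' }
    [pscustomobject]@{
        Thumbprint    = $t
        Subject       = $subject
        InPolicyKey   = $policyRoots   -contains $t
        InPhysicalKey = $physicalRoots -contains $t
    }
}

# Roots present only under the Policies key vanish briefly every time the GPO is
# reapplied; chains ending in these are the ones that can intermittently fail.
$report | Sort-Object InPhysicalKey, Subject | Format-Table -AutoSize
$policyOnlyCount = @($report | Where-Object { $_.InPolicyKey -and -not $_.InPhysicalKey }).Count
"`nRoots relying solely on the GPO policy location: $policyOnlyCount"
```

A non-zero count on the last line, combined with CAPI2 0x800B0109 events for leaf certificates issued under those roots, is the combination that points at the cause in this article; the fix is then to move those roots to the physical store by one of the methods in the Workaround section.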
Workaround
Microsoft is aware of this issue and is working to improve the certificate and Crypto API experience in a future version of Windows.
To address this issue, avoid distributing the root CA certificate using GPO. This might include targeting the registry location (such as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates) to deliver the root CA certificate to the client.
Storing the root CA certificate in a different, physical root CA certificate store should resolve the problem.
Examples of alternative methods for publishing root CA certificates
Method 1: Use the command line tool certutil to install the root CA certificate stored in the file rootca.cer:

```
certutil -addstore root c:\tmp\rootca.cer
```
Note
This command can be executed only by local administrators, and it affects only a single machine.
Method 2: Start certlm.msc (the certificates management console for the local machine) and import the root CA certificate into the Registry physical store.
Note
The certlm.msc console can be started only by local administrators. Also, the import affects only a single machine.
Method 3: Use GPO preferences to publish the root CA certificate as described in Group Policy Preferences
To publish the root CA certificate, follow these steps:
1. Manually import the root certificate on a machine using the following command (see Method 1):

   ```
   certutil -addstore root c:\tmp\rootca.cer
   ```

2. Open GPMC.msc on the machine where you have imported the root certificate.
3. Edit the GPO that you would like to use to deploy the registry settings in the following way:
   - Edit Computer Configuration > Group Policy Preferences > Windows Settings > Registry > path to the root certificate.
   - Add the root certificate to the GPO as presented in the following screenshot.
4. Deploy the new GPO to the machines where the root certificate needs to be published.
Any other method, tool, or client management solution that distributes root CA certificates by writing them into the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates will work.
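Method 1 and the verification that any other tool must satisfy (the certificate ends up under the physical ROOT\Certificates key) can be done together from PowerShell. The script below is an added example, not Microsoft's code: it refuses to import anything that is not self-signed, imports the file into the machine Root store with the PKI module's Import-Certificate cmdlet (the equivalent of certutil -addstore root), then confirms the thumbprint subkey and its Blob value exist at the physical location, which is also the registry item to replicate for Method 3. It assumes an elevated PowerShell 5.1 or later session with the PKI module available; C:\tmp\rootca.cer is the article's example path.

```powershell
# Added example (not from the KB article): Method 1 from PowerShell, followed by the check
# that the root landed in the physical store location the article names
# (HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates), not the GPO one.
# Assumes an elevated PowerShell 5.1+ session with the PKI module (Import-Certificate)
# and a DER or Base64 .cer file; C:\tmp\rootca.cer is the article's example path.

param([string]$CerPath = 'C:\tmp\rootca.cer')

$PhysicalKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

function Install-RootIntoPhysicalStore {
    param([Parameter(Mandatory)][string]$Path)

    # Only self-signed certificates belong in the Root store; importing an intermediate
    # here would silently widen what the machine trusts.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$Path is not self-signed (subject '$($cert.Subject)', issuer '$($cert.Issuer)'); not a root CA."
    }

    # Equivalent of: certutil -addstore root <file>
    $imported = Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
    $thumb    = $imported.Thumbprint

    # Verify the physical registry location, which is also where any other management
    # tool must write. The Blob value is the serialized certificate plus its properties.
    $regPath = Join-Path $PhysicalKey $thumb
    if (-not (Test-Path $regPath)) {
        throw "Import reported success but $regPath does not exist."
    }
    $blob = (Get-ItemProperty -Path $regPath -Name Blob).Blob

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $thumb
        NotAfter    = $cert.NotAfter
        RegistryKey = $regPath
        BlobBytes   = $blob.Length
    }
}

$result = Install-RootIntoPhysicalStore -Path $CerPath
$result | Format-List

# For Method 3 (Group Policy Preferences), this is the registry item to replicate:
# the key under ...\Microsoft\SystemCertificates\ROOT\Certificates with its Blob value,
# not the ...\Policies\... location that Group Policy rewrites on every refresh.
"GPP registry item to deploy: $($result.RegistryKey) (value 'Blob', REG_BINARY, $($result.BlobBytes) bytes)"
```

The last line names the exact key and value to add under Computer Configuration > Preferences > Windows Settings > Registry in the GPO from Method 3; exporting it from the reference machine with GPMC's registry browser gives the same Blob bytes.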
Utilizing your CAC on Windows 10 'can' be as easy as...
Installing the DoD Root certificates and making sure the Internet Options are set correctly.
However, computers don't always cooperate with us. So....
Here are my findings and solutions:
Information: Edge is the default web browser in Windows 10. Internet Explorer is on the computer and provides backwards compatibility for web pages that do not work with Edge.
My recommendation is to type: Internet Explorer into the Search the web and Windows/ I'm Cortana / Ask me anything (box) in the lower left corner of your screen. Once Internet Explorer appears, right click Internet Explorer and select Pin to taskbar.
Finding 1: You upgraded from Windows 8.1 and were using your CAC with little to no problems, and now you can't access CAC-enabled sites. Keep reading for ideas to try:
Solution 1 (built-in Smart Card ability): Uninstall ActivClient 6.2.0.x or 7.0.1.x by right-clicking the Windows logo ('4 squares' in the lower left corner of your desktop), select Programs and Features (now called Apps and Features), find ActivClient in your list of programs and select Uninstall, restart your computer and try the sites again. It may work; if it doesn't, try the next Solution. Dual persona (PIV) users might be able to access their email using the built-in Smart Card ability; your results may vary. If it doesn't read your PIV, you will need to follow Finding 1, Solutions 2 or 3 below.
Finding 1, Solution 2 (ActivID): ActivID ActivClient 7.1.0.153 works great on Windows 10 computers and is available for Army users from links on the Army page. All other people will have to get it from your respective branch or purchase it to try it on your computer.
Finding 2: I can't access encrypted emails when using the Edge web browser.
Solution 2: The Edge web browser does not support S/MIME. See my recommendation above to see how to use Internet Explorer to read and send your encrypted emails when using OWA / webmail.
Information (from Microsoft): To understand the problem with OWA, Edge, and S/MIME you need to know the OWA S/MIME is an Active-X control. By design Edge does not support Active-X (or Browser Helper Objects); this is good from a security perspective, but bad if you want to use OWA with Edge. Windows 10/Edge is a work in progress, Microsoft is planning to use other technologies to replace Active-X sometime in the future. In the meantime use Internet Explorer 11.
Finding 3: I can't sign PDFs (Portable Document Format) like I did in Windows 8.1.
Solution 3: To digitally sign PDFs, you need to use Internet Explorer, NOT the Edge web browser, and have Adobe Reader set as the default PDF viewer. NO other PDF readers will allow digital signing of forms. This should happen automatically when installing Adobe Reader. However, if it doesn't, here is how to change the default viewer:
Type: 'default' into the Search the web and Windows/ I'm Cortana / Ask me anything (box) near the Windows logo at the bottom left of your screen.
Click: Default Programs at the top of the list.
Click: Associate a file type or protocol with a program.
Scroll down to .pdf, if it shows Adobe Acrobat Reader, it is set correctly, if it shows some other program, select .pdf and click the Change program.. (button) in the upper right corner of the screen.
'Adobe Acrobat Reader' should be in the list of choices; select it and then click OK.
Finding 4: How do I get to Internet Options in Edge? I can't find it.
Solution 4: Follow slide 5 of https://milcac.us/tweaks
Finding 5: Cannot see / select the Authentication / PIV certificate in Windows 10.
Solution 5: Windows 10 users will see the certificate selection differently than older versions of Windows. Click More choices to see additional certificates. Select the correct certificate and then click OK.