Windows 10 Root Certificate Update



!! Important Warning before proceeding !!

First, download the complete root certificate list using the certutil command line tool (on Windows 10 this requires running cmd.exe with administrator rights): Certutil.exe -generateSSTFromWU roots.sst. Separately, Windows Update lists an optional update under Optional software updates named 'Root Certificates Update', described as follows: This item updates the list of root certificates on your computer to the latest list that is accepted by Microsoft as part of the Microsoft Root Certification Program.

The instructions below describe how to manually update the root certificate store from Microsoft using tools documented by Microsoft. Importing certificates other than the ones provided via Windows Update can pose a serious security risk to your Windows installation. Always take extra care when working with certificates. Corporate computers that are domain joined may also apply policies that restrict the following procedures. Please consult with your IT department.

We found that the root CAs were out of date on some of our Windows 2012 R2 servers. Having investigated this, it appears Microsoft released a patch to provide the ability for 'Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet'. Windows 10's new optional updates explained. Microsoft is under no obligation to notify you or ask your permission before placing a new trusted root certificate on your Windows PC.


In order for FDI Package signatures to be validated, the workstation that is running the reference run time environment (RRTE) needs the proper root certificates installed. Without these roots installed, the RRTE could return a failure when validating the signatures and certificates. Even though a failure is reported, the RRTE will still permit you to import the package for testing.


There are several Certification Authorities (CAs) that participate in Microsoft's Trusted Root Certificate Program. For example, Digicert, GlobalSign and Comodo are just a few of the participants as of this writing. Most Package developers obtain code signing certificates from CAs like these. You can read more about it here: https://technet.microsoft.com/en-us/library/cc751157.aspx



Issue


Not all root certificates are installed by default. For many applications, Windows installs these on demand using Windows Update. However, Microsoft does not publish an API for this 'just in time' installation, and the current RRTE will not trigger Microsoft to download a potential missing certificate. Without this certificate, a signature cannot be validated. This may result in a false failure.


Note: There are typically one or more Intermediate Certificates between the root certificate and the certificate used to sign the FDI Package. The FDI Package sign tool allows the package producer to supply all intermediate certificates necessary to build the trust relationship. Therefore, there is no need to pre-install intermediate certificates, since they are supplied with the FDI package. While technically the FDI Package could also include the root certificate, this would not help because ultimately this root certificate must be explicitly trusted by the verifying application. See https://en.wikipedia.org/wiki/Root_certificate


Workaround


There is a manual way to install the current root certificates using tools already provided by Windows.


First, you need to download the complete root certificate list using the certutil command line tool (Windows 10 requires administrator rights while using cmd.exe).



You can find a reference to this at:


After running certutil above, a file called roots.sst is generated. This is a container (a Microsoft Serialized Certificate Store) for all current trusted root certificates.


Next, you will need to install these by launching Microsoft Management Console with the Certificates snap-in. From a command line, enter:



This will open a window that should look like this:



From there, Select Certificates under 'Trusted Root Certification Authority', right click and select 'Import' as shown below.



This will start the Wizard. Click Next to begin.



Use the Browse button to find the roots.sst you generated above in the C:\Windows\system32 folder. You will need to change the file type to Microsoft Serialized Certificate Store or the file will not show up.




With the file selected, click Next.



Now, this part is important otherwise you may get unexpected errors. Make sure to change the radio dialog to 'Automatically select ...' as shown below. Then click Next.





The reason? We have seen at least one instance where an intermediate certificate is also provided in the roots.sst file. Windows will show a warning if you force all certificates into the Trusted Root store. By selecting Automatic, each certificate is placed in the correct store (roots in Trusted Root Certification Authorities, intermediates in Intermediate Certification Authorities).


The next screen will show the final step. Click Finish.




You should get a confirmation message.



You can close all windows. The root certificate store is now up to date.


You may see Security Warning messages for each new certificate being imported. If you are unsure if they should be installed, consult with your IT department.
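The same workaround as a script, added here as an example (it is not code from the original page). It assumes an elevated PowerShell session on Windows 10; certutil.exe is the tool the page names, and the store handling uses the standard .NET X509 classes to reproduce the wizard's 'Automatically select' placement.

```powershell
# Added example, not from the original page: scripted form of the manual workaround above.
# Assumes an elevated PowerShell session on Windows 10.
$sstPath = Join-Path $env:TEMP 'roots.sst'

# Step 1: download the current trusted root list from Windows Update into an SST container.
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

# Step 2: load the container and inspect it before touching any store.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($sstPath)

# The page warns that the SST may also carry an intermediate. Do what the wizard's
# 'Automatically select' option does: self-signed certificates (Subject equals Issuer)
# belong in Trusted Root, anything else in Intermediate Certification Authorities.
$roots         = @($bundle | Where-Object { $_.Subject -eq $_.Issuer })
$intermediates = @($bundle | Where-Object { $_.Subject -ne $_.Issuer })
"SST contains $($bundle.Count) certificates: $($roots.Count) roots, $($intermediates.Count) intermediates"

# Review what will be added (subject, expiry, SHA-1 thumbprint) before importing anything.
$roots | Sort-Object Subject | Format-Table Subject, NotAfter, Thumbprint -AutoSize | Out-String | Write-Host

function Add-MissingCerts {
    # Adds only certificates not already present in the named LocalMachine store;
    # returns the number actually added.
    param([object[]]$Certs, [string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    $added = 0
    foreach ($cert in $Certs) {
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert); $added++ }
    }
    $store.Close()
    return $added
}

# Step 3: import. Unlike the GUI wizard, the API adds to the machine stores without
# a Security Warning prompt, so the review listing above is the place to object.
$addedRoots = Add-MissingCerts -Certs $roots -StoreName 'Root'
$addedInter = Add-MissingCerts -Certs $intermediates -StoreName 'CA'
"Added $addedRoots root(s) to Trusted Root and $addedInter intermediate(s) to Intermediate CAs"
```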


Symptoms

You experience connectivity issues on a Microsoft Endpoint Configuration Manager service connection point role. When these issues occur, you experience either of the following symptoms:

  • During uploads or syncs to Configuration Manager cloud services, you receive the following status message IDs that indicate a communications failure:

    • 9605: DMP_UPLOADER_UPLOAD_FAILED
    • 9607: DMP_UPLOADER_UPLOAD_EXCEPTION
  • The following error entry is logged in the Configuration Manager logs:

    • Failed to check and load service signing certificate. System.ArgumentException: Fail to build chain


Cause

This issue can occur if any of the following conditions are true:

  • The automatic root certificate mechanism is disabled.
  • The DigiCert Global Root G2 root certificate isn’t installed.
  • The intermediate certificates aren’t installed in the Intermediate Certification Authorities store.
  • Your environment allows outbound calls to only specific Certificate Revocation List (CRL) downloads or Online Certificate Status Protocol (OCSP) verification locations.

Resolution

Install the latest root certificates. The root certificates may not automatically install if you’re running a disconnected environment, or if the necessary internet endpoints are blocked.

Disconnected environments


Update trusted root certificates and disallowed Certificate Trust Lists (CTLs) within disconnected environments.

Within disconnected environments, administrators must set up either a file share or a web server to host the files internally. Group Policy settings are also updated so that the clients and servers use the internal file share or web server instead of the internet location.

Systems that are running within disconnected environments have to have the new roots added to the Trusted Root Certification Authorities store, and have the intermediates added to the Intermediate Certification Authorities store.

You can consider your environment to be disconnected if either of the following conditions is true:

  • Direct access to Windows Update is blocked.
  • The auto update mechanism for both trusted and untrusted CTLs is disabled.

For information about how to facilitate the distribution of trusted or untrusted certificates for disconnected environments, see Configure Trusted Roots and Disallowed Certificates.


Internet endpoints

If you have an environment in which rules are set to allow outbound calls to only specific Certificate Revocation List (CRL) downloads, or Online Certificate Status Protocol (OCSP) verification locations, you must allow the following CRL and OCSP URLs:

  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://ctldl.windowsupdate.com
  • https://mscrl.microsoft.com
  • https://crl.microsoft.com
  • https://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
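A diagnostic for the conditions listed under Cause and the endpoint allow-list above, added as an example (this is not Microsoft's own tooling). It assumes an elevated PowerShell session on the service connection point with the NetTCPIP module (Test-NetConnection) available; DisableRootAutoUpdate is the policy registry value behind the 'Turn off Automatic Root Certificates Update' Group Policy setting, and the endpoint URLs are the ones listed on the page.

```powershell
# Added example, not from the original article: check the local causes and endpoint
# reachability described above. Run elevated on the service connection point.
$findings = @()

# 1. Is the automatic root certificate update mechanism disabled by policy?
#    DisableRootAutoUpdate = 1 under this key turns the mechanism off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    $findings += 'Automatic root certificate update is disabled by policy (DisableRootAutoUpdate = 1)'
}

# 2. Is DigiCert Global Root G2 present in the machine Trusted Root store, as a real root?
$g2 = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*CN=DigiCert Global Root G2*' })
if ($g2.Count -eq 0) {
    $findings += 'DigiCert Global Root G2 is not installed in LocalMachine\Root'
} elseif ($g2 | Where-Object { $_.Subject -ne $_.Issuer }) {
    $findings += 'A certificate named DigiCert Global Root G2 is in the Root store but is not self-signed'
}

# 3. Can this host reach the CRL, OCSP and CTL download endpoints the article requires?
#    Only the TCP port is probed; a proxy or URL filter could still block the path.
$endpoints = @(
    'http://crl3.digicert.com', 'http://crl4.digicert.com', 'http://ocsp.digicert.com',
    'http://www.d-trust.net', 'http://root-c3-ca2-2009.ocsp.d-trust.net',
    'http://ctldl.windowsupdate.com', 'https://mscrl.microsoft.com', 'https://crl.microsoft.com',
    'https://oneocsp.microsoft.com', 'http://ocsp.msocsp.com'
)
foreach ($url in $endpoints) {
    $u = [uri]$url   # .Port resolves to 80 or 443 from the scheme
    $ok = Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ok) { $findings += "Cannot reach $($u.Host):$($u.Port) (required for $url)" }
}

if ($findings.Count -eq 0) { 'No issues found for the checked conditions' } else { $findings }
```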

More Information

Microsoft maintains the list of root certificates that are distributed by the Windows Root Certificate Program, on the program website.

For more information about the Windows Root Certificate Program and the list of certification authorities (CAs) who are members, see Release notes - Microsoft Trusted Root Certificate Program.

Root certificate update mechanisms are available in different versions of Windows. This includes the automatic root update mechanisms.

For more information about how to update the root certificate list in different versions of Windows, see Configure Trusted Roots and Disallowed Certificates.

By default, the automatic root update mechanism is enabled in different versions of Windows. However, if this mechanism is disabled, and the service connection point server doesn't have the DigiCert Global Root G2 root certificate installed, connectivity issues with Configuration Manager cloud services may occur. The Configuration Manager on-premises hierarchy may no longer be able to access the Microsoft Configuration Manager cloud services and other such resources.


For more information, see Azure TLS certificate changes and Azure IoT TLS: Changes are coming.


Next steps


For additional information about connectivity requirements and troubleshooting for Configuration Manager, see the following items: