question

7 Votes
WalshLiam-3007 asked yannara answered

Windows 10, Feature Update to 1909, Certificates missing after

Anyone seen this issue, only occurring in about the last week? It may be a wider issue globally. Not sure what triggered it.
Basically, in the last few days, after some updates from 1809 to 1909 completed, the local laptop certs are missing, which is a problem for all our home users on VPN! (i.e. with covid still around)

windows-10-general windows-10-setup

0 Votes
JoyQiao-MSFT answered WalshLiam-3007 commented

Hi,

Thank you for coming to the Microsoft Q&A forum!

Does the issue only occur on Windows home systems, or does your environment only have Windows 10 home systems?

What is the existing system build? Please run "winver" to check on several devices.

Bests,

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Windows 10 Enterprise Edition x64. Updating from 1809 to 1909. The issue happens after the 1909 update completes. We have been updating computers since May 2020, and have only seen this issue in the last week.
It looks like some other people have seen it: https://www.reddit.com/r/SCCM/comments/jfyqs2/certificate_issues_after_os_upgrade/

0 Votes 0 ·

Our Help Desk just started reporting this same issue which started on Tuesday (10/20/2020). We are upgrading our Windows 10 Enterprise 1809 systems to 1909. Prior to Tuesday we stopped the upgrade for 3 weeks because of our finance quarter-end. We upgraded over 8,000 systems without this issue back then. Since Tuesday, we have done ~2,000 systems for this week and have thousands more the following week. The only major change I can think of is Patch Tuesday happened.

0 Votes 0 ·

Yes, we think it's related to the October Windows patches. Would be great to get an acknowledgement and a fix from MS.

0 Votes 0 ·
2 Votes
GarethEdwards-0838 answered yannara edited

Yes, same issue for us too. Not limited to the 1909 feature update, also the same for the 20H2 pre-release.

We have updated several previously to both OS versions, but this week's updates result in devices missing certificates.


Rolled back and removed the October CU. Then went forward again. Certificates all in place. I've repeated this to prove it. So it looks like the October CU changes the OS before the update in some way that causes the certificates to be removed during the feature upgrade.

0 Votes 0 ·

You’ve clearly been busy :)

From what I’ve read, it happens if the Operating System patch level is greater than the Servicing WIM.

0 Votes 0 ·

I see IPU 1909->20H2 loses machine certs.

0 Votes 0 ·
0 Votes
kamalakannanchandrasekaran-9123 answered

We also face the same issue, and there is a workaround of deleting the VPN connection from NCPA.CPL and rerunning the package fix, or else connecting to the corporate network to get the new certs downloaded.


0 Votes
JoyQiao-MSFT answered $$ANON_USER$$ Deactivated commented

Hi All,

I understand you are stuck in trouble caused by this issue, which occurs because the target system version (without the 2020 9B / 10B package) is lower than the existing system version (with the 2020 9B / 10B package). Here is a workaround which could help us get out of it. Please try it on your side.

First, we need to roll back to the previous OS. Then re-launch the in-place upgrade to a target OS with dynamic updates enabled, OR in-place upgrade to an OS image that contains the 2020 9B / 10B package or later.

Admins may be successful initiating an OS rollback remotely within the 10 days. The default value is 10 days; we could also configure it through the DISM command line (run as admin) as below.

DISM /Online /Set-OSUninstallWindow /Value:<days>

Tip: If value passes anything <2 or >60, the default value of 10 will be set.

Then roll back with the command line DISM /Online /Initiate-OSUninstall [/NoRestart|/Quiet]

For more information about this command tool, please refer to DOCS: DISM operating system uninstall command-line options

Important: OEMs shouldn't use this setting in imaging or manufacturing scenarios. This setting is for IT administrators.
Windows gives a user the ability to uninstall and roll back to a previous version of Windows.

To add an update package to an ISO image, we could use the DISM tool with the add-package parameter.
For more details, please refer to: To add packages to an offline image by using DISM

Or we could configure the image through SCCM.

Lastly, thanks for all your patience and continued use of Microsoft products.

Bests,

Joy


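The registry method works great, here is a quick PowerShell script that accomplishes those steps:

 # Run from an elevated PowerShell prompt.
 $hivefile = "C:\Windows.old\WINDOWS\System32\config\SOFTWARE"
 $regfile = "C:\Temp\RegTests\RegFileTest.reg"

 # Make sure the export folder exists before REG EXPORT writes to it
 New-Item -ItemType Directory -Path (Split-Path $regfile) -Force | Out-Null

 # Mount the pre-upgrade SOFTWARE hive and export the machine Personal (MY) certificate keys
 REG LOAD "HKLM\SOFTWARE_TEMP" $hivefile
 REG EXPORT "HKLM\SOFTWARE_TEMP\Microsoft\SystemCertificates\MY\Certificates" $regfile /y
 REG UNLOAD "HKLM\SOFTWARE_TEMP"

 # Point the exported keys at the live SOFTWARE hive
 ((Get-Content -Path $regfile -Raw) -replace "SOFTWARE_TEMP", "SOFTWARE") | Set-Content -Path $regfile

 # Import the certificate keys into the running system
 REG IMPORT $regfile

4 Votes 4 ·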
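
A read-only check for the condition that script repairs, as an added example that is not part of the original comment: it lists machine certificate thumbprints present in the Windows.old SOFTWARE hive but absent from the live LocalMachine\My store. The hive path is the one used in the comment above; the mount name `OLD_SOFTWARE` and the function name are assumptions.

```powershell
# Added example (not from the thread): detect machine certificates lost by the upgrade.
# Read-only: nothing is imported or changed. Run from an elevated prompt.
$hiveFile  = 'C:\Windows.old\WINDOWS\System32\config\SOFTWARE'  # path used in the comment above
$mountName = 'OLD_SOFTWARE'                                      # arbitrary temporary mount name (assumption)
$certPath  = 'Microsoft\SystemCertificates\MY\Certificates'

function Get-MissingThumbprint {
    # Returns thumbprints found in $Before but not in $After.
    # -notcontains compares strings case-insensitively, which suits hex thumbprints.
    param([string[]]$Before, [string[]]$After)
    @($Before | Where-Object { $_ -and ($After -notcontains $_) })
}

if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "Previous-OS hive not found at $hiveFile (Windows.old already removed?)"
}

& reg.exe load "HKLM\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed; is the prompt elevated?' }
try {
    # Each subkey of ...\MY\Certificates is named after one certificate's thumbprint.
    $before = @(Get-ChildItem -Path "HKLM:\$mountName\$certPath" -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSChildName })
}
finally {
    # Release PowerShell's registry handles, otherwise the unload is refused.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}

$after   = @(Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint })
$missing = @(Get-MissingThumbprint -Before $before -After $after)

# A certificate renewed since the upgrade has a new thumbprint and is also listed here.
"Certificates before upgrade: $($before.Count); in live store: $($after.Count); missing: $($missing.Count)"
$missing | ForEach-Object { "MISSING  $_" }
```
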

Yes, the registry method works great post-mortem and can save the life of a user who might otherwise be unable to connect via VPN.

The issue can be avoided by uninstalling the October 2020 cumulative patch before starting the Windows 10 upgrade. A poor workaround, but at least it works.

Really curious if there is already a bug ID at Microsoft. Premier support is still investigating our logs although this seems to be a known issue.

2 Votes 2 ·

Hi,


Thank you for all your feedback about your action result and experience.

Please mark a useful reply as the answer, or vote for a useful reply, which helps other customers find the result more quickly.

Bests,



0 Votes 0 ·

Hi JoyQiao
Thanks for this explanation, I appreciate having this piece of info, but still need further support to fix it in the following scenario:
We're luckily just in the test phase to upgrade 1809 to 1909 using SCCM and we experience the same certificate issue (since Patch Tuesday) when we deploy the 'Feature Update to Windows 10 (business editions), version 1909, en-us x64' package (Article ID 3012973) from the 'Software Servicing' feature, in order to get our 1809 clients up to 1909. If I understand your answer right, it means that the above servicing package is also outdated and should be patched to 2020 9B / 10B at least. Will there be an updated version of this package released by Microsoft in the near future?

1 Vote 1 ·

Hi Roy,

Many thanks for sharing - highly appreciated!

Is there a Microsoft bug ID or ticket number we can refer to? Premier support seems not to be aware of the issue yet.


Thanks,
Dietmar

0 Votes 0 ·
0 Votes
Rahul-1188 answered Rahul-1188 edited

Yes, I also confirm this issue has impacted around 300+ machines in my environment. Certificates are missing post 1909 upgrade on top of the Oct month patch. Additionally, the SAP app is broken and we have to reinstall it to fix the login issue.


0 Votes
JaysonGabler-0593 answered

This has just happened to me. I applied the 20H2 feature update and after the reboot, the laptop showed the "no internet" symbol in system tray. At first, I thought the WLAN driver was incompatible with 20H2 but I checked Device Manager and it was still there. Then I noticed the wireless networks were still "available", but when I tried to connect to the usual one, I got an error about needing a certificate.

So finally I checked the local machine certs, and lo and behold, all the certs in the Personal store had disappeared!


0 Votes
SuStevenS-6167 answered DarrellShand-0188 commented

Is there any news update? I also encountered the same problem; there is no solution at present, please help!!


Hi,


Please refer to my previous reply to roll back and upgrade again with a target OS that has the 2020 9B / 10B package or later installed.


Bests,



0 Votes 0 ·

Thanks for your reply.
Is there a solution for upgrading to 1909 under the status of 1809?
Because the computer has been upgraded to 1909, the client certificate will be removed. The IP cannot be obtained (My company has ISE wired authentication), and IT personnel need to deal with the computers one by one.

Is there a solution that does not require rollback? (Such as installing other PATCH or adjusting the machine code in advance)
Thank you for your assistance!

0 Votes 0 ·

Hi,

In the existing status, it is strongly recommended to roll back. If no action is performed in those 10 days, the Windows.old folder will be removed and it will no longer be possible to roll back. So at least change the default rollback window with the DISM command line.

We have not heard of any patch for it. Also, as far as I know, it is not possible to adjust the machine code.

Bests,



0 Votes 0 ·
0 Votes
RK0561-4468 answered JoyQiao-MSFT edited

I can also confirm the issue.

Windows 10 Enterprise x64 Edition, we are updating from 1809 to 1909 using the SCCM Upgrade Task Sequence.

Clients with the "2020-10 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4577668)" will fail if connected with VPN (wireless) during the update to 1909.

Computer Personal Certificates Store is empty, all certificates are missing, certificate chain broken.


You can fix this by updating the WIM used to upgrade with the October CU.

0 Votes 0 ·
DYG-5848 GarethEdwards-0838 ·

Exactly, I got an answer from Microsoft: the product team is still working on it, but they don't know yet what the exact KB is that fixes this issue. It seems that upgrading your WIM solves the issue (or enabling the dynamic updates).

0 Votes 0 ·

Thanks,

We are injecting the 1909 October CU into the 1909 Upgrade package using the SCCM scheduled updates feature; hope this will solve the problem.

0 Votes 0 ·

Update:

  • Downloaded the Windows 10, version 1909 (updated Sept 2020) 64-bit ISO file from Microsoft MVLS

  • Injected the 2020-10 Servicing Stack Update for Windows 10 Version 1909 for x64-based Systems (KB4577670)

  • Injected the 2020-10 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4577671)

  • Windows 10 1809 with "2020-10 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4577668)" installed could be successfully upgraded to 1909 now, wired and wireless, all certificates available, no upgrade issue so far. We are continuing to test.



0 Votes 0 ·

Could I ask you a question based on your experience?
If 1809 installs KB4577668 before upgrading to 1909, can the certificates loss problem be solved after upgrading to 1909?
Thank you for your assistance!

0 Votes 0 ·
1 Vote
donmartino77 answered JoyQiao-MSFT commented

And what about the customers who distribute the IPU via servicing in MEMCM? Currently there is no possibility to update the Servicing Image.


Dynamic Updates is not a solution. Because not only Windows updates but also drivers are installed. There is no possibility to configure this in detail. Furthermore, it is not always possible to download GB of data for patches in addition.

Rollback is also not an option for the customer if he makes an IPU from 1709 to 1909. 1709 is end of support.

0 Votes 0 ·

It may not be an ideal solution, but it is an available option.

0 Votes 0 ·

Hi @donmartino77

I have added another solution for those who are using CM in their environment; please check it and try it on your side.

Bests,

0 Votes 0 ·
0 Votes
JoyQiao-MSFT answered ConstantinLorenz-0008 edited

Hi,

Config Manager customers that currently use or can switch to Task Sequence workflow can use the following steps to add 2020 10B updates to target OS image:

Below are the solutions for certs not migrating during an in-place upgrade when using ConfigMgr:

1) Use Scheduled Updates in ConfigMgr to add in the required updates to the Operating System Upgrade Package. This is basically offline servicing and updates install.wim in the Operating System Upgrade Package with the updates. This currently is the most straightforward solution which should work in all environments.

2) Download the latest Windows 10 ISO dated October 2020 or newer. Use the files from this ISO to replace the files from the current Operating System Upgrade Package by deleting all content from the source directory of the Operating System Upgrade Package and then replacing it with the contents from the ISO. After updating the content, update the DPs.

3) At the Upgrade Operating System task, select the option Dynamically update Windows Setup with Windows Update and the sub-option Override policy and use default Microsoft Update. This technically is the easiest solution but requires that clients have access to the public Microsoft Update site. If you block access to the public Microsoft Update site, this may not be a viable option for you.

4) If you do not have access to the public Microsoft Update site, at the Upgrade Operating System task, select the option Dynamically update Windows Setup with Windows Update but do not select the sub-option Override policy and use default Microsoft Update.

This will attempt to grab the dynamic update from the local WSUS server. This gets a bit trickier since the update needs to be approved and downloaded on the WSUS server itself. Notice that this means the WSUS server and not the ConfigMgr SUP/DPs. Windows Setup has no concept of ConfigMgr, so it will only try to go to the WSUS server. This means content is downloaded from the WSUS server and not from DPs. For environments that have only one or a few WSUS servers, this means ALL clients will go to that WSUS server and download content from that WSUS server. This might possibly overload the WSUS server. Additionally, the dynamic updates will need to be manually imported into WSUS from the Microsoft Update Catalog site.

5) You can manually apply the dynamic update directly to the Upgrade Operating System Package:

a) Download the dynamic update from the Microsoft Catalog site

b) Extract the contents of the cab

c) Copy the contents from the cab into the source directory for the Upgrade Operating System Package, overwriting any files

d) Update DPs for the Operating System Upgrade Package

For options 4 & 5 when searching for the applicable dynamic update at the Microsoft Update Catalog site, search for the term Dynamic Update for Windows 10 Version 2004 and select the update dated 2020-10 or newer.

Related links:

Microsoft Update Catalog

Apply Software updates to an image

Manage OS upgrade packages with Configuration Manager

Create a task sequence to upgrade an OS in Configuration Manager

Upgrade Operating System

Dynamically update Windows Setup with Windows Update

Override policy and use default Microsoft Update

Import updates from the Microsoft Update Catalog

Bests,


Do we have a date for when an "October or later" Windows 10 1909 x64 Enterprise ISO will be available on the Microsoft Volume Licensing Service Center as I can't see one on there at the moment?

0 Votes 0 ·

Hi,

As far as I know, Windows 10 1909 has already integrated the 2020 10B updates on VLSC.

We could run command line below to check the details of offline system image version (replace with your path):

dism /Get-WimInfo /WimFile:F:\sources\install.wim /index:1

Or if you have esd format image file

dism /Get-WimInfo /WimFile:F:\sources\install.esd /index:1

36628-capture.png

Check that the image version is bigger (newer) than 18362.1110; it should be 18362.1171.

0 Votes 0 ·
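
A pre-flight check that combines the two conditions reported in this thread, as an added example that is not part of the original reply: it looks for KB4577668 on the running 1809 system and reads the upgrade image version with the DISM PowerShell module. The KB number, the sample path and the 18362.1110 threshold are the values quoted in the thread; the function names are assumptions.

```powershell
# Added example (not from the thread): check the source OS and the 1909 upgrade image
# before starting an in-place upgrade. Run from an elevated prompt.
# The KB and threshold below are thread-reported values, not an official compatibility matrix.
$wimFile      = 'F:\sources\install.wim'      # sample path from the reply above; replace with yours
$index        = 1
$sourceKb     = 'KB4577668'                   # 2020-10 CU for 1809 named in the thread
$minExclusive = [version]'10.0.18362.1110'    # the 1909 image must be newer than this

function Get-ImageVersion {
    # Get-WindowsImage with -Index returns detailed information for one image in the WIM/ESD.
    param([string]$Path, [int]$ImageIndex)
    $img = Get-WindowsImage -ImagePath $Path -Index $ImageIndex -ErrorAction Stop
    $v = [version]$img.Version
    # If Version carries only three parts, append the servicing build (SPBuild).
    if ($v.Revision -lt 0) { $v = [version]("{0}.{1}" -f $img.Version, $img.SPBuild) }
    $v
}

function Test-UpgradeRisk {
    # Risky combination per the thread: patched source OS + image at or below the threshold.
    param([bool]$SourceHasCu, [version]$ImageVersion, [version]$Threshold)
    if ($ImageVersion.Build -ne $Threshold.Build) { return 'Unknown' }  # not a 1909 (18362) image
    if ($SourceHasCu -and $ImageVersion -le $Threshold) { return 'AtRisk' }
    'OK'
}

$hasCu   = [bool](Get-HotFix -Id $sourceKb -ErrorAction SilentlyContinue)
$version = Get-ImageVersion -Path $wimFile -ImageIndex $index
$result  = Test-UpgradeRisk -SourceHasCu $hasCu -ImageVersion $version -Threshold $minExclusive

"{0} installed: {1}; image version: {2}; result: {3}" -f $sourceKb, $hasCu, $version, $result
if ($result -eq 'AtRisk') {
    Write-Warning 'Update the upgrade image or enable dynamic updates before upgrading.'
}
```
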

Hi, I'm not sure how that is possible as the 1909 ISO was updated in September i.e. before the October patches were released.

36815-image.png


0 Votes 0 ·

What about the feature updates KB3012973 for Windows 10 2004, how do we get it updated, or do you re-release this update?





36326-ohne-titel-18.png


0 Votes 0 ·

The screenshot is from the Servicing TAB in SCCM / MEMCM. No Task Sequence or WIM involved here.....

https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/manage-windows-as-a-service
https://systemcenterdudes.com/sccm-windows-10-servicing-plans/



36839-image.png


1 Vote 1 ·
JoyQiao-MSFT ConstantinLorenz-0008 ·

Hi,

May I know where you created this capture? From VLSC or another website?

0 Votes 0 ·
Andr-7781 ConstantinLorenz-0008 ·

Hi,

Thanks to your post I checked out my upgrades and figured out where my, and maybe your, problem is. Since October the recommended version for the semi-annual channel is no longer 2004 but 20H2.

https://docs.microsoft.com/de-de/windows/release-information/

So for the upgrade to work we need the latest build, so it is no longer 2004 but 20h2 that we need.

36758-grafik.png



0 Votes 0 ·