question

7 Votes
WalshLiam-3007 asked Michael-5041 answered

Windows 10, Feature Update to 1909, Certificates missing after

Anyone seen this issue, only occurring in about the last week? It may be a wider issue globally. Not sure what triggered it.
Basically in the last few days some updates from 1809 to 1909, after completed, the local laptop certs are missing. Which is a problem for all our home users on VPN! (i.e. with covid still around)

windows-10-general windows-10-setup

0 Votes
WalshLiam-3007 answered NicklasLagerblad-3014 commented

So, apart from all the workarounds, there's no real fix yet?


0 Votes
NOELRPG45 answered

No fix yet until MS releases updated or refreshed installation media, according to these MS articles 4577671 & 4573911

https://support.microsoft.com/help/4577671/
https://support.microsoft.com/help/4579311/

Look at the "known issues" sections of those articles that mention System and user certificates being lost.


0 Votes
JoyQiao-MSFT answered

Hi All,

Known issue text for the certificate removal issue has been published on Windows 10, version 20H2 and Windows Server, version 20H2 and also has been updated in Windows Update KBs for 2020 9C through 2020 10c for the 1903/1909 and 20h1/20h2 releases of Windows 10. Here is a link for quick review: https://support.microsoft.com/en-us/help/4580364

@ChrisG-7865 I noticed you shared a script created for this issue, but any manual or scripted solution must take into account / include the Root (ROOT) and Intermediate (CA) stores in the recovery to avoid cert chaining/validation issues. I am afraid that the scripts don’t appear to consider the Root (ROOT) and Intermediate CA stores located in the following registry hives.

Bests,


0 Votes
SuStevenS-6167 answered

The results of my environment test are as follows: The certificate disappeared from 1809 to 1909, and it was tested to be affected by the patch KB4577668. Remove the patch from 1809 and upgrade to 1909 and it will work normally.


0 Votes
JJ-6415 answered JJ-6415 commented

We have also seen this issue when upgrading from 1803 to 1909 using the Windows 10 update through SCCM.
We are not deploying via an update package or task sequence due to the current situation with everyone working from home - using the update directly via SCCM, we can specify that the content comes directly from Microsoft, which doesn't impact our bandwidth from our datacentre.

@JoyQiao-MSFT can you confirm that Microsoft are aware of this issue and are working on a solution - I can see from the details of KB4577671 (for 1903 and 1909) https://support.microsoft.com/en-gb/help/4577671 that the known issue is documented when upgrading from 1809, but not from 1803.
The script provided by @ChrisG-7865 works for fixing the issue after the upgrade, but a fixed update would obviously be a better solution.




Hi,

Yes, Microsoft is aware of this issue and has released those public articles to refer to this issue. As we know, we have not heard of this issue occurring from 1803. And the official article also refers to it from 1809. If you have any update about 1803, please reply to us.

Bests,

0 Votes 0 ·

Hi @JoyQiao-MSFT,

I can confirm that we have seen this same issue upgrading from 1803 to 1909.

Thanks

0 Votes 0 ·
0 Votes
donmartino77 answered CGAGGIA-3748 published

For all users who use the servicing in MEMCM: Yesterday Microsoft updated the Servicing Image in WSUS. So the problem with the IPU via Servicing does not occur anymore. This applies to the images 1909, 2004, 20H2.


So, download the image again and deploy it! But I could not test it yet.




Has Microsoft confirmed that this image contains the fix?

0 Votes 0 ·
0 Votes
ReneLippens-6629 answered

We were already in the process of preparing 1700 devices to upgrade from 1809 to 1909 via SCCM task sequence. The 1700 clients already downloaded the upgrade image (dating from April 2020 because we started piloting the first devices around that time of the year) into their ccmcache folder, and we disabled the actual upgrade task sequence after reading these internet posts about certificates being lost.
We could refresh the installation image (which is used in the upgrade task sequence) to the latest one released by MS (version 2004, 20H2) but that would mean all 1700 clients need to download this newer image file (again 4,5 GBs to be downloaded).

Is there another smoother way to upgrade from 1809 to 1909? For example: does the cumulative update from November 2020 for 1809 contain the needed fix so the certificates don't get lost when upgrading from 1809 to 1909?


0 Votes
GrandeAlessio-5623 answered ConstantinLorenz-0008 commented

Hi guys, I was reading this post. I upgraded my first PC from 1809 to 1909 with SCCM a week ago in a test environment. I don't have any problems. What should I check? Thanks for the replies.


Check your certificate store with the mmc.



System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be impacted if they have already installed any Latest cumulative update (LCU) released September 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source which does not have an LCU released October 13, 2020 or later integrated. This primarily happens when managed devices are updated using outdated bundles or media through an update management tool such as Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager. This might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.

0 Votes 0 ·
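
A scripted form of the check suggested above, as an added example that is not part of the thread and not Microsoft's or any poster's script: it records the personal, Root (ROOT) and Intermediate (CA) stores before the feature update and lists what is gone afterwards. The function names and the baseline path are hypothetical, and `CurrentUser` covers only the account running the script.

```powershell
# Added example: inventory certificate stores before a feature update, diff afterwards.
# Function names and the baseline path below are hypothetical.
$Locations = 'LocalMachine', 'CurrentUser'
$Stores    = 'My', 'Root', 'CA'   # personal, trusted root, intermediate CA

function Get-CertInventory {
    foreach ($loc in $Locations) {
        foreach ($store in $Stores) {
            # A store that cannot be read is skipped instead of aborting the run.
            Get-ChildItem -Path "Cert:\$loc\$store" -ErrorAction SilentlyContinue |
                Select-Object @{ n = 'Location'; e = { $loc } },
                              @{ n = 'Store';    e = { $store } },
                              Thumbprint, Subject, NotAfter, HasPrivateKey
        }
    }
}

function Save-CertInventory {
    param([Parameter(Mandatory)][string]$Path)
    Get-CertInventory | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-CertInventory {
    param([Parameter(Mandatory)][string]$BaselinePath)
    # Index what is present now by location, store and thumbprint.
    $present = @{}
    foreach ($c in Get-CertInventory) {
        $present["$($c.Location)\$($c.Store)\$($c.Thumbprint)"] = $true
    }
    # Return every baseline entry that no longer exists in the same store.
    Import-Csv -Path $BaselinePath | Where-Object {
        -not $present.ContainsKey("$($_.Location)\$($_.Store)\$($_.Thumbprint)")
    }
}

# Before the upgrade (keep the file somewhere that survives it, e.g. a share):
#   Save-CertInventory -Path 'C:\CertBaseline\before.csv'
# After the upgrade:
#   $missing = Compare-CertInventory -BaselinePath 'C:\CertBaseline\before.csv'
#   $missing | Group-Object Location, Store | Select-Object Name, Count
#   $missing | Where-Object HasPrivateKey -eq 'True' | Format-Table Store, Subject, NotAfter
```

The inventory records identities only, not key material, so it detects loss but cannot restore a certificate; entries with `HasPrivateKey` set are the ones that need re-enrolment or a restore from backup.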
0 Votes
$$ANON_USER$$ answered

We had a case opened at Microsoft for this issue and they confirmed that it has been addressed with the new release of the Feature Update Packages in the SCCM Servicing Node on November 11. I see that the Feature updates in my existing deployment are superseded and new ones are available now.
Now we have deployed the new Feature Update Package to a test device and it did not lose the Certificates after the update. So the issue seems to be fixed for the case of SCCM-Servicing Update.

For all other cases, I cannot tell you if the November Cumulative Update for 1809 has fixed the issue for the case where one deploys an outdated 1909 Image for example with a task sequence to an up-to-date 1809 client.


0 Votes
StefanP2931 answered

I have tested the Feature Upgrade from 1809 to 1909 with new image on two computers for now in our environment.
Both still have their certificates left - seems to be working/fixed.

Will update here, as soon as I got a few more tests done.
