Dear
We're using a mix of Windows 10 Enterprise 2016 LTSB and Windows 10 Enterprise 2019 LTSC clients with the Unified Write Filter enabled.
Users are using these devices in the office and at home. From home they use an SSL VPN to connect to the corporate network. Our VPN-solution does a host check to verify if certain prerequisites are met before it establishes a connection. One of these checks is the availability and validity of a machine certificate stored in the machine's personal store (My). This is also the only store that we need to exclude from UWF. The (AD-issued) certificate is automatically renewed every so often when a user boots the device in the corporate network.
To ensure that the renewal is not lost after a system reboot with the Unified Write Filter enabled, we have implemented the following file and registry UWF-exclusions:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
C:\ProgramData\Microsoft\Crypto
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates
These exclusions were offered to us by Dell Wyse support. Using these exclusions the certificate is successfully remembered after a system reboot, but after a few days the certificate becomes invalid again, and using "certutil -store my" I can see that the certificate has the error "Missing stored keyset".
It seems like I'm missing an exclusion for the private key.
The only way to rectify the issue is to tell the user to come to the office, connect to the corporate network, disable the write filter, remove the certificate, reboot (or gpupdate /force) to get a new certificate, and re-enable the write filter.
Our team does not have access to the VPN-solution and no changes will be implemented to circumvent the certificate check.
I took a look at this very comprehensive explanation on where everything is stored, but I fail to see the problem with my exclusions, aside from the fact that the exclusion "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" is maybe arbitrary, as its parent folder "C:\ProgramData\Microsoft\Crypto" is already excluded.
Does anyone have any idea?
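An added diagnostic, not from the original post or from Dell Wyse support: a PowerShell check that maps each certificate in the machine's personal store to the key container file backing it (throwing the same "keyset does not exist" condition certutil reports as "Missing stored keyset" when the file is gone) and tests whether the UWF file exclusions reported by uwfmgr.exe cover that file. It assumes Windows PowerShell 5.1 on the UWF-enabled Windows 10 client, run elevated, and parses only the path-looking lines of the `uwfmgr file get-exclusions` output so it does not depend on the banner layout.

```powershell
# Added example (not from the original post). Maps machine certificates to their
# key container files and checks those files against current UWF file exclusions.
# Assumes Windows PowerShell 5.1, elevated, on a Windows 10 client with UWF installed.

function Get-MachineCertKeyFile {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $keyFile = $null; $status = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                # Throws "Keyset does not exist" when the certificate still references a
                # key container whose file is missing (certutil: "Missing stored keyset")
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName
                        } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
                # Machine key files: CNG keys under Crypto\Keys, legacy CAPI keys under
                # Crypto\RSA\MachineKeys; both sit below %ProgramData%\Microsoft\Crypto
                $keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$name",
                             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name") |
                           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
                $status = if ($keyFile) { 'ok' } else { 'key file not found' }
            } catch { $status = "key unusable: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                           Status = $status; KeyFile = $keyFile }
    }
}

function Get-UwfFileExclusion {
    # Keep only output lines that look like absolute paths (current and next session),
    # so the parse does not depend on uwfmgr's surrounding banner text
    & uwfmgr.exe file get-exclusions 2>$null |
        ForEach-Object { if ($_ -match '^\s*([A-Za-z]:\\.*\S)\s*$') { $Matches[1] } }
}

function Test-KeyFileExcluded {
    $exclusions = @(Get-UwfFileExclusion)
    foreach ($entry in Get-MachineCertKeyFile) {
        $covered = $false
        if ($entry.KeyFile) {
            # An exclusion covers the key file if it names the file itself or a parent folder
            $covered = [bool]($exclusions | Where-Object {
                $entry.KeyFile -eq $_ -or
                $entry.KeyFile.StartsWith($_.TrimEnd('\') + '\', 'OrdinalIgnoreCase') })
        }
        $entry | Add-Member -NotePropertyName UwfExcluded -NotePropertyValue $covered -PassThru
    }
}

Test-KeyFileExcluded | Format-Table Subject, Status, UwfExcluded, KeyFile -AutoSize
```

Run it once while the certificate still works and again after a reboot; a certificate whose Status changes to "key unusable" while UwfExcluded is false points at a key file outside the excluded paths.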