Question

Huskin1-3610 asked:

Unified Write Filter - Machine certificate exclusions - missing store keyset

Dear

We're using a mix of Windows 10 Enterprise 2016 LTSB and Windows 10 Enterprise 2019 LTSC clients with the Unified Write Filter enabled.

Users are using these devices in the office and at home. From home they use an SSL VPN to connect to the corporate network. Our VPN solution does a host check to verify that certain prerequisites are met before it establishes a connection. One of these checks is the availability and validity of a machine certificate stored in the machine's personal store (My). This is also the only store that we need to exclude from UWF. The (AD-issued) certificate is automatically renewed every so often when a user boots the device in the corporate network.

To ensure that the renewal is not lost after a system reboot with the Unified Write Filter enabled, we have implemented the following file and registry UWF-exclusions:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
C:\ProgramData\Microsoft\Crypto

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates

These exclusions were offered to us by Dell Wyse support. Using these exclusions the certificate is successfully remembered after a system reboot, but after a few days the certificate becomes invalid again, and using "certutil -store my" I can see that the certificate has the error "Missing stored keyset".

It seems like I'm missing an exclusion for the private key.

The only way to rectify the issue is to tell the user to come to the office, connect to the corporate network, disable the write filter, remove the certificate, reboot (or run gpupdate /force) to get a new certificate, and re-enable the write filter.

Our team does not have access to the VPN-solution and no changes will be implemented to circumvent the certificate check.

I took a look at this very comprehensive explanation on where everything is stored but I fail to see the problem with my exclusions aside from the fact that the exclusion "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" is maybe arbitrary as its parent folder "C:\ProgramData\Microsoft\Crypto" is already excluded.


Does anyone have any idea?




The article mentions other registry keys and locations that you have not excluded. Have you added those to see if that resolves the issue?


@Sean-Liming as far as I can tell those are the only exclusions related to the machine personal store.

User store related exclusions are out of scope and they cannot be set dynamically as the use of system environment variables such as %userprofile% or %username% is not supported by UWF. Only absolute paths are.


1 Answer

HannahXiong-MSFT answered:

Hello @Huskin1-3610,

Thank you so much for posting here.

Frankly speaking, I am not a professional with UWF. As suggested, we could try to add the other registry keys and locations mentioned in the article to the UWF exclusions.
Sincerely hope other engineers could share their knowledge or experience here.

As for the issue of "Missing stored keyset", I did some research about this. This can be confirmed by running the following two commands:

certutil -v -store my
certutil -v -verifykeys

As stated, we could see "missing stored keyset" in the outputs.

certutil -v -store my will further tell you whether the CA keys are stored in a software-based CSP/KSP or on an HSM. For software-based keys, you can identify the physical location of the key in the file system (for example, Key Container = te-ae36bd7e-931d-4aae-b4a8-893df16651c1). The key is usually stored in C:\ProgramData\Microsoft\Crypto\Keys.

I am trying my best to get more information for your reference. But it seems that no useful information about our issue could be found.

Your understanding and support are greatly appreciated.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


@HannahXiong-MSFT thank you for your reply.

I will make time tomorrow to perform some tests and will revert back.

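The check the thread circles around, as an added example that is not code from the original posts, from Dell Wyse support or from Microsoft: for every certificate in LocalMachine\My, open its private key through .NET (the same "Missing stored keyset" condition certutil reports surfaces here as a CryptographicException), locate the key file on disk under C:\ProgramData\Microsoft\Crypto (CAPI keys under RSA\MachineKeys, CNG keys under Keys), and test whether that file lies under one of the UWF file exclusions. The exclusion list is the one from the question, embedded as constructed input; the function names, the assumption of an elevated PowerShell 5.1 session with UWF enabled, and the extra check of the LocalSystem DPAPI master-key folder (machine key files are DPAPI-protected with the master keys kept there) are mine, not the thread's.

```powershell
# Added example for this thread, not the original poster's or Microsoft's code.
# Assumes an elevated PowerShell 5.1 session on Windows 10 with UWF enabled.

# Exclusion list from the question, embedded here as constructed input.
# In production read the live list with:  uwfmgr file get-exclusions
$fileExclusions = @(
    'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    'C:\ProgramData\Microsoft\Crypto'
)

# Machine key files under Crypto\RSA\MachineKeys (CAPI) and Crypto\Keys (CNG) are
# DPAPI-protected with the LocalSystem master keys stored in this folder. Checking it
# against the exclusions is an extra check I added; the thread does not mention it.
$dpapiMasterKeys = Join-Path $env:SystemRoot 'System32\Microsoft\Protect\S-1-5-18'

function Test-UwfExcluded {
    # True if $Path equals, or lies below, one of the excluded paths (case-insensitive).
    param([string]$Path, [string[]]$Exclusions)
    $p = $Path.TrimEnd('\')
    foreach ($e in $Exclusions) {
        $x = $e.TrimEnd('\')
        if ($p.Equals($x, [StringComparison]::OrdinalIgnoreCase) -or
            $p.StartsWith("$x\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-MachineKeyFile {
    # Resolves the on-disk key file behind a certificate's private key. If Windows cannot
    # open the keyset (the "Missing stored keyset" case), Error carries the exception text.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $result = [ordered]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
                          KeyName = $null; KeyFile = $null; Error = $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $result.KeyName = $rsa.Key.UniqueName                           # CNG/KSP key file name
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $result.KeyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # CAPI/CSP key file name
        }
    } catch {
        $result.Error = $_.Exception.Message                                # e.g. "Keyset does not exist"
        return [pscustomobject]$result
    }
    if ($result.KeyName) {
        $f = Get-ChildItem -Path 'C:\ProgramData\Microsoft\Crypto' -Recurse -File `
                           -Filter $result.KeyName -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($f) { $result.KeyFile = $f.FullName }
    }
    [pscustomobject]$result
}

# Walk the machine personal store and report each certificate's key file and its UWF coverage.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $info = Get-MachineKeyFile -Cert $_
    if ($info.Error) {
        "$($info.Subject): cannot open private key ($($info.Error))"
    } elseif (-not $info.KeyFile) {
        "$($info.Subject): key $($info.KeyName) not found under C:\ProgramData\Microsoft\Crypto"
    } elseif (-not (Test-UwfExcluded -Path $info.KeyFile -Exclusions $fileExclusions)) {
        "$($info.Subject): key file $($info.KeyFile) is NOT covered by a UWF exclusion"
        "    fix: uwfmgr file add-exclusion `"$(Split-Path $info.KeyFile)`""
    } else {
        "$($info.Subject): key file $($info.KeyFile) is covered"
    }
}

if (-not (Test-UwfExcluded -Path $dpapiMasterKeys -Exclusions $fileExclusions)) {
    "DPAPI master key folder $dpapiMasterKeys is NOT covered by a UWF exclusion"
}
```

Run it once while the device is healthy (right after a renewal in the office) and again on a device that already shows "Missing stored keyset": the first run tells you which file the certificate actually depends on and whether the listed exclusions cover it, the second shows whether the file itself is gone or only the ability to open it. The DPAPI line is a caveat rather than a diagnosis of this thread's problem; it only flags that the master-key folder the key files depend on is not in the exclusion list.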