Brett-5843 asked

Certificates applying to Windows 10 in an "isolated" environment

I have followed the steps for updating trusted root certificates via GPO in an isolated environment from (using the second way with a file share and registry key entries.) I can see the registry entries getting dropped on the Windows 10 client for my RootDirURL as well as new registry keys being created under HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate for DisallowedCertEncodedCtl, DisallowedCertLastSyncTime and PinRulesEncodedCtl and PinRulesLastSyncTime.

This was done in an effort to get the DisallowedCerts working as our network team was blocking access to the autoupdate of these cert lists and this was preventing clients from downloading apps from the Microsoft Store (clients are domain joined, network team blocks Windows update sites). And, this solution works in allowing our clients to install MS Store apps, however, I have a question as to why I do not see any of these new certificates being added to the Certificates folder under Trusted Root Certification Authorities or the Certificates folder under the Untrusted Certificates?

The web article does not read as though it will only be updating the certificate lists with this second method, but maybe that is all adding the RootDirURL registry entry and the "Certutil -syncWithWU -f <fileshare>" files will do. If I execute the first method, which downloads the .sst and executes some PowerShell commands, I see the new certificates in the Certificates MMC. I verified the computer in question can access the file share containing the certificates by manually importing one from the network share I created for this GPO.

Thanks in advance for any feedback.
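As an added diagnostic, not code from the question, the answer, or the Microsoft article being followed: the script below reads the AuthRoot AutoUpdate registry values the question mentions (RootDirURL and the DisallowedCert/PinRules sync state), decodes the last-sync timestamps, checks that the CTL files are reachable on the share, and counts what is actually in the local machine Root, AuthRoot and Disallowed stores. Running it before and after `certutil -syncWithWU` and a policy refresh separates "the CTL sync is working" from "certificates were imported into the store", which is exactly the distinction the question is about. Assumptions, marked in the comments: the timestamps are stored as 8-byte FILETIME blobs, the root CTL uses the value names `LastSyncTime`/`EncodedCtl` alongside the four names the question lists, and the share holds the `authrootstl.cab`, `disallowedcertstl.cab` and `pinrulesstl.cab` files that `certutil -syncWithWU` produces.

```powershell
# Added example: checks AuthRoot AutoUpdate state on a Windows 10 client and
# compares it with the contents of the machine certificate stores.
# Run in an elevated PowerShell session.

$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

function Convert-FileTimeValue {
    # Assumption: *LastSyncTime values are REG_BINARY 8-byte FILETIME (UTC).
    param($Value)
    if ($Value -is [byte[]] -and $Value.Length -ge 8) {
        return [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Value, 0))
    }
    return $Value   # unexpected type: show it raw rather than guess
}

function Get-AuthRootAutoUpdateState {
    $result = [ordered]@{ KeyPresent = (Test-Path $autoUpdateKey) }
    if (-not $result.KeyPresent) { return [pscustomobject]$result }

    $key = Get-ItemProperty -Path $autoUpdateKey
    $result.RootDirURL = $key.RootDirURL        # value name from the GPO/registry method

    # LastSyncTime / EncodedCtl (root CTL) are assumed names; the other four are from the question.
    foreach ($name in 'LastSyncTime', 'DisallowedCertLastSyncTime', 'PinRulesLastSyncTime') {
        $result[$name] = if ($null -ne $key.$name) { Convert-FileTimeValue $key.$name } else { '<absent>' }
    }
    foreach ($name in 'EncodedCtl', 'DisallowedCertEncodedCtl', 'PinRulesEncodedCtl') {
        $blob = $key.$name
        $result["$name.Bytes"] = if ($blob) { $blob.Length } else { 0 }
    }
    [pscustomobject]$result
}

function Test-SyncShare {
    # Verifies the share named in RootDirURL exposes the files certutil -syncWithWU writes.
    param([string]$RootDirURL)
    if (-not $RootDirURL -or $RootDirURL -notmatch '^\\\\') {
        return [pscustomobject]@{ Reachable = $false; Note = 'RootDirURL empty or not a UNC path' }
    }
    $cabs = 'authrootstl.cab', 'disallowedcertstl.cab', 'pinrulesstl.cab'
    [pscustomobject]@{
        Reachable   = (Test-Path $RootDirURL)
        MissingCabs = @($cabs | Where-Object { -not (Test-Path (Join-Path $RootDirURL $_)) })
        CrtFiles    = @(Get-ChildItem -Path $RootDirURL -Filter '*.crt' -ErrorAction SilentlyContinue).Count
    }
}

function Get-StoreSummary {
    # Counts certificates in a machine store; the question expects Root to grow from ~40 to 400+.
    param([string]$StorePath)
    $certs = @(Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Store = $StorePath
        Count = $certs.Count
    }
}

$state = Get-AuthRootAutoUpdateState
$state | Format-List

if ($state.KeyPresent) { Test-SyncShare -RootDirURL $state.RootDirURL | Format-List }

'Cert:\LocalMachine\Root',          # Trusted Root Certification Authorities
'Cert:\LocalMachine\AuthRoot',      # Third-Party Root Certification Authorities
'Cert:\LocalMachine\Disallowed' |   # Untrusted Certificates
    ForEach-Object { Get-StoreSummary -StorePath $_ } | Format-Table -AutoSize

# Interpretation: non-zero *EncodedCtl sizes and recent *LastSyncTime values mean the
# trust lists are being picked up from the share; whether the Root/Disallowed counts
# change is a separate question, and this output lets both be compared before and after.
```

Save the output from a client on which only the registry/share method is applied, then from one where the .sst import from the first method was run as well; the CTL fields should match while the store counts differ, which makes the behaviour the question describes visible rather than inferred.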



1 Answer

LimitlessTechnology-2700 answered

Hi there,

This issue might occur because the website certificate has multiple trusted certification paths on the web server.

If the certificate is a root CA certificate, it is contained in Trusted Root Certification Authorities. If the certificate is an intermediate CA certificate, it is contained in Intermediate Certification Authorities.

The below thread discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

'Certificates' folder missing under 'Personal'

--If the reply is helpful, please Upvote and Accept it as an answer--


Brett-5843 commented:

Thanks, Limitless. I can see why that folder is not being created, as I'm not getting any of the new certificates in my Trusted Root Certificates folder either. I should be going from 40 to over 400 in that folder if the second method from the article was actually importing them. I am just trying to determine why method 1 (imports all of them) and method 2 (imports nothing) do not behave the same way. Method 2 is fixing my issue with downloading apps from the Microsoft Store because it finds the file on my network share that was clearly showing as blocked in Wireshark when attempting to get it from the Internet, but I would like the benefit of having the new Root Certs and Disallowed Certs really being installed on the clients too. I am also going to post in the comments section of the article and see if the author can clear things up for me. I will probably just use both methods to get the best of both worlds (a functioning MS Store and updated certs).
