Windows 10 Root Certificate Update



Microsoft has resolved a known issue leading to missing system and user certificates after updating managed Windows 10 systems using outdated installation media.

Root Certificate updates must be controlled in the enterprise to ensure a proper validation chain is maintained. This setting prevents root certificates from being updated automatically from the Microsoft site.

Turn off Automatic Root Certificates Update. This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a certificate is used when you use a secure website or when you send and receive secure email.

With Windows 10 we will continue to work hard to provide you with safer experiences you expect from Windows, keeping you in control and helping you do great things.

How to determine your digital certificates. If you are unsure of how to determine the root of your digital certificates, I have included some guidance, by browser, below.

As part of a public key infrastructure (PKI) trust management procedure, some administrators may decide to remove trusted root certificates from a Windows-based domain, a Windows-based server, or a Windows-based client. However, the root certificates that are listed in the Necessary and trusted root certificates section in this article are.

To add certificates to the Trusted Root Certification Authorities store for a local computer, from the WinX Menu in Windows 10/8.1, open Run box, type mmc, and hit Enter to open the Microsoft.

The lost Windows 10 certificates issue impacts client (Windows 10 1903 or later) and server (Windows Server 1903 or later) platforms in managed environments.

It occurs on devices upgraded using outdated bundles via update management tools (e.g., Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager), physical media, or ISO images.

Computers updated via Windows Update or Windows Update for Business are not affected as they always receive the latest feature updates.

The certificates related to this issue include:

  • Certificates in user, personal, machine, and Root CA stores
  • Azure Active Directory Domain Join (AADJ) state and scenarios that rely on AADJ
  • Access to EFS encrypted files

Issue resolved, 20H2 refreshed media coming soon

The lost Windows 10 certificates issue is now resolved 'when using the latest feature update bundles that were released November 9, 2020, for Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager' according to Microsoft.

'For information on verifying you're using the latest feature update bundles, see How to address feature update refreshes in your environment.

'If you are using or creating custom media, you will need to include an update released October 13, 2020 or later.'

Refreshed media to address this issue is not yet available for Windows 10 20H2 on the Volume Licensing Service Center (VLSC) and Visual Studio Subscriptions (VSS, formerly MSDN Subscriptions). Microsoft says it will be made available during the following weeks.

Workaround available

Microsoft also provides a workaround for environments where the feature update bundles released earlier this month cannot be immediately deployed.

To do that, you will have to go back to a previous Windows 10 version using the instructions available in the Recovery options support document.

'The uninstall window might be 10 or 30 days depending on the configuration of your environment and the version you’re updating to,' Redmond says.

'You will then need to update to the later version of Windows 10 after the issue is resolved in your environment.'

You can also increase the number of days you can go back to choose a previous system version using the following DISM command (make sure you do this before the default uninstall window lapses):

You can choose any time interval between 2 and 60 days. If the value falls outside this range, the number of days will be automatically set to 10 days.
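
One way to script the window extension described above, as an added PowerShell example that is not the article's or Microsoft's own code. It uses DISM's `/Get-OSUninstallWindow` and `/Set-OSUninstallWindow` options, rejects values outside the 2 to 60 day range before DISM can silently reset them to 10, and reads the value back to confirm it. The `Get-UninstallWindow` helper, the 30-day default and the English "Uninstall Window : <n>" output format it parses are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Save as a .ps1 file and run elevated.
param(
    # Desired rollback window in days. The article gives 2-60 as the accepted
    # range; anything outside it would be reset to 10, so reject it here.
    [ValidateRange(2, 60)]
    [int]$Days = 30   # assumed default for this example
)

# Hypothetical helper: returns the current uninstall window in days.
function Get-UninstallWindow {
    $out = & dism.exe /Online /Get-OSUninstallWindow
    if ($LASTEXITCODE -ne 0) {
        # A failure here usually means there is no previous Windows version
        # left to roll back to, so extending the window would have no effect.
        throw "DISM query failed (exit code $LASTEXITCODE): $($out -join ' ')"
    }
    # Assumption: English DISM output containing "Uninstall Window : <n>".
    foreach ($line in $out) {
        if ($line -match 'Uninstall Window\s*:\s*(\d+)') {
            return [int]$Matches[1]
        }
    }
    throw "Could not find the uninstall window in the DISM output."
}

$before = Get-UninstallWindow
Write-Host "Current uninstall window: $before days"

# Set the new window, then confirm that DISM accepted it.
& dism.exe /Online /Set-OSUninstallWindow "/Value:$Days"
if ($LASTEXITCODE -ne 0) {
    throw "DISM failed to set the uninstall window (exit code $LASTEXITCODE)."
}

$after = Get-UninstallWindow
if ($after -ne $Days) {
    throw "Uninstall window is $after days, expected $Days."
}
Write-Host "Uninstall window is now $after days"
```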
