How does the Windows 10 root certificate update work?

  • Question

  • I am deploying Windows 10 Pro in our company.

    The computers are behind a Firewall.

    Users can access the internet over a proxy (with user / password authentication).

    We have the problem that the Win10 PCs don't get the root certificate updates...

    Do we need to open the firewall? Or would it be enough if we make an exception on the proxy so that users do not need to authenticate for some URLs?

    Which URLs are accessed when Win10 updates the root certificates? I have found "ctldl.windowsupdate.com" but there are different IPs behind it...

    I tried to look at the http://arnavsharma.net/windows-server/updating-ctls-in-disconnected-environments-in-windows post.

    The KB2813430 update is necessary for offline deployment. But KB2813430 is only available for W8, W7 and Vista, not W10!!

    Any solution?

    • Edited by olivierdsm2 Thursday, March 24, 2016 2:32 PM
    Thursday, March 24, 2016 9:47 AM

Answers

  • I found out why the GPO didn't work.

    The Servicedesk didn't move the computer to the correct OU.

    After moving the PC to the OU where it should be, the GPO is applying... So I can confirm that certificates via GPO with a Server 2008 R2 domain are working (as a workaround).

    But it still does not work with the offline deployment. If Microsoft reads this post, it would be nice to know if a patch for Win10 will come.

    Tuesday, March 29, 2016 8:35 AM

All replies

  • Anybody?
    Thursday, March 24, 2016 4:06 PM
  • Hi,

    I saw the link you mentioned in your post. Its method is accurate; even though the clients run Windows 10, it is worth trying.

    However, as you said, KB2813430 is aimed at Windows 7 and 8; we don’t need to install it on Windows 10 clients.

    From our experience, clients access the Windows Update site by using the automatic update mechanism to update this CTL.

    If the computers in your network are configured in a domain environment and they are unable to use the automatic update mechanism or download CTLs, you could implement a GPO in AD DS to configure those computers to obtain the CTL updates from an alternate location.

    Here is a link that explains how to configure trusted roots and disallowed certificates on the server; please have a look.

    https://technet.microsoft.com/en-us/library/dn265983.aspx?f=255&MSPPError=-2147217396

    Besides, for managing trusted root certificates for a domain, there is a guide here.

    https://technet.microsoft.com/en-us/library/cc754841.aspx?f=255&MSPPError=-2147217396#BKMK_managedomain

    Best regards,

    Teemo Tang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, March 25, 2016 7:20 AM
    Moderator
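
A read-only check for the situation discussed in this thread, added here as an example and not code from any poster or from Microsoft: it reports whether root auto-update is disabled by policy, whether a redirect to an alternate location (the `RootDirURL` value) is configured, and whether `authrootstl.cab` can be fetched from that source. The registry paths and the file path under ctldl.windowsupdate.com come from general Windows knowledge rather than from this thread, so treat them as assumptions to verify on your build.

```powershell
# Added example (read-only): where does this machine look for root CTL updates,
# and is that source reachable from the current security context?
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$redirectKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
# Assumed default download location on the host named in the question.
$defaultBase = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-CtlSource([string]$Base) {
    $file = 'authrootstl.cab'   # the trusted-root CTL
    if ($Base -match '^(\\\\|file:)') {
        # UNC or file:// redirect target: check that the file is readable.
        $dir  = if ($Base -like 'file:*') { ([uri]$Base).LocalPath } else { $Base }
        $path = Join-Path $dir $file
        return [pscustomobject]@{ Target = $path
                                  Reachable = (Test-Path -LiteralPath $path)
                                  Detail = 'file share' }
    }
    $url = $Base.TrimEnd('/') + '/' + $file
    try {
        # No proxy credentials are passed, so this shows whether the URL
        # is reachable without authenticating to the proxy.
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Target = $url; Reachable = ($r.StatusCode -eq 200)
                           Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # A 407 in the message means the proxy demanded authentication.
        [pscustomobject]@{ Target = $url; Reachable = $false
                           Detail = $_.Exception.Message }
    }
}

$disabled = Get-RegValue $policyKey 'DisableRootAutoUpdate'
$redirect = Get-RegValue $redirectKey 'RootDirURL'
$result   = Test-CtlSource $(if ($redirect) { $redirect } else { $defaultBase })

[pscustomobject]@{
    AutoUpdateDisabledByPolicy = ($disabled -eq 1)
    RedirectConfigured         = [bool]$redirect
    Source                     = $result.Target
    Reachable                  = $result.Reachable
    Detail                     = $result.Detail
    RunningAs                  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
}
```

The result reflects the account shown in `RunningAs`, so run it in the context whose connectivity you want to verify.
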
  • Thank you for your answer.

    We are in a domain. The Windows 7 clients receive the certificates with the GPO method.

    Our problem is that the GPO is not working on the Windows 10 clients. The domain controllers are Windows 2008 R2 servers. Is it supported? I can't find any statement from Microsoft.

    And I tried the offline certificate deployment but it didn't work. I suppose we need a patch which doesn't exist...

    Monday, March 28, 2016 1:42 PM
  • Hi,

    Very well, I am glad to hear that you have found a workaround. Please deploy CTL updates by your own method in advance.

    About offline deployment, indeed, there are no resources aimed at Windows 10 machines; I will feed this situation back to Microsoft.

    Meanwhile, you could also submit this request through the Windows 10 built-in Windows Feedback app; maybe Microsoft will release a solution for Windows 10 machines in the future.

    Best regards


    Wednesday, March 30, 2016 1:21 AM
    Moderator