Windows 10 Build 1803 unable to request Enterprise CA computer certificates

    General discussion

  • Hi,

    I've also just created a case for this: 118050918152001

    Since the new build (1803) was installed on previous Windows 10 1709 machines, we are unable to request Certificates from our Enterprise Certificate Authority.
    A user on the same system is able to do so, however as the local computer, we cannot request new certificates. The MMC.exe shows no templates available, all are access denied.

    I've cross checked on complete separate fresh installed (from iso) machines, installing a server 2016 domain controller, promoting it to a new forest and domain, installing and creating a CA and joining a Windows 10 build 1709 machine in it. This 1709 machine was correctly able to request a new Machine certificate, no problems.
    Then upgrading the 1709 machine to 1803, I am no longer able to request a new computer certificate. Problem is as described above.
    Also tested to install a fresh copy of windows 10 build 1803 and joining it to the new domain, same issues.

    There are a number of things we have tried, however, no apparent errors in the application or system logs on the client or the CA. No errors/warnings on the CA. Also, no communication between the client and the CA server when the mmc snap-in is determining which templates are available (which is to be expected, because the information is stored in the CertificateTemplateCache key in the registry on the client itself).

    My guess is that there is a bug in the determination on ACLs on the templates and the SID/security identifier of the local system/ad computer account...

    Haven't found anyone posting the same issues, but I think the problem will be widespread and duly noticed as I was able to confirm the issues in a clean testing environment...

    Anyone with any insights?

    -Bart

    Wednesday, May 09, 2018 1:14 PM
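    The opening post suspects the client's evaluation of the template ACLs against the computer account's SID. One check a practitioner will want before chasing the client is what Active Directory actually grants. The script below is an added example, not from the thread: it reads the Enroll / AutoEnroll ACEs on a template object in the Configuration naming context and compares them with this computer account's SID and direct group memberships. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Configuration partition; 'Machine' is the template name behind the default "Computer" template, so set $TemplateName to your duplicated template's name if you use one.

```powershell
# Added example, not from the thread: list the Enroll / AutoEnroll ACEs on a
# certificate template and compare them with the groups this computer belongs to.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$TemplateName = 'Machine'   # template *name* (the default "Computer" template is 'Machine')

# Extended-right GUIDs from the AD schema
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Allow ACEs that grant ExtendedRight (GenericAll includes that bit), either for
# all extended rights (empty ObjectType) or specifically for Enroll / AutoEnroll.
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollAces = (Get-Acl -Path "AD:\$templateDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
    ($_.ObjectType -in @([guid]::Empty, $EnrollRight, $AutoEnrollRight))
}

# SIDs the computer account carries: its own SID, its direct group memberships
# (Get-ADPrincipalGroupMembership does not expand nested groups) and the
# well-known Everyone and Authenticated Users SIDs every domain member has.
$computer     = Get-ADComputer -Identity "$env:COMPUTERNAME$"
$computerSids = @($computer.SID.Value) +
    @(Get-ADPrincipalGroupMembership -Identity $computer | ForEach-Object { $_.SID.Value }) +
    @('S-1-1-0', 'S-1-5-11')

$report = foreach ($ace in $enrollAces) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $ace.IdentityReference.Value }   # unresolvable trustee or already a SID string
    [pscustomobject]@{
        Identity = $ace.IdentityReference.Value
        Right    = switch ($ace.ObjectType) {
                       $EnrollRight     { 'Enroll' }
                       $AutoEnrollRight { 'AutoEnroll' }
                       default          { 'All extended rights' }
                   }
        AppliesToThisComputer = $sid -in $computerSids
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object AppliesToThisComputer) {
    "AD grants Enroll on '$TemplateName' to this computer account (directly or via a direct group)."
} else {
    "No Enroll ACE on '$TemplateName' matches this computer's SID or direct groups."
}
```

    If this reports a matching Enroll ACE while the local-computer MMC snap-in still shows every template as access denied, the directory side is not the problem, which is the situation the thread describes; a template denied here is an ordinary permissions issue, not the 1803 behaviour.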

All replies

  • We have the exact same issue. We have an older CA, so it's interesting that even a Server 2016 CA did not make any difference.

    -ji

    Wednesday, May 09, 2018 1:32 PM
  • We are in the same boat. The problem just arose and we haven't had time to investigate it. We saw some freaking errors in the event log related to DCOM and Windows.SecurityCenter.WscBrokerManager - but I'm not sure whether it is related or not.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help.

    Wednesday, May 09, 2018 2:09 PM
  • We've looked into the DCOM errors as well. Resolved them but to no avail..


    Just to clarify, the mmc shows no templates available, when you tick the box for "Show all templates", you see that "You cannot request a certificate at this time because no certificate types are available" and all templates have the error: "You do not have permission to request this type of certificate".

    Already looked into by two engineers from Microsoft, tried various security settings, even giving everyone full control on the CA and the templates, but it still doesn't work as it did previously... (and should).

    • Edited by BartvdO Thursday, May 10, 2018 9:08 PM extra info
    Wednesday, May 09, 2018 2:20 PM
  • Thanks for the heads-up! Another observation is that user certificates can successfully be requested, the culprit is computer certificates.

    Hope to see some development in this case, as it is a bit of a pain for us not being able to get the computer certificates...

    Friday, May 11, 2018 6:55 AM
  • Yes, we saw that as well, to me that indicates that the underlying code for requesting certificates and communication to the CA is ok, just that it has something to do with the computer-credentials or the way they are used in determining the ACLs on the templates...

    It has gone very quiet since yesterday from MS support. So.... I'm guessing they reproduced the problem (very easy in my view) and are hard at work on a fix atm, very curious!

    Friday, May 11, 2018 11:30 PM
  • We have the same issue. Getting the certificate from GPO works fine. But using certreq.exe fails with 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE), and MMC shows no templates. Our CA is Windows Server 2016.
    • Edited by mdahling Saturday, May 12, 2018 10:24 AM
    Saturday, May 12, 2018 10:23 AM
  • Same issue. As a temporary workaround we were able to export the certs from 1709 build and import into 1803

    It's a pain, but better this than nothing.

    Monday, May 14, 2018 3:41 PM
  • I've also started implementing a workaround, as MS Support is really letting me down at the moment. They aren't responding to my inquiries on the lab testing or the current state of the case. All they did was ask if I installed all updates on the systems.... and no answers!

    So, I've made a copy of the Computer/Machine template and modified it in such a way that we are able to supply the subject name in the request. Made one machine able to request these certificates and of course added admin approval. Now I can create a computer certificate by requesting one from the new Template and filling in the custom CN and subject alt name (don't forget the alt name, else it won't work!), also don't forget to tick the "Make private key exportable" option!
    Export the cert+key and import it on the pc that needs the computer cert. Voila... works for now...

    This is actually a relatively quick and easy fix, although I will admit, not so pretty. If you want to use this workaround too, please be aware of the security implications and be vigilant on the security settings and admin approval of this new template..

    Hope this helps!


    • Edited by BartvdO Tuesday, May 15, 2018 11:00 AM typo
    Tuesday, May 15, 2018 10:59 AM
  • We're having the same issue. Since 1803 we can't access the template at all, even with full permissions for both the requesting user and the machine. 
    Wednesday, May 16, 2018 8:25 AM
  • Have you tried using a GPO to enroll computer certificates? That works for us with 1803. Only certreq.exe and mmc fail.
    Wednesday, May 16, 2018 10:16 AM
  • Basically - Windows 10 1803 is broken regarding this issue. Like a thousand issues before. I see that there are some workarounds available. It's depressing how many bugs are included in every feature update. I'm very disappointed. Starting from Windows 10, our IT dept. is overloaded finding bugs, fixing bugs, finding workarounds and so on. MS is claiming that Windows 10 is the best OS ever.. from my point of view it's the worst ever.
    Sorry, this post won't help anybody, I just had to write it...

    Thursday, May 17, 2018 7:58 AM
  • Thanks M$! Great service! It seems you don't have any test departments at all.
    Thursday, May 17, 2018 8:50 AM
  • The only one way to get the Computer certificate is to use another computer with non-1803 Windows 10 (better Windows Server), export and import on destination Computer.

    You have to change the Computer Template:

    • Edited by Anahaym Friday, May 18, 2018 11:59 AM
    Friday, May 18, 2018 9:47 AM
  • We use GPO to enroll the WiFi certificates and this is broken as well.

    However, for some strange reason, if I log in with a user, then restart the PC, it gets the certificate. If I just restart without having logged in first, nothing happens.

    I haven't been able to figure out why it is so, since it is a Computer Policy and the User part in it is disabled.

    But the fact remains, when a user profile is created it will work the next time policies are run (restart or gpupdate /force). With no login you can restart the PC 10 times and it still won't work.

    Hope this helps someone with more knowledge than I have.

    Tuesday, May 22, 2018 7:48 AM
  • Case Update:

    Microsoft contacted me yesterday, explaining it is indeed a bug and other customers are also affected.
    They also identified a workaround: Enabling Credential Guard on the Windows 10 1803 box...
    Now that may sound like something you might already want and use, but the implications are not for the ill prepared... It has quite some hardware and software prerequisites to be able to activate it... And this has to be done on every system that experiences this problem.

    I've tested on one system with Credential Guard and can confirm it indeed resolves the issue for that one system.. however I do believe that my workaround with the custom computer cert template in my previous reply is an easier one from the admin point of view...
    I've also replied that to the support tech on this case, hopefully other customers can also benefit from this workaround...

    All we can now do is hope that they find the problem and quickly release a fix for it.. I've asked to be able to beta-test the fix... Let's see what comes up....

    Tuesday, May 22, 2018 10:51 AM
  • Great news, hope they get around to release the fix soon :)
    Wednesday, May 23, 2018 7:03 AM
  • We experience the same issue. We have 802.1x enabled to connect to LAN and WLAN. Every release a new present. Definitely a showstopper for us. WaaS could be Windows as a Surprise!
    Wednesday, May 23, 2018 10:05 AM
  • Case Update:


    All we can now do is hope that they find the problem and quickly release a fix for it.. I've asked to be able to beta-test the fix... Let's see what comes up....

    Well, MS support closed the ticket. They cannot do anything more at this time. They say it is a known issue, they won't even go so far as calling it a bug any longer.

    To quote: "Currently the issue is understood and a request to the windows servicing division has been sent.
    This is a complex issue and this may take some time to process
    "

    So, no KB, no hotfix, nothing... Only two solutions I know of, or rather, work arounds, are the custom template or enabling Credential Guard...

    Hopefully they won't introduce this nice 'feature' in Windows Server 2016 soon... That would certainly stir things up....

    I'll keep a look out on the progress as far as I can.. Don't expect anything from MS support at this point...

    Thursday, May 24, 2018 8:11 AM
  • The workaround from MS works for us. During imaging of computers, we enable Virtualization Technology (VTx) in the BIOS, and activate Credential Guard in the registry by setting:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LsaCfgFlags"=dword:00000002

    Now we can request certificates with certreq.exe and with MMC, so imaging over Wi-Fi with 802.1X works!!!

    Friday, May 25, 2018 9:00 AM
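    Setting LsaCfgFlags only asks for Credential Guard; whether it is actually running after the reboot depends on the firmware settings and the Windows edition, which is where several later replies in this thread get stuck. The script below is an added example, not from the thread: it applies the same registry value the reply describes and then reports, from the Win32_DeviceGuard WMI class and the presence of the isolated LSA process, whether Credential Guard is configured versus running. It assumes an edition that supports Credential Guard and virtualization extensions enabled in firmware, as the reply states.

```powershell
# Added example, not from the thread: apply the LsaCfgFlags value the reply above
# uses, then check (after a reboot) whether Credential Guard is actually running
# rather than merely configured.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuardRegistry {
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # The reply uses 2, which can later be reverted by setting the value back to 0.
    Set-ItemProperty -Path $LsaPath -Name 'LsaCfgFlags' -Value 2 -Type DWord
    (Get-ItemProperty -Path $LsaPath -Name 'LsaCfgFlags').LsaCfgFlags
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports VBS state. In the SecurityServices* arrays,
    # service id 1 is Credential Guard and 2 is HVCI. "Configured" only means
    # the policy is set; "Running" is what the workaround in this thread needs.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        LsaCfgFlags                 = (Get-ItemProperty -Path $LsaPath -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags
        VirtualizationBasedSecurity = $vbs
        CredentialGuardConfigured   = [int]1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning      = [int]1 -in $dg.SecurityServicesRunning
        # When Credential Guard is running, the isolated LSA process LsaIso.exe exists
        LsaIsoProcessPresent        = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

# Typical use: run once as administrator, reboot, then run Get-CredentialGuardStatus again.
Enable-CredentialGuardRegistry
Get-CredentialGuardStatus
```

    If the status shows CredentialGuardConfigured as True but CredentialGuardRunning as False after the reboot, the registry part worked and the missing piece is the platform (virtualization extensions, edition), which is the case several later posts in this thread describe.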
  • Unfortunately, this workaround only works with Win10 Enterprise, but Win 10 Pro does not have Credential Guard!
    Are there any other suggestions?
    Tuesday, May 29, 2018 6:56 AM
  • Indeed that is not available... The only workaround I can think of is the custom CA template. It's a bit more work to set it up and it's (a lot) harder to automate... But it works for all editions of Windows 10...
    Tuesday, May 29, 2018 9:45 AM
  • Hi! I tried this same fix, but the resulting certificates seem to be issued by the supplied CN... same as a self-signed certificate...

    Any clue as to what I might be doing wrong?

    Tuesday, May 29, 2018 1:32 PM
  • Seeing the same issue. Build and capture with SCCM and image. Newly imaged machine will not get config manager cert or wifi cert both through auto-enroll.

    It looked like the fix was to delete HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache and run "certutil -pulse", but that is not working in a task sequence when run as SYSTEM. If I Enter-PSSession to that machine and run it, it will pick up certs.

    Just adding my observations.

    Wednesday, May 30, 2018 3:46 PM
  • I'd like to echo this request, as this is now an issue for our company and all future 1803 rollouts...
    Wednesday, June 06, 2018 8:30 PM
  • We are in the middle of the 1803 rollout and noticed the same thing as well… *sigh*

    Implemented a quick and dirty fix to run certutil -pulse as a startup script.

    Restarted a few classrooms and can confirm that the clients got their certificates during reboot, and started working.



    • Edited by Node M Wednesday, June 27, 2018 8:38 AM typo
    Thursday, June 07, 2018 8:11 AM
  • I used certutil -pulse and it solved my problem.

    So here is my step list

    Generate a request with the following command:

    • certreq -new [RequestInfFile] [RequestFile]

    Send the request to the certificate authority:

    • certreq -config [CAName] -submit [RequestFile] [CertificateFile]

    Get the root certificate from AD:

    • certutil -pulse

    Import the certificate:

    • certreq -machine -accept [CertificateFile]

    • Edited by CNESST_PhilNic Monday, June 11, 2018 3:34 PM Added Step List
    Monday, June 11, 2018 3:06 PM
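    The step list above and the custom-template workaround earlier in the thread (a duplicated computer template that takes its subject from the request) fit together as one script. The following is an added example, not from the thread: it writes a certreq INF that supplies the subject and DNS SAN itself, runs the four certreq/certutil steps, and verifies the result in the machine store. The template name 'ComputerManualSubject' and the CA config string 'ca01.corp.example\Corp-Issuing-CA' are placeholders; adjust both. Because the request is generated on the machine that will use the certificate, the key is created in the machine store and marked non-exportable, which avoids the export/import handling of the manual workaround.

```powershell
# Added example, not from the thread: the certreq/certutil step list as a script.
# Placeholders: template 'ComputerManualSubject', CA config 'ca01.corp.example\Corp-Issuing-CA'.
# Run in an elevated prompt.
$Template = 'ComputerManualSubject'
$CAConfig = 'ca01.corp.example\Corp-Issuing-CA'
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$WorkDir  = Join-Path $env:ProgramData 'CertRequest'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'

# Machine key in the machine store, not exportable: the private key never leaves this host.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Step 1: generate the private key and the CSR
& certreq.exe -new -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Step 2: submit to the CA. With manager approval on the template the request
# stays pending: note the RequestId certreq prints and fetch it later with
#   certreq -retrieve -config $CAConfig <RequestId> $cerPath
& certreq.exe -submit -q -config $CAConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { Write-Warning 'No certificate returned (pending approval or rejected).'; return }

# Step 3: trigger autoenrollment so the CA chain from AD is present locally
& certutil.exe -pulse | Out-Null

# Step 4: install the certificate and bind it to the machine key from step 1
& certreq.exe -accept -machine $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Verify: the certificate should now be in LocalMachine\My with its private key
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$installed = Get-ChildItem "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction SilentlyContinue
if ($installed -and $installed.HasPrivateKey) {
    "Installed $($installed.Subject) ($($installed.Thumbprint)), expires $($installed.NotAfter)"
} else {
    Write-Warning 'Certificate not found in the machine store or private key missing.'
}
```

    A template that accepts the subject from the request lets any principal with Enroll on it request a certificate for any name, so keeping manager approval on that template, as the earlier reply insists, is what stops it being abused; the verification step at the end is also what tells you the issued certificate chains to the enterprise CA rather than looking self-issued, the symptom one reply reports.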
  • I used certutil -pulse and it solved my problem as well.

    Just did a script that runs the command + a restart when I start installing programs in the reinstall sequence.

    Works like a charm, ty. :)

    Monday, June 18, 2018 1:15 PM
  • The only one way to get the Computer certificate is to use another computer with non-1803 Windows 10 (better Windows Server), export and import on destination Computer.

    You have to change the Computer Template:

    I was able to solve this as well for my environment. It is a tiny one, however, so not a lot of work, just 8 servers and 5 clients.  I first made a copy of the Computer Template on the CA and set the Subject Name tab to be provided during the request and marked the key to be exportable. I then re-issued the template to my CA and restarted the CA Service.

    Then I submitted a new request from a pre 1803 server and selected the custom template. Filled in the details for the certificate subject and enrolled. The certificate can then be exported, including the private key and then be imported on the target machine. 

    This seems to work, the only issue I am left with is that the requests to the CA are not recognizable as such in the Issued Certificate view. That is a nuisance. 

    Will this bug need to be fixed in the CA Service or client OS? Can it be fixed at all???

    Regards, Solino


    Tuesday, June 19, 2018 1:35 PM
  • Hey InspectorDK,

     Curious as to where in the task sequence you have implemented this step. Prior to, or after "Setup Windows and Configuration Manager"?

    I was under the impression that group policies were not applied during task sequence processing, therefore the client would not be aware of enrollment policies. So not understanding how pulse would take effect under that circumstance, as those policies as well appear to be a requirement of using the pulse switch with certutil.

    Thanks,
     BT

    Tuesday, June 19, 2018 4:07 PM
  • We are in the middle of the 1803 rollout and noticed the same thing as well… *sigh*

    Implemented a quick and dirty fix to run certutil -pulse as a startup script.

    Restarted a few classrooms and can confirm that the clients got their certificates during reboot, and started working.


    Would you mind detailing how you are accomplishing this? I am in the same boat trying to image labs of computers at a time. Need to somehow get certutil -pulse to run on machines after final reboot of task sequence. Thanks for any help.
    Tuesday, June 19, 2018 4:21 PM
  • SirKoon- Look into the SMSTSPostAction variable as one way to run commands post task sequence (a Google search on "SMSTSPostAction gpupdate" should return some useful information). You can assign that variable cmd commands and when the task sequence has released, it will run them. This is a way you can run gpupdate post imaging and it may help with this scenario also.

    This may be working for us.  4 out of 4 computers I just imaged with the fix below could connect to wireless on the login screen (prior to this those 4 out of 4 computers could never connect at the login screen).  Testing more now, but appears to be a workaround.

    1) Delete this key somewhere in the task sequence (don't know for sure if this is needed, but I have added this for now based on someone's suggestion above): HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    2) Add a "Set Task Sequence Variable" task where Task Sequence Variable = SMSTSPostAction and Value = cmd /c gpupdate /force && certutil -pulse && shutdown /r /f /t 5

    After the task sequence finishes, you will be at the login screen for a little bit while GPUpdate runs then certutil -pulse will go fast then restart in 5 seconds.  I think the restart time could be 0.  I just currently have it set for 5 seconds.  Setting SMSTSPostAction could be set anywhere in the task sequence.  I am setting it as the last task.


    • Edited by MelanieQu Saturday, July 21, 2018 2:16 PM Removing last Restart Computer task caused SMSTSPostAction not to run for me so removed text that said I was doing that.
    Thursday, June 21, 2018 4:05 PM
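    The SMSTSPostAction command line above restarts unconditionally, so a machine that did not enroll reboots into the same state with nothing recorded. The script below is an added example, not from the thread: the same gpupdate / certutil -pulse / restart sequence, but it checks that a machine certificate from the expected template is actually in the machine store before restarting and writes each attempt to the Application event log. Assumptions: it runs as SYSTEM (for instance via SMSTSPostAction set to `powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Invoke-PostImageEnroll.ps1`, a placeholder path), $ExpectedTemplate is the template name as it appears in the certificate's Certificate Template extension (certutil -dump on an issued certificate shows it; 'Machine' here is a placeholder), and 'CertEnrollCheck' is an event source the script creates.

```powershell
# Added example, not from the thread: run gpupdate and certutil -pulse, verify the
# machine certificate arrived, log the outcome, and only then restart.
$ExpectedTemplate = 'Machine'          # placeholder: template name shown in the cert's template extension
$LogSource        = 'CertEnrollCheck'  # event source created below
$MaxAttempts      = 3

function Get-CertTemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # v2+ Certificate Template Information; formatted text starts "Template=<name or OID>("
                if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
            '1.3.6.1.4.1.311.20.2' {
                # v1 Certificate Template Name: DER BMPString, tag 0x1E, short length, UTF-16BE text
                $raw = $ext.RawData
                if ($raw[0] -eq 0x1E -and $raw[1] -lt 0x80) {
                    return [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
                }
            }
        }
    }
    return $null
}

function Test-MachineCertPresent([string]$TemplateName) {
    $now  = Get-Date
    $hits = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        (Get-CertTemplateName $_) -eq $TemplateName
    }
    return [bool]$hits
}

function Write-CheckLog([string]$Message, [string]$Type = 'Information') {
    New-EventLog -LogName Application -Source $LogSource -ErrorAction SilentlyContinue
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId 1000 -Message $Message
}

$enrolled = $false
for ($i = 1; $i -le $MaxAttempts -and -not $enrolled; $i++) {
    & gpupdate.exe /force | Out-Null   # make sure the autoenrollment policy has been applied
    & certutil.exe -pulse | Out-Null   # trigger an autoenrollment pass now
    Start-Sleep -Seconds 30            # autoenrollment runs asynchronously after -pulse
    $enrolled = Test-MachineCertPresent -TemplateName $ExpectedTemplate
    Write-CheckLog "Attempt $i of $MaxAttempts - certificate from template '$ExpectedTemplate' present: $enrolled"
}

if ($enrolled) {
    Write-CheckLog 'Machine certificate enrolled; restarting so 802.1X can use it.'
    Restart-Computer -Force
} else {
    Write-CheckLog "No machine certificate after $MaxAttempts attempts; not restarting." 'Error'
}
```

    The event log entries are the part worth keeping: when a lab of machines is imaged, filtering the Application log for the CertEnrollCheck source shows which ones never enrolled, instead of finding out at the logon screen when 802.1X fails.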
  • SirKoon- Look into the SMSTSPostAction variable as one way to run commands post task sequence (a Google search on "SMSTSPostAction gpupdate" should return some useful information). You can assign that variable cmd commands and when the task sequence has released, it will run them. This is a way you can run gpupdate post imaging and it may help with this scenario also.

    This may be working for us.  4 out of 4 computers I just imaged with the fix below could connect to wireless on the login screen (prior to this those 4 out of 4 computers could never connect at the login screen).  Testing more now, but appears to be a workaround.

    1) Delete this key somewhere in the task sequence (don't know for sure if this is needed, but I have added this for now based on someone's suggestion above): HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    2) Add a "Set Task Sequence Variable" task where Task Sequence Variable = SMSTSPostAction and Value = cmd /c gpupdate /force && certutil -pulse && shutdown /r /f /t 5

    After the task sequence finishes, you will be at the login screen for a little bit while GPUpdate runs then certutil -pulse will go fast then restart in 5 seconds.  I think the restart time could be 0.  I just currently have it set for 5 seconds.  Setting SMSTSPostAction could be set anywhere in the task sequence.  I am setting it as the last task and removing the normal Restart Computer last task.

    Thank you very much for chiming in, that seems to be working after my first test! I was already initiating a reboot with the SMSTSPostaction to get gpupdate to run; wasn't aware you could run multiple commands. FWIW, I did not need to delete the reg key.

    Cheers!

    Thursday, June 21, 2018 9:57 PM
  • MelanieQu,

    Since I only had ONE computer that had updated to 1803 (bypassing my WSUS and all other GPOs, go figure), I tried just the command cmd /c gpupdate /force && certutil -pulse && shutdown on admin CMD and it worked a charm.

    THANKS! 


    • Edited by HammSilv Wednesday, June 27, 2018 7:31 PM
    Wednesday, June 27, 2018 7:30 PM
  • Melanie,
     This worked great, thanks for the detailed fix. I too avoided the registry change and all is well.
    Thursday, June 28, 2018 5:15 PM
  • Hi, but this mean it only works on Windows 10 Enterprise?

    What is with Windows 10 Pro?

    Thanks

    Friday, June 29, 2018 10:49 AM
  • UPDATED: If you have this issue, please make a support case to Microsoft, so that they know how many customers are affected with this issue. Thanks.

    I had same issue with 1803, for me the LSA registry didn't help.

    The only thing that helped is enabling the Hyper-V Hypervisor and restarting. After that I can see those machine certificate templates.


    Regards,

    Zeng Yinghua (Sandy) (Blog, Twitter)

    Please remember to mark the replies as answers if they help.


    Thursday, July 12, 2018 2:57 PM
  • Perfect!  It works pretty well!
    Many thanks Sandy.

    Monday, July 16, 2018 6:33 PM
  • Hi Sandy,

    You are right! It's especially needed for older Windows 10 versions.

    Official documentation tells us to enable Virtualization Based Security (VBS) for Credential Guard, which relies on Hyper-V Hypervisor.

    Additional information:

    Since Windows version 1607 this is not necessary anymore.

    Add the virtualization-based security features

    Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.

    https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-the-registry

    best,
    Oliver

    Thursday, July 19, 2018 6:54 AM
  • SMSTSPostAction variable set to do a gpupdate, certutil and restart continues to be a workaround for us for thousands of computers being imaged.  One note though is that above I said that I removed the Restart Computer task that is normally the last task in an OSD task sequence since a restart was happening with the PostAction.  However, if I removed that last restart task, the PostAction would never run in my scenario.  I ended up keeping the last Restart Computer task and then another restart happens as part of the PostAction. I don't know if the PostAction not getting called without the last Restart Computer task is something specific to my task sequence, but I thought I would mention to make sure the PostAction commands are actually happening if you try this as a fix and it doesn't work.

    Saturday, July 21, 2018 2:06 PM
  • We have had a similar issue with WiFi, for which we use a machine certificate to grant access.  On a 1803 build, this process does not seem to work the same way as it did in 1709.  We have also seen the same issue in 1709, which can be resolved by GPUpdate /force and a reboot.  On 1803, that does not seem to resolve it during the build process.  If a user logs on right after the build on the wired network, then a certificate is deployed.  With 1803, the option presented in this thread to use CertUtil -pulse seems to have resolved the issue for us.

    It does need the GPUpdate /force as part of the sequence but that is always happening within the build process.  The addition of the CertUtil -pulse has added the success to the build process.

    Thanks to all who have contributed here.

    Cheers.

    Tuesday, July 24, 2018 7:27 PM
  • Sadly, this issue isn't just Win10 1803. I am trying to build out an 1803 based 2016 core server for a project and I require a certificate. I have created a new template and it requires the Subject name to be supplied by the requester (since it will be the external DNS name instead of the internal name the certificate is for). When I try to run the following command:

    Get-Certificate -Template VPNServers -SubjectName "CN=someprocess1.somedomain.com" -DnsName someprocess1.somedomain.com,someprocess.somedomain.com -CertStoreLocation Cert:\LocalMachine\My

    I get the following error:

    Get-Certificate : CertEnroll::CX509Enrollment::Enroll: You do not have permission to request this type of certificate.: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED)

    I can't enable Hyper-V because this is a VM running on Hyper-V. I attempted to delete the registry key, gpupdate /force && certutil -pulse && shutdown /r /t 5 and even tried enabling Credential Guard per the article linked above. None of these are working for me. I am probably going to either dupe the template and make the private key exportable and use that workaround to get the certificate on my server or fall back from 1803 for now.

    Mind you, all of this is being done from command line/PowerShell or using Windows Admin Center (Honolulu) in the case of the registry keys. WAC for Certificates is not helpful because it is greyed out to request (though it would have probably failed anyway). 

    I hope MS gets a patch for this issue out soon. 

    Charles

    Thursday, August 02, 2018 1:40 PM
  • After you enable nested virtualization you can install Hyper-V feature in VM. ;)

    Through the lilac smoke...

    Friday, August 03, 2018 10:49 AM
  • We have this same issue as well. Unfortunately the workaround does not work for us. We are attempting to get this to work on a newly deployed Windows 10 Pro x64 build 1803 image. Does this workaround not work on the Professional version of Windows? Does anyone have any other workarounds to suggest for Windows 10 Pro? Thanks in advance.

    • Edited by 64bitfury Monday, August 13, 2018 6:26 PM
    Friday, August 10, 2018 6:22 PM
  • Well, Microsoft contacted me a few weeks ago and said that they were working on a fix.. without an ETA on when it would be available. The support rep also told me that more and more customers are running into this issue, though we weren't the first one to raise their awareness about it...

    Last week I was contacted again. I was on a holiday at the time, but they said there is a private fix available for testing. I just got back from my holiday and said I am eager to test it!

    Let's see how this goes, I'll update asap...


    • Edited by BartvdO Tuesday, August 14, 2018 11:56 AM
    Tuesday, August 14, 2018 11:55 AM
  • Do you already know if the update worked?

    Developer Paulo Pedro

    Thursday, August 16, 2018 11:37 AM
  • This is how I got it working on Lenovo, HP and DELL laptops:

    1) Start the computer, boot to the BIOS and enable Intel VTx technology (all options)

    2) Install Win 10 1803

    3) Install this registry fix:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LsaCfgFlagsDefault"=dword:00000000
    "LsaCfgFlags"=dword:00000002


    4) Add the certificate through MMC, but be aware that you cannot yet connect your PC to your secure network

    5) Restart the computer and enter the BIOS

    6) Disable Intel VTx technology (all options)

    7) Restart the computer

    8) Login and connect to your secure network

    Regards

    Søren

    Thursday, August 16, 2018 12:55 PM
  • Well, Microsoft contacted me a few weeks ago and said that they were working on a fix.. without an ETA on when it would be available. The support rep also told me that more and more customers are running into this issue, though we weren't the first one to raise their awareness about it...

    Last week  I was contacted again. I was on a holiday at the time, but they said there is a private fix available for testing. I just got back from my holiday and said I am eager to test it!

    Let's see how this goes, I'll update asap...


    Please let us know. I'm eager to get this working.
    Thursday, August 16, 2018 2:52 PM
  • I installed this update KB4343909 and it looks like the issue is fixed.
    Thursday, August 16, 2018 7:21 PM