Windows 10 Root Certificate Update

Posted By admin On 23/08/21

Symptoms

You experience connectivity issues on a Microsoft Endpoint Configuration Manager service connection point role. When these issues occur, you experience either of the following symptoms:

  • During uploads or syncs to Configuration Manager cloud services, you receive the following status message IDs that indicate a communications failure:

    • 9605: DMP_UPLOADER_UPLOAD_FAILED
    • 9607: DMP_UPLOADER_UPLOAD_EXCEPTION
  • The following error entry is logged in the Configuration Manager logs:

    • Failed to check and load service signing certificate. System.ArgumentException: Fail to build chain
Automatic root certificate updates

Root certificate updates must be controlled in the enterprise to ensure a proper validation chain is maintained. The "Turn off Automatic Root Certificates Update" Group Policy setting prevents root certificates from being updated automatically from the Microsoft site; when it is enabled, the roots described below have to be distributed by other means.

Cause

This issue can occur if any of the following conditions are true:

  • The automatic root certificate mechanism is disabled.
  • The DigiCert Global Root G2 root certificate isn’t installed.
  • The intermediate certificates aren’t installed in the Intermediate Certification Authorities store.
  • Your environment allows outbound calls to only specific Certificate Revocation List (CRL) downloads or Online Certificate Status Protocol (OCSP) verification locations.
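The first three conditions can be checked directly on the service connection point server. The following PowerShell script is an added example, not part of the original article or of Configuration Manager; it assumes the standard `Cert:` drive and that the Group Policy setting is backed by the `DisableRootAutoUpdate` value under the `AuthRoot` policy key (an assumption to verify against your own GPO). Run it in an elevated session.

```powershell
# Added example (not from the original article): report on the first three
# causes listed above. Assumes a Windows host with the Cert: provider.

$report = [ordered]@{}

# Cause 1: automatic root update turned off by policy. The "Turn off Automatic
# Root Certificates Update" GPO is assumed to write DisableRootAutoUpdate=1 here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
    -ErrorAction SilentlyContinue).DisableRootAutoUpdate
$report['AutoRootUpdateDisabledByPolicy'] = ($disabled -eq 1)

# Cause 2: DigiCert Global Root G2 absent from Trusted Root Certification
# Authorities (LocalMachine\Root). Match on the subject CN, then surface the
# thumbprint so it can be compared with the value DigiCert publishes.
$g2 = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=DigiCert Global Root G2*' }
$report['DigiCertGlobalRootG2Installed'] = [bool]$g2
if ($g2) { $report['DigiCertGlobalRootG2Thumbprint'] = $g2.Thumbprint }

# Cause 3: intermediates absent from Intermediate Certification Authorities
# (LocalMachine\CA). An empty list means chain building for certificates that
# rely on those intermediates will fail on this host.
$intermediates = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Issuer -like '*CN=DigiCert Global Root G2*' }
$report['IntermediatesIssuedByG2'] = @($intermediates | ForEach-Object { $_.Subject })

[pscustomobject]$report | Format-List
```

A `True` for `AutoRootUpdateDisabledByPolicy` together with `False` for `DigiCertGlobalRootG2Installed` is the combination the article describes; the fourth cause (blocked CRL/OCSP endpoints) is a network check and is not covered by this script.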

Resolution

Install the latest root certificates. The root certificates may not automatically install if you’re running a disconnected environment, or if the necessary internet endpoints are blocked.

Disconnected environments

Update trusted root certificates and disallowed Certificate Trust Lists (CTLs) within disconnected environments.

Within disconnected environments, administrators must set up either a file share or a web server to host the files internally. Group Policy settings are also updated so that the clients and servers use the internal file share or web server instead of the internet location.

Systems that are running within disconnected environments have to have the new roots added to the Trusted Root Certification Authorities store, and have the intermediates added to the Intermediate Certification Authorities store.

You can consider your environment to be disconnected if either of the following conditions is true:

  • Direct access to Windows Update is blocked.
  • The auto update mechanism for both trusted and untrusted CTLs is disabled.

For information about how to facilitate the distribution of trusted or untrusted certificates for disconnected environments, see Configure Trusted Roots and Disallowed Certificates.
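The procedure above (stage the files on a share from a connected machine, then point the disconnected systems at that share and load the roots and intermediates into the right stores) can be scripted. The following PowerShell is an added example, not taken from the article or from the "Configure Trusted Roots and Disallowed Certificates" document; the share path is a placeholder, `certutil -syncWithWU` and `-generateSSTFromWU` are the built-in certutil verbs that download the root and CTL files from Windows Update, and the `RootDirUrl` registry value is the setting the Group Policy writes (all assumed to be as documented for your Windows version).

```powershell
# Added example (not from the original article). Three steps of the
# disconnected-environment procedure, as functions. Placeholder share path:
# \\fileserver\rootupdate. Run as an administrator.

function Publish-RootUpdateFiles {
    param([Parameter(Mandatory)][string]$SharePath)
    # On a machine that can reach Windows Update: download the authroot and
    # disallowed CTLs plus the root .crt files into the share.
    & certutil.exe -syncWithWU $SharePath
    if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed: $LASTEXITCODE" }
    # Also write a single SST for hosts that cannot use the share directly.
    & certutil.exe -generateSSTFromWU (Join-Path $SharePath 'roots.sst')
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed: $LASTEXITCODE" }
}

function Set-InternalRootUpdateSource {
    param([Parameter(Mandatory)][string]$SharePath)
    # On the disconnected server: redirect the auto update client from the
    # Windows Update URL to the internal share. Group Policy sets this same
    # value; prefer the GPO in production so it is not overwritten.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name RootDirUrl -Value "file://$SharePath" -Type String
}

function Import-RootsFromSst {
    param([Parameter(Mandatory)][string]$SstPath)
    # Load the SST and sort its contents: self-signed entries go to Trusted
    # Root Certification Authorities, everything else to Intermediate CAs.
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($SstPath)
    $rootStore = Get-Item Cert:\LocalMachine\Root
    $caStore   = Get-Item Cert:\LocalMachine\CA
    $rootStore.Open('ReadWrite'); $caStore.Open('ReadWrite')
    $added = @{ Root = 0; CA = 0 }
    foreach ($cert in $collection) {
        if ($cert.Subject -eq $cert.Issuer) { $rootStore.Add($cert); $added.Root++ }
        else { $caStore.Add($cert); $added.CA++ }
    }
    $rootStore.Close(); $caStore.Close()
    [pscustomobject]$added
}

# Usage (connected staging host, then each disconnected server):
#   Publish-RootUpdateFiles -SharePath '\\fileserver\rootupdate'
#   Set-InternalRootUpdateSource -SharePath '\\fileserver\rootupdate'
#   Import-RootsFromSst -SstPath '\\fileserver\rootupdate\roots.sst'
```

`Set-InternalRootUpdateSource` only has an effect if the "Turn off Automatic Root Certificates Update" policy is not enabled on the target; if it is, the SST import in `Import-RootsFromSst` is the path that actually gets the new roots and intermediates onto the server.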

Internet endpoints

If you have an environment in which rules are set to allow outbound calls to only specific Certificate Revocation List (CRL) downloads, or Online Certificate Status Protocol (OCSP) verification locations, you must allow the following CRL and OCSP URLs:

  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://ctldl.windowsupdate.com
  • https://mscrl.microsoft.com
  • https://crl.microsoft.com
  • https://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
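To confirm that a proxy or firewall actually lets the service connection point reach those locations, each URL can be probed for TCP reachability and an HTTP response. The script below is an added example, not from the article; it uses `Test-NetConnection` and `Invoke-WebRequest`, and treats any HTTP status (including 403 or 404 on the site root, which is common for CRL and OCSP hosts) as proof that the request left the network.

```powershell
# Added example (not from the original article): probe the CRL/OCSP endpoints
# listed above from the service connection point server.

$endpoints = @(
    'http://crl3.digicert.com',
    'http://crl4.digicert.com',
    'http://ocsp.digicert.com',
    'http://www.d-trust.net',
    'http://root-c3-ca2-2009.ocsp.d-trust.net',
    'http://ctldl.windowsupdate.com',
    'https://mscrl.microsoft.com',
    'https://crl.microsoft.com',
    'https://oneocsp.microsoft.com',
    'http://ocsp.msocsp.com'
)

function Test-CertEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url                      # .Port defaults to 80/443 from the scheme
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -WarningAction SilentlyContinue
    $http = 'n/a'
    if ($tcp.TcpTestSucceeded) {
        try {
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            $http = [int]$resp.StatusCode
        } catch {
            # A 4xx on "/" still means the outbound request was allowed; only a
            # missing response (timeout, proxy block, name failure) is a problem.
            if ($_.Exception.Response) { $http = [int]$_.Exception.Response.StatusCode }
            else { $http = "no response: $($_.Exception.Message)" }
        }
    }
    [pscustomobject]@{
        Url          = $Url
        Host         = $uri.Host
        Port         = $uri.Port
        TcpReachable = $tcp.TcpTestSucceeded
        Http         = $http
    }
}

$endpoints | ForEach-Object { Test-CertEndpoint -Url $_ } | Format-Table -AutoSize
```

Rows with `TcpReachable` set to `False`, or `Http` reporting no response, are the locations that still need an allow rule; an HTTP status of any value means the path is open.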

More Information

Microsoft maintains the list of root certificates that are distributed by the Windows Root Certificate Program, on the program website.

For more information about the Windows Root Certificate Program and the list of certification authorities (CAs) who are members, see Release notes - Microsoft Trusted Root Certificate Program.

Root certificate update mechanisms are available in different versions of Windows. This includes the automatic root update mechanisms.

For more information about how to update the root certificate list in different versions of Windows, see Configure Trusted Roots and Disallowed Certificates.

By default, the automatic root update mechanism is enabled in different versions of Windows. However, if this mechanism is disabled, and the service connection point server doesn’t have the DigiCert Global Root G2 root certificate installed, connectivity issues with Configuration Manager cloud services may occur. The Configuration Manager on premises hierarchy may no longer be able to access the Microsoft Configuration Manager cloud services and other such resources.

For more information, see Azure TLS certificate changes and Azure IoT TLS: Changes are coming.

Next steps

For additional information about connectivity requirements and troubleshooting for Configuration Manager, see the following items: