Root authority certificates disappearing?

  • Question

  • Greetings,

    We have deployed a number of Wyse TC devices using Embedded. Devices are built on the domain and then a batch file is run to enable autologon using a local account and take the machine off the domain.

    For the most part this is working fine, but approx. 15% of machines given to users come back within a week or so due to certificate errors: going to a website says that xyz.com is not trusted. Checking root/intermediate certificates on these machines shows no external trusted certificates at all; the only certificates showing will be our own domain CA and sub certs.

    Machines are locked down and Windows Update is turned off. I don't think there is an issue with the build because, if so, the issue would appear on all machines, not just 1 in 7.

    It feels like the certificate store is getting chewed up somehow, but I can't figure out what it is doing. Anyone got any ideas on stuff to try? I won't be able to get my hands on a faulty unit until Monday, but if there is anything I can check.

    Thanks.

    Friday, May 15, 2020 3:36 PM

Answers

  • We think we found a solution to this.

    1) Make sure that all trusted root and intermediate certificates that are required are installed on the machine.

    2) Make sure that the machine is not domain joined, and you are logged in as Administrator with the write filter disabled.

    3) Run local group policy and set the following.

    1. Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
    2. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.

    Reboot the machine, enable the write filter, shut down.

    None of the machines which have had the above done have dropped certificates. I think it has something to do with the devices being unable to get to the Windows Update site in some way, possibly looking for a revocation list, failing to get to it and killing all the certificates.


    Friday, July 3, 2020 10:43 AM
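The accepted answer's procedure as a script, added here as an example and not code posted in the thread. It is written for the Windows Embedded Standard 7 / FBWF setup the thread describes and run from an elevated PowerShell session as the local Administrator: it refuses to run while the write filter is on or the box is still domain joined, inventories the machine Root and CA stores (the handover check the question asked for), re-imports a staged certificate bundle with certutil, sets the "Turn off Automatic Root Certificates Update" policy through the registry value that the Local Group Policy setting writes, and verifies it. The staging folders C:\Certs\Root and C:\Certs\CA, the names in $expectedRoots, and the exact wording matched in the fbwfmgr output are assumptions for illustration, not facts from the thread.

```powershell
# Added example, not code from the thread. Implements the accepted answer's
# steps on a WES7 thin client with FBWF. Run elevated as the local Administrator.
# Assumptions (not from the thread): roots are staged as .cer files under
# C:\Certs\Root and intermediates under C:\Certs\CA; $expectedRoots is an
# illustrative list to adapt to your environment.

$ErrorActionPreference = 'Stop'

# Nothing below persists while FBWF is on. The answer's order is:
#   fbwfmgr /disable  ->  reboot  ->  make changes  ->  fbwfmgr /enable  ->  shut down.
# Matching on "filter state: enabled" in the /displayconfig output is an assumption
# about the tool's wording; confirm it on your image.
$fbwf = (& fbwfmgr /displayconfig | Out-String)
if ($fbwf -match 'filter state:\s*enabled') {
    throw 'FBWF is enabled. Run "fbwfmgr /disable", reboot, then rerun this script.'
}

# Step 2 of the answer: the machine must already be off the domain.
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    throw 'Machine is still domain joined; remove it from the domain first.'
}

# Inventory of the machine stores. The failure described in the thread leaves
# only the internal domain CA and its sub CAs here, so the counts and subjects
# are a quick check to run before a unit is handed to a user.
function Get-StoreSummary {
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root)
    $inter = @(Get-ChildItem Cert:\LocalMachine\CA)
    New-Object PSObject -Property @{
        Roots         = $roots.Count
        Intermediates = $inter.Count
        RootSubjects  = ($roots | ForEach-Object { $_.Subject }) -join '; '
    }
}
Get-StoreSummary | Format-List

# Public roots this environment relies on (illustrative names; adapt as needed).
$expectedRoots = @('DigiCert Global Root CA', 'Baltimore CyberTrust Root')
$present = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Subject })
foreach ($name in $expectedRoots) {
    if (-not ($present | Where-Object { $_ -like "*$name*" })) {
        Write-Warning "Expected root not present before import: $name"
    }
}

# Step 1 of the answer: (re)install the required roots and intermediates.
# certutil ships with WES7; -f overwrites an existing entry with the same thumbprint.
Get-ChildItem 'C:\Certs\Root' -Filter *.cer | ForEach-Object {
    & certutil -addstore -f Root $_.FullName | Out-Null
}
Get-ChildItem 'C:\Certs\CA' -Filter *.cer | ForEach-Object {
    & certutil -addstore -f CA $_.FullName | Out-Null
}

# Step 3 of the answer: "Turn off Automatic Root Certificates Update" = Enabled.
# This is the registry value that the Local Group Policy setting under
# Administrative Templates > System > Internet Communication Management >
# Internet Communication settings writes, so gpedit will show it as Enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -Value 1 -Type DWord

# Verify before sealing the image again (fbwfmgr /enable, then shutdown /s /t 0).
$value = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate).DisableRootAutoUpdate
if ($value -ne 1) { throw 'DisableRootAutoUpdate was not written.' }
"DisableRootAutoUpdate = $value; Root store now holds $((Get-StoreSummary).Roots) certificates."
```

Two caveats worth keeping in mind when applying this. First, with automatic root update turned off the device no longer receives new or removed roots from Microsoft through that mechanism, so the staged bundle in C:\Certs becomes the single source of trust for these clients and has to be maintained deliberately, with the image refreshed when a public CA you depend on changes. Second, the thread establishes that the fix stopped the symptom on the devices it was applied to, not what was emptying the stores, so the inventory step is still worth running on returned units.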

All replies

  • Since these are Thin Clients, a write filter might be enabled. What Windows OS are you using? Do you know if EWF, FBWF or UWF are enabled?

    Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

    Friday, May 15, 2020 3:58 PM
    Moderator
  • They have FBWF enabled. Machines are locked down before being given to user and I've asked them to make sure that certificates show before handing over. So something has to be happening when users are connecting them to their home networks.

    Friday, May 15, 2020 4:04 PM
  • FBWF - Sounds like this is Windows Embedded Standard 7, is that correct?

    Is this the only corruption that you are seeing?

    Is FBWF disabled at any point in time during setup or operation?

    What write-throughs do they have for FBWF?

    What does the Wyse have to say?


    Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

    Saturday, May 16, 2020 3:52 PM
    Moderator