Anyone seen this issue, only occurring in about the last week? It may be a wider issue globally. Not sure what triggered it.
Basically in the last few days some updates from 1809 to 1909, after completed, the local laptop certs are missing. Which is a problem for all our home users on VPN! (i.e. with covid still around)
Yes same issue for us too. Not limited to 1909 feature update, also the same for 20h2 pre-release.
We have updated several previously to both OS versions, but this week's updates result in devices missing certificates.
Rolled back and removed the October CU. Then went forward again. Certificates all in place. I've repeated this to prove it. So it looks like the October CU changes the OS before the update in some way that causes the certificates to be removed during the feature upgrade.
And what about the customers who distribute the IPU via servicing in MEMCM? Currently there is no possibility to update the Servicing Image.
Enable Dynamic Updates during servicing to include the latest CU and other updates.
https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#bkmk_du
Dynamic Updates is not a solution. Because not only Windows updates but also drivers are installed. There is no possibility to configure this in detail. Furthermore, it is not always possible to download GB of data for patches in addition.
Rollback is also not an option for the customer if he makes an IPU from 1709 to 1909. 1709 is end of support.
It may not be an ideal solution, but it is an available option.
I would find a better solution if you could update the ESD files for servicing manually. Just like it is possible for upgrade images. The ESD files for servicing have the patch status of the release date of the corresponding Windows 10 version.
Microsoft has recently updated the Windows Setup Engine 2 times, which meant that you had to download the Feature Update Package for Servicing again. Why not update the ESD file?
For example: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16908
I have updated another solution for those who are using CM in their environment; please check it and try it on your side.
Bests,
VLSC media for RS5, 19H2 and 20H1 already include 2020 10B updates. We could update image by downloading again from VLSC to replace previous target image.
This is useless when I use the servicing function in MEMCM.
The solution with the WSUS Server and Dynamic Update is not possible if the user works from the home office and needs to get the IPU. During the IPU from the home office the WSUS Server is not available.
Currently, most users at the customer's site are working from their home office because of Covid-19.
As far as I know, if clients use VPN or IBCM there is no difference whether they work at home or at the office. The WSUS server is available when using VPN or IBCM.
Hi,
Thank you for coming to the Microsoft Q&A forum!
Does the issue only occur on Windows home system or your environment only have Windows 10 home system?
What is the existing system build? Please run "winver" to check on several devices.
Bests,
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Windows 10 Enterprise Edition x64. Updating from 1809 to 1909. The issue happens after the 1909 update completes. We have been updating computers since May 2020, and have only seen this issue in the last week.
It looks like some other people have seen it: https://www.reddit.com/r/SCCM/comments/jfyqs2/certificate_issues_after_os_upgrade/
Our Help Desk just started reporting this same issue which started on Tuesday (10/20/2020). We are upgrading our Windows 10 Enterprise 1809 systems to 1909. Prior to Tuesday we stopped the upgrade for 3 weeks because of our finance quarter-end. We upgraded over 8,000 systems without this issue back then. Since Tuesday, we have done ~2,000 systems for this week and have thousands more the following week. The only major change I can think of is Patch Tuesday happened.
Yes, we think it's related to the October Windows patches. Would be great to get an acknowledgement and a fix from MS.
We also face the same issue, and there is a workaround of deleting the VPN connection from NCPA.CPL and rerunning the package fix, or else connecting to the corporate network to get the new certs downloaded.
Hi All,
I understand you are in trouble because of this issue, which is caused when the target system version (without the 2020 9B / 10B package) is lower than the existing system version (with the 2020 9B / 10B package). Here is a workaround which could help us get out of it. Please try it on your side.
First, we need to roll back to the previous OS. Then re-launch the in-place upgrade to a target OS with dynamic updates enabled OR in-place upgrade to an OS image that contains the 2020 9B / 10B package or later.
Admins may be successful initiating an OS rollback remotely within the 10 days. The default value is 10 days; we could also configure it through the DISM command line (run as admin) as below.
DISM /Online /Set-OSUninstallWindow /Value:<days>
Tip: If the value passed is <2 or >60, the default value of 10 will be set.
Then roll back with the command line:
DISM /Online /Initiate-OSUninstall [/NoRestart|/Quiet]
For more information about this command tool, please refer to DOCS: DISM operating system uninstall command-line options
Important: OEMs shouldn't use this setting in imaging or manufacturing scenarios. This setting is for IT administrators.
Windows gives a user the ability to uninstall and roll back to a previous version of Windows.
For adding update package into ISO image, we could use DISM tool with add-package parameter.
For more details, please refer to: To add packages to an offline image by using DISM
Or we could configure image through SCCM.
Finally, thanks for all your patience and continued use of Microsoft products.
Bests,
Joy
Hi Roy,
Many thanks for sharing - highly appreciated!
Is there a Microsoft Bug ID or ticket number we can refer to? Premier support seems not to be aware of the issue yet.
Thanks,
Dietmar
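The registry method works great, here is a quick PowerShell script that accomplishes those steps:
# Run elevated. Copies the machine certificate entries from the pre-upgrade hive kept in Windows.old.
$hivefile = "C:\Windows.old\WINDOWS\System32\config\SOFTWARE"
$regfile = "C:\Temp\RegTests\RegFileTest.reg"
# Make sure the export folder exists, otherwise REG EXPORT fails
New-Item -ItemType Directory -Path (Split-Path $regfile) -Force | Out-Null
# Mount the old SOFTWARE hive under a temporary name and export the certificate keys (/y overwrites an existing file)
REG LOAD "HKLM\SOFTWARE_TEMP" $hivefile
REG EXPORT "HKLM\SOFTWARE_TEMP\Microsoft\SystemCertificates\MY\Certificates" $regfile /y
REG UNLOAD "HKLM\SOFTWARE_TEMP"
# Point the exported keys at the live SOFTWARE hive, then import them
((Get-Content -path $regfile -Raw) -replace "SOFTWARE_TEMP", "SOFTWARE") | Set-Content -Path $regfile
REG IMPORT $regfile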
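A read-only companion check, added here as an example and not part of the original post: it lists the certificate thumbprints recorded in the Windows.old SOFTWARE hive and reports which of them are absent from the current LocalMachine\My store, so affected machines can be identified before anything is imported. The mount name SOFTWARE_OLD and the shape of the output object are assumptions of this example.

```powershell
# Added example: read-only check, nothing is imported or changed. Run elevated.
# Assumes the same Windows.old hive location as the script above.
$hiveFile  = 'C:\Windows.old\WINDOWS\System32\config\SOFTWARE'
$mountName = 'HKLM\SOFTWARE_OLD'   # temporary mount point, name chosen for this example
$certPath  = "$mountName\Microsoft\SystemCertificates\MY\Certificates"

if (-not (Test-Path -LiteralPath $hiveFile)) {
    Write-Output 'No Windows.old SOFTWARE hive found; nothing to compare.'
    return
}

& reg.exe load $mountName $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed with exit code $LASTEXITCODE (is the session elevated?)"
}

try {
    # reg query prints one full key path per certificate; the last
    # path segment is the certificate's SHA-1 thumbprint (40 hex digits).
    $oldThumbprints = @(& reg.exe query $certPath 2>$null | ForEach-Object {
        if ($_ -match '\\Certificates\\([0-9A-Fa-f]{40})\s*$') {
            $Matches[1].ToUpperInvariant()
        }
    })
}
finally {
    # Always unmount the old hive, even if the query failed.
    & reg.exe unload $mountName | Out-Null
}

# Thumbprints currently visible in the machine's personal store.
$currentThumbprints = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

$missing = @($oldThumbprints | Where-Object { $_ -notin $currentThumbprints })

# One object per machine, suitable for collecting into a report.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OldCertCount     = $oldThumbprints.Count
    CurrentCertCount = $currentThumbprints.Count
    MissingCount     = $missing.Count
    Missing          = $missing -join ','
}
```

A non-zero MissingCount means certificates that existed before the upgrade are no longer in the machine store.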
Yes, the registry method works great post-mortem and can save the life of a user who might otherwise be unable to connect via VPN.
The issue can be avoided by uninstalling the October 2020 cumulative patch before starting the Windows 10 upgrade. A poor workaround, but at least it works.
Really curious if there is already a bug ID at Microsoft. Premier support is still investigating our logs although this seems to be a known issue.
Hi,
Thank you for all your feedback about your action result and experience.
Please mark a useful reply as the answer, or vote for a useful reply, to help other customers find the result more quickly.
Bests,
Hi JoyQiao
Thanks for this explanation, I appreciate having this piece of info, but still need further support to fix it in the following scenario:
We're luckily just in the test phase to upgrade 1809 to 1909 using SCCM and we experience the same certificate issue (since Patch Tuesday) when we deploy the 'Feature Update to Windows 10 (business editions), version 1909, en-us x64' package (Article ID 3012973) from the 'Software Servicing' feature, in order to get our 1809 clients up to 1909. If I understand your answer right, it means that the above servicing package is also outdated and should be patched to 2020 9B / 10B at least. Will there be an updated version of this package released by Microsoft in the near future?
You’ve clearly been busy :)
From what I’ve read, it happens if the Operating System patch level is greater than the Servicing WIM.
I see IPU 1909->20H2 loses machine certs.