Hello
- Check Group Policy Settings (Windows Update Behavior)
Windows Update may be inadvertently removing certificates due to certain group policy settings. You can configure Group Policy to prevent this behavior.
Steps to check Group Policy settings:
Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
Navigate to:
Computer Configuration -> Administrative Templates -> System -> User Profiles
Look for the policy setting called "Do not delete user profiles on system shutdown". Ensure this is set to Enabled. This will prevent Windows from deleting user profile data, including certificates, during updates or restarts.
Also, check under:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
Look for any policies related to updates affecting certificate management, and make sure there aren’t any aggressive cleaning policies in place.
- Ensure the Certificates are Installed in the Correct Store
Certificates for the Common Access Card (CAC) should be installed in the Windows Certificate Store, specifically in the Personal store.
To ensure that certificates are in the right place:
Open Microsoft Management Console (MMC) by pressing Windows + R, typing mmc, and hitting Enter.
In MMC, click File -> Add/Remove Snap-in.
Select Certificates and click Add.
Choose Computer account and then Local computer.
Expand Certificates, and navigate to Personal.
Ensure your CAC certificates are listed here.
If they are being installed into Current User instead of Local Machine, it might be causing them to be wiped upon system updates. Make sure they’re installed in the Local Machine store for persistence.
- Prevent Certificate Removal by Windows Update
Sometimes, Windows may overwrite certain system configurations or certificates during updates. You can try the following workaround:
Registry Edit to Prevent Auto-Removal:
Open Registry Editor (regedit).
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config
Look for any entries that might be forcing Windows to remove or reset certificates and remove or change those values as needed.
Also, check:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Look for any entries like "DisableCertificateRevocationCheck" or similar, which may be causing Windows to reset the certificate store during updates.
- Update or Install the Latest Drivers for Your CAC Reader
Since you’re using a CAC card, it's essential that your CAC reader is up-to-date and fully compatible with Windows 11. A driver issue may lead to certificates not being correctly stored after updates. Here’s how you can ensure compatibility:
Visit the HP support website for your HP Omen 17 and make sure your system is running the latest updates, including firmware, chipset, and CAC reader drivers.
Install the latest smart card drivers. If the drivers provided by HP are outdated, consider downloading and installing the latest ones from the smart card manufacturer (e.g., Gemalto, Identiv, ActivClient).
- Ensure Windows is Configured to Retain Certificates Across Updates
You can also configure Windows 11 to ensure certificates are retained even after updates:
Press Windows + I to open Settings.
Go to Privacy & Security -> Windows Security -> Device Security.
Under Security processor details, check if the TPM (Trusted Platform Module) and Secure Boot are enabled. This can sometimes affect how certificates are handled and retained.
I hope the above information is helpful to you.
Best regards
Runjie Zhai
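
An added example, not part of the original answer: a PowerShell script that records which certificates sit in the Local Machine and Current User Personal stores before an update and reports which ones are gone afterwards, so the store check described above can be compared across a Windows Update. The `-Mode` parameter, the function name and the baseline file path are assumptions made for this illustration.

```powershell
# Added example, not from the original answer.
# Usage: run with -Mode Save before the update, then -Mode Compare after it.
param(
    [ValidateSet('Save', 'Compare')]
    [string]$Mode = 'Save',
    # Assumed location for the baseline file; change as needed.
    [string]$BaselinePath = "$env:USERPROFILE\cert-baseline.csv"
)

# Hypothetical helper: list every certificate in both Personal ("My") stores.
function Get-PersonalCertInventory {
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem -Path "Cert:\$location\My" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = "$location\My"
                    Thumbprint    = $_.Thumbprint
                    Subject       = $_.Subject
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$current = @(Get-PersonalCertInventory)

if ($Mode -eq 'Save') {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Saved {0} certificate(s) to {1}" -f $current.Count, $BaselinePath
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -Mode Save first."
}

# Key each entry by store and thumbprint so a certificate that moved
# between Current User and Local Machine shows up as missing from one store.
$baseline    = @(Import-Csv -Path $BaselinePath)
$currentKeys = @($current | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
$missing     = @($baseline | Where-Object { "$($_.Store)|$($_.Thumbprint)" -notin $currentKeys })

if ($missing.Count -eq 0) {
    "All $($baseline.Count) baseline certificate(s) are still present."
} else {
    "Missing since baseline:"
    $missing | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
}
```

Run both modes with the CAC inserted in the reader so the two inventories are taken under the same conditions.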