Unified Write Filter - Machine certificate exclusions - missing store keyset

Huskin1 96 Reputation points
2021-07-27T07:44:33.233+00:00

Dear

We're using a mix of Windows 10 Enterprise 2016 LTSB and Windows 10 Enterprise 2019 LTSC clients with the Unified Write Filter enabled.

Users are using these devices in the office and at home. From home they use an SSL VPN to connect to the corporate network. Our VPN-solution does a host check to verify if certain prerequisites are met before it establishes a connection. One of these checks is the availability and validity of a machine certificate stored in the machine's personal store (My). This is also the only store that we need to exclude from UWF. The (AD-issued) certificate is automatically renewed every so often when a user boots the device in the corporate network.

To ensure that the renewal is not lost after a system reboot with the Unified Write Filter enabled, we have implemented the following file and registry UWF-exclusions:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
C:\ProgramData\Microsoft\Crypto

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates

These exclusions were offered to us by Dell Wyse support. Using these exclusions, the certificate is successfully remembered after a system reboot, but after a few days the certificate becomes invalid again and using "certutil -store my" I can see that the certificate has the error "Missing stored keyset".

It seems like I'm missing an exclusion for the private key.

The only way to rectify the issue is to tell the user to come to the office, connect to the corporate network, disable the write filter, remove the certificate, reboot (or gpupdate /force) to get a new certificate and re-enable the write filter.

Our team does not have access to the VPN-solution and no changes will be implemented to circumvent the certificate check.

I took a look at this very comprehensive explanation on where everything is stored but I fail to see the problem with my exclusions aside from the fact that the exclusion "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" is maybe arbitrary as its parent folder "C:\ProgramData\Microsoft\Crypto" is already excluded.

Does anyone have any idea?


1 answer

  1. Anonymous
    2021-07-29T02:23:45.307+00:00

    Hello @Huskin1 ,

    Thank you so much for posting here.

    Frankly speaking, I am not professional with UWF. As suggested, we could try to add the other registry keys and file locations mentioned in the article to the UWF exclusions.
    Sincerely hope other engineers could share their knowledge or experience here.

    As for the issue of "Missing stored keyset", I did some research about this. This can be confirmed by running the following two commands:

    certutil -v -store my
    certutil -v -verifykeys

    As stated, we could see "missing stored keyset" in the outputs.

    certutil -v -store my will tell you further if the CA keys are stored in software based csp/ksp or on HSM. For software based keys, you can identify the physical location of the key in the file system (for example, Key Container = te-ae36bd7e-931d-4aae-b4a8-893df16651c1). The key is usually stored in C:\ProgramData\Microsoft\Crypto\Keys.

    I am trying my best to get more information for your reference. But it seems that no useful information about our issue could be found.

    Your understanding and support are greatly appreciated.

    Best regards,
    Hannah Xiong

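As an added diagnostic (not code from the thread, from Microsoft or from Dell Wyse), the following PowerShell maps each certificate in the machine My store to its private-key file under the Crypto folders discussed above and reports whether a file exclusion in the running UWF session covers that file. It assumes software-stored keys in the default folders and the UWF WMI provider in root\standardcimv2\embedded with its UWF_Volume.GetExclusions method; run it in an elevated Windows PowerShell session on the UWF client.

```powershell
# Added diagnostic (not from the thread): map each machine "My" certificate to its
# private-key file and check whether a current-session UWF file exclusion covers it.
# Assumes default software key folders and the UWF WMI provider; run elevated.
function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # Legacy CAPI (CSP) key: the container file lives under RSA\MachineKeys
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $base ('RSA\MachineKeys\' + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
    }
    # CNG (KSP) key: the file name under Keys is the key's UniqueName
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return Join-Path $base ('Keys\' + $rsa.Key.UniqueName)
        }
    } catch { }   # key unreadable (HSM, smart card, ACL): location unknown
    return $null
}
function Get-UwfFileExclusions {
    # Volume-relative exclusion paths (drive letter stripped) for the running session
    try {
        Get-WmiObject -Namespace 'root\standardcimv2\embedded' -Class UWF_Volume |
            Where-Object { $_.CurrentSession } |
            ForEach-Object { $_.GetExclusions().ExcludedFiles } |
            ForEach-Object { ($_.FileName -replace '^[A-Za-z]:', '').TrimEnd('\') }
    } catch { @() }
}
function Test-UwfCovers {
    param([string]$Path, [string[]]$Exclusions)
    $rel = ($Path -replace '^[A-Za-z]:', '').TrimEnd('\')
    # Covered when the key file equals an exclusion or sits below an excluded folder
    foreach ($ex in $Exclusions) {
        if ($ex -and ($rel -eq $ex -or $rel -like ($ex + '\*'))) { return $true }
    }
    return $false
}
$exclusions = @(Get-UwfFileExclusions)
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $keyFile = Get-MachineKeyFile $_
    [pscustomobject]@{
        Subject     = $_.Subject
        NotAfter    = $_.NotAfter
        KeyFile     = $keyFile
        KeyOnDisk   = [bool]($keyFile -and (Test-Path -LiteralPath $keyFile))
        UwfExcluded = [bool]($keyFile -and (Test-UwfCovers $keyFile $exclusions))
    }
} | Format-Table -AutoSize
```

A certificate whose KeyFile is under Keys rather than RSA\MachineKeys with UwfExcluded reporting False points at the private-key location that the listed exclusions do not persist.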

