Micro Focus Expert

Windows may lose ZCM CA Trust after Windows 1909/2004 Upgrade (Potential MS Defect Alert)

This post is a lot of conjecture, but I have received a report that there is a new Windows 10 1909 (or 2004) OS upgrade issue that may impact ZCM.

In short, it appears that if a Windows 10 PC with the October 2020 Rollup Patches (or other very recent patches) Upgrades to 1909 or 2004 via an IPU (In Place Upgrade), then all of the previous certificate trusts are lost.  Patching the Upgrade Media prevents the issue.   Again, this is not a ZCM specific issue, but simply impacts ZCM since it relies upon Certificate trusts.

While the resolution appears to be updating the upgrade media, I did provide some alternate solutions as well to attempt to mitigate the issue while root cause was confirmed.

  • Deploy the ZCM Internal CA via Domain GPOs.  The advantage to this solution is that any currently broken devices, even unknowingly broken devices, would most likely self-heal once the updated GPO is applied.
  • Create a Force Run Bundle that has a SYSTEM Requirement for HKLM\Software\Microsoft\ROOT\Certificates\{RANDOM ID#} that matches your ZCM CA to be missing.  (See Attached Picture)
    • If this value does not exist, it will apply the REG BLOB to restore the lost cert.
    • This bundle should self-heal any device where Cert Trust is lost at a point in time AFTER the bundle is deployed.  The bundle will still operate after trust is lost because the device will be operating in Disconnected mode, which can still run previously assigned bundles.
    • This will NOT remediate any currently broken devices, since they cannot get the assignment.
  • Update the Windows 1909 Upgrade Files to restore missing cert trusts during the post upgrade tasks.
    • Export HKLM\Software\Microsoft\ROOT\Certificates\ locally prior to upgrade and Import local export of HKLM\Software\Microsoft\ROOT\Certificates\ post upgrade.
      • This will help ensure ALL ROOT certs are retained since Non-ZCM certs can be impacted.
    • Create a REG Export of HKLM\Software\Microsoft\ROOT\Certificates\{RANDOM ID#} and import this as part of the post upgrade tasks.
    • Run `certutil.exe -addstore Root "\\patch\ca.der"` post upgrade.  This would require a copy of the DER to be local or UNC accessible to restore the trust.

At this point, this post is based on significant supposition but the potential impact of the reported certificate issues around upgrading Windows 10 PCs with the October rollup were significant enough I wanted to alert folks quickly.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
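The pre/post-upgrade registry export and the `certutil -addstore Root` step described above, combined into one script as an added example (this is not code from the original post or from ZENworks itself). It is meant to run as SYSTEM from a pre-upgrade task (`-Mode backup`) and again from a post-upgrade task or a Force Run bundle (`-Mode restore`). The DER path `\\patch\ca.der` is the placeholder used in the post, the thumbprint value is a placeholder for your own zone CA's SHA-1 thumbprint, and the backup file location is an assumption; the full registry path used here is the key that backs the LocalMachine Root store, which the post abbreviates as `HKLM\Software\Microsoft\ROOT\Certificates`. The restore step refuses to import a DER whose thumbprint does not match the pinned value, so a wrong or altered file on the share cannot be pushed into the machine Root store.

```powershell
# Added example (not from the original post). Checks whether the ZCM internal CA is
# still trusted after an in-place upgrade and restores it from a pre-upgrade registry
# export or from a pinned DER file. $ZcmCaDer and $ZcmCaThumbprint are placeholders.
param(
    [string]$ZcmCaDer        = '\\patch\ca.der',                           # placeholder UNC/local path
    [string]$ZcmCaThumbprint = '0000000000000000000000000000000000000000',  # placeholder SHA-1, 40 hex chars
    [string]$BackupFile      = "$env:ProgramData\ZcmRootCerts.reg",        # assumed backup location
    [ValidateSet('backup','restore')][string]$Mode = 'restore'
)

# Registry key backing the LocalMachine\Root store; each subkey name is a certificate thumbprint.
$RootKey = 'HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

function Test-RootTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # The Cert: drive exposes the same store the registry key backs; a missing item means trust is gone.
    return (Test-Path -Path ("Cert:\LocalMachine\Root\" + $Thumbprint.ToUpper()))
}

function Backup-RootStore {
    param([Parameter(Mandatory)][string]$Path)
    # Pre-upgrade task: export the whole Root key so non-ZCM roots are preserved as well.
    & reg.exe export $RootKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return (Test-Path -Path $Path)
}

function Restore-ZcmCaTrust {
    param(
        [Parameter(Mandatory)][string]$DerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$RegBackup
    )
    if (Test-RootTrust -Thumbprint $ExpectedThumbprint) {
        Write-Output "ZCM CA $ExpectedThumbprint is already trusted; nothing to do."
        return $true
    }

    # Step 1: replay the pre-upgrade registry export if one exists (restores every lost root).
    if ($RegBackup -and (Test-Path -Path $RegBackup)) {
        & reg.exe import $RegBackup | Out-Null
    }

    # Step 2: if the ZCM CA is still missing, re-add the DER, but only after confirming the
    # file really is the expected certificate (pin by thumbprint before touching the Root store).
    if (-not (Test-RootTrust -Thumbprint $ExpectedThumbprint)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DerPath
        if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
            throw "Refusing to import ${DerPath}: thumbprint $($cert.Thumbprint) does not match $ExpectedThumbprint"
        }
        & certutil.exe -addstore Root $DerPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
    }

    # Final state is what the bundle's System Requirement would check: is the subkey/item back?
    return (Test-RootTrust -Thumbprint $ExpectedThumbprint)
}

switch ($Mode) {
    'backup'  { Backup-RootStore -Path $BackupFile }
    'restore' { Restore-ZcmCaTrust -DerPath $ZcmCaDer -ExpectedThumbprint $ZcmCaThumbprint -RegBackup $BackupFile }
}
```

Run `.\Restore-ZcmCa.ps1 -Mode backup` from the pre-upgrade task and `.\Restore-ZcmCa.ps1 -Mode restore` from the post-upgrade task; both `reg.exe` and `certutil.exe` need an elevated (SYSTEM) context to write the machine Root store. `Test-RootTrust` is the same condition the post's bundle System Requirement expresses on the registry subkey, so the script can also serve as the bundle's remediation action.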
3 Replies
Micro Focus Expert

Note: Here are some steps for slipstreaming Windows updates into your Windows 10 upgrade media.

https://www.winhelponline.com/blog/slipstream-windows-10-integrate-updates-setup-media-iso/

Cadet 2nd Class

Craig, thank you so much for continuing to post helpful and useful information like this that impacts us customers. We ran into this issue today during our Feature Upgrade 1909>2004 testing and were at a complete loss initially in determining where to start with troubleshooting and what was failing. I'd love to see this in a KB somewhere because the Forums ended up being my last stop after checking all other resources; fortunately it was worthwhile. 🙂

Thanks again,
Luke
