Windows 10 Build 1809 - IE11 Untrusted Certificate Problem

MattF40

New Member
Hi

We use a web proxy that inspects SSL traffic, so we distribute the vendor's Trusted Root Certificate Authority certificate via Group Policy to the client machines to prevent errors and certificate warnings.

This has been working perfectly until I tried to apply the same Nlite modifications to a build of Windows 10 Enterprise 1809. The certificate is still added as usual, and if you browse using Edge rather than IE11 then everything works - sites are trusted using the vendor CA cert, no warnings or anything - so I'm at a loss as to why the same certificate isn't working in IE11.

If I install Windows 10 1809 from the Microsoft ISO then it works perfectly, but from the Nlite modified ISO it doesn't.

It's not a hugely modified image either; the customizations are largely adding drivers, modifying privacy settings, an unattended install, etc.

Can anyone help? I redid the whole image from scratch hoping it would fix it but alas not.

Using Nlite V1.7.3 6761 64bit

Matt
 
Hi Matt,

If I understand correctly, the issue is just that the IE11 is not seeing your certificate, while Edge does.

While some privacy option might be tied to it, Microsoft did change some SSL handling lately, which could be tied to this.
Make sure to test both ISOs updated to the latest cumulative update, or no update at all in both, whatever is the policy in your company.
But then be careful if Windows Update updated one of them.

If you already had both of the tests equal in that regard, then attach, or better for privacy, send me your preset to test (support at ntlite com), with instructions how to verify the issue, for example a website that you go to confirm, if it's not any HTTPS.
If you use a command to add the certificate to the machine, that would also be useful in replicating the exact scenario.

Thanks.
 
Hi Nuhi

Yes, that's basically it. IE11 can actually see the root certificate but doesn't trust it (it affects any HTTPS website), while Edge sees and trusts it. IE11 also displays a warning about the certificate revocation not being available.

This happens on any Win 10 1809 Nlite modified install, either fully updated or fresh.

As a test I deleted the Group Policy deployed root certificate concerned and then re-imported it manually which actually resolves the problem - I don't know if that helps diagnose anything?

The certificate is installed by importing the root certificate into the following section of Group Policy and applying the policy to the relevant OU:

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

I will get the preset over to you tomorrow.

Matt
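The thread's two symptoms (a GPO-delivered root that IE11 will not trust, but a manually imported copy that it will, plus a revocation warning) can be checked from the same machine with the script below. It is an added diagnostic, not code from the thread, from NTLite or from Microsoft. It assumes you replace the placeholder thumbprint with that of your own root CA and, optionally, name an internal HTTPS host that sits behind the inspecting proxy; `Get-RemoteCertificate` is a helper defined here, not a built-in cmdlet.

```powershell
<#
  Added diagnostic script (not from the thread, NTLite or Microsoft).
  Assumes: $Thumbprint is replaced with your GPO-deployed root CA thumbprint
  (placeholder below), and $HostName, if given, is a site behind the proxy.
#>
param(
    [string]$Thumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT',   # placeholder
    [string]$HostName   = '',                                 # optional internal HTTPS host
    [ValidateSet('Online', 'Offline', 'NoCheck')]
    [string]$RevocationMode = 'Online'   # Online mirrors the CRL/OCSP check IE11 performs
)

$Thumbprint = $Thumbprint.ToUpper() -replace '[^0-9A-F]', ''

# The two install paths discussed in the thread write to different halves of the
# machine store: the GPO "Trusted Root Certification Authorities" setting writes a
# registry-backed policy entry, a manual import (certmgr.msc, certutil -addstore Root)
# writes a local entry. Cert:\LocalMachine\Root shows both merged, so look at each.
$gpoKey   = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
$localKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$Thumbprint"

[pscustomobject]@{
    Thumbprint          = $Thumbprint
    PresentViaGPO       = Test-Path $gpoKey
    PresentViaManualAdd = Test-Path $localKey
} | Format-List

$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $root) { Write-Warning 'Root CA not present in Cert:\LocalMachine\Root at all.'; return }

function Get-RemoteCertificate {
    # Helper (added here): fetch the leaf certificate a TLS server, or the
    # inspecting proxy in front of it, presents for the given host name.
    param([string]$Name, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Build the chain with CryptoAPI, the engine IE11 and Outlook both rely on.
# Root alone: an empty ChainStatus means the machine trusts it.
# Site leaf: UntrustedRoot or PartialChain means the proxy CA is not accepted;
# RevocationStatusUnknown / OfflineRevocation matches the revocation warning
# mentioned in the thread.
$target = if ($HostName) { Get-RemoteCertificate -Name $HostName } else { $root }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($target)

"Subject checked    : $($target.Subject)"
"Chain build result : $built"
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject) [$($e.Certificate.Thumbprint)]" }
foreach ($s in $chain.ChainStatus)   { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
```

Run it once on a machine built from the Microsoft ISO and once on one built from the modified image, with the same thumbprint and host. If `PresentViaGPO` is true on both but only the modified image reports `UntrustedRoot`, the GPO is delivering the certificate correctly and the difference lies in how that policy copy is consumed on the modified build; if `PresentViaGPO` is false, the policy is not reaching the machine at all. Re-running with `-RevocationMode NoCheck` separates the trust question from the revocation-endpoint warning.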
 
Hi,

I finally found this thread. We also use NTLite (1.80.7115) to build our images, in this case with Windows 10 LTSC 1809.

We also have exactly the initial poster's problem: our internal certificate authority as well as some self-signed certificates are assigned by a GPO. This worked for many years with various operating systems (XP, 7, W10 LTSB 1607) without any problems.

But now, with the first computers being rolled out with Windows 10 1809, IE 11 no longer recognizes trusted certificate authorities added by GPO.

When I manually install the same certificate (same fingerprint) into the same certificate store, it works, regardless of whether I remove the certificate added by the GPO beforehand or not.

This seems to be a weird side effect of the NTLite image used for the installation.

Are there any updates on this topic?

Kind Regards,
Wolfgang
 
Nothing from me I'm afraid, I just resorted to manually adding the cert as we only have about 60 PCs in total.
 
Have you meanwhile found another solution? We have the same problem with Outlook in the domain and autodiscover.
Outlook prompts with "the security certificate presented by this website was not issued by a trusted certificate authority".
I tried many different images, even one with only an unattended setup, but it still happens.
 