-->
Windows 10 Update Root Certificates Feature Isn't Enabled
On Tuesday, August 25th, 2020, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.
In Internet Explorer, click Tools, and then click Internet Options. On the Security tab, click the Trusted Sites icon. Click Sites and then add these website addresses one at a time to the list: You can only add one address at a time and you must click Add after each one. ConfigMgr simply 'pushes' Windows Updates. I don't think the root cert updates are part of any actual Windows Updates so this won't do it for you. As noted, I don't think they are part of a specific update which is all WSUS and thus ConfigMgr can deploy. The Windows Updates ones. The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.Usually, a client computer polls root certificate updates one time a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours. Windows 10 has built-in certificates and automatically updates them. However, you can still manually add more root certificates to Windows 10 from certificate authorities (CAs). There are numerous certificate issuing authorities, with Comodo and Symantec among the best known. How can I add Windows 10 root certificates manually?
This release will NotBefore the following roots (CA Root Certificate SHA-1 Thumbprint):
- China Financial Certification Authority (CFCA) China Financial CA EABDA240440ABBD694930A01D09764C6C2D77966
- LuxTrust LuxTrust Global Root 2 1E0E56190AD18B2598B20444FF668A0417995F3F
This release will NotBefore the Code Signing EKU to the following roots: Cancan college st paul mo.
- China Financial Certification Authority (CFCA) CFCA EV ROOT E2B8294B5584AB6B58C290466CAC3FB8398F8483
- Chunghwa Telecom Chunghwa Telecom Co., Ltd. - ePKI Root Certification Authority 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0
- Chunghwa Telecom ePKI Root Certification Authority - G2 D99B104298594763F0B9A927B79269CB47DD158B
- DigiCert Symantec Enterprise Mobile Root for Microsoft 92B46C76E13054E104F230517E6E504D43AB10B5
- Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) Autoridade Certificadora Raiz Brasileira v2 A9822E6C6933C63C148C2DCAA44A5CF1AAD2C42E
- Government of India, Ministry of Communications & Information Technology, Controller of Certifying Authorities (CCA) CCA India 2015 SPL 3BC6DCE00307BD676041EBD85970C62F8FDA5109
- Izenpe S.A. Izenpe.com 30779E9315022E94856A3FF8BCF815B082F9AEFD
- Korea Information Security Agency (KISA) KISA RootCA 1 027268293E5F5D17AAA4B3C3E6361E1F92575EAA
- NetLock Ltd. NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado 016897E1A0B8F2C3B134665C20A727B7A158E28F
- SI-TRUST SI-TRUST Root 3A4979B40FA841488200B582FBEEB63AAB9919AE
This release will Disallow the OCSP EKU to the following roots:
- Chunghwa Telecom Chunghwa Telecom Co., Ltd. - ePKI Root Certification Authority 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0
- DigiCert Baltimore CyberTrust Root D4DE20D05E66FC53FE1A50882C78DB2852CAE474
- Government of Spain, Dirección General de la Policía ? Ministerio del Interior ? España. AC R AIZ DNIE B38FECEC0B148AA686C3D00F01ECC8848E8085EB
- Korea Information Security Agency (KISA) KISA RootCA 1 027268293E5F5D17AAA4B3C3E6361E1F92575EAA
- SI-TRUST SI-TRUST Root 3A4979B40FA841488200B582FBEEB63AAB9919AE
This release will NotBefore the EFS EKU to the following roots:
- Austrian Society for Data Protection (Arge Daten) (GlobalTrust) GLOBALTRUST 342CD9D3062DA48C346965297F081EBC2EF68FDC
- China Financial Certification Authority (CFCA) CFCA EV ROOT E2B8294B5584AB6B58C290466CAC3FB8398F8483
- Chunghwa Telecom Chunghwa Telecom Co., Ltd. - ePKI Root Certification Authority 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0
- Chunghwa Telecom ePKI Root Certification Authority - G2 D99B104298594763F0B9A927B79269CB47DD158B
- Entrust AffirmTrust Premium D8A6332CE0036FB185F6634F7D6A066526322827
- Entrust AffirmTrust Commercial F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7
- Entrust Entrust Root Certification Authority B31EB1B740E36C8402DADC37D44DF5D4674952F9
- Entrust AffirmTrust Premium ECC B8236B002F1D16865301556C11A437CAEBFFC3BB
- Entrust Entrust.net Certification Authority (2048) 503006091D97D4F5AE39F7CBE7927D7D652D3431
- Entrust Entrust Root Certification Authority - G2 8CF427FD790C3AD166068DE81E57EFBB932272D4
- Entrust AffirmTrust Networking 293621028B20ED02F566C532D1D6ED909F45002F
- Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) GDCA TrustAUTH R5 ROOT 0F36385B811A25C39B314E83CAE9346670CC74B4
- Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) Autoridade Certificadora Raiz Brasileira v2 A9822E6C6933C63C148C2DCAA44A5CF1AAD2C42E
- Government of India, Ministry of Communications & Information Technology, Controller of Certifying Authorities (CCA) CCA India 2015 SPL 3BC6DCE00307BD676041EBD85970C62F8FDA5109
- Government of India, Ministry of Communications & Information Technology, Controller of Certifying Authorities (CCA) CCA India 2014 A2B86B5A68D92819D9CE5DD6D7969A4968E11991
- IdenTrust Services, LLC IdenTrust Public Sector Root CA 1 BA29416077983FF4F3EFF231053B2EEA6D4D45FD
- IdenTrust Services, LLC DST Root CA X3 DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- OISTE OISTE WISeKey Global Root GC CA E011845E34DEBE8881B99CF61626D1961FC3B931
- SI-TRUST SI-TRUST Root 3A4979B40FA841488200B582FBEEB63AAB9919AE
This release will NotBefore the IP Security EKUs to the following roots:
- Austrian Society for Data Protection (Arge Daten) (GlobalTrust) GLOBALTRUST 342CD9D3062DA48C346965297F081EBC2EF68FDC
- China Financial Certification Authority (CFCA) CFCA EV ROOT E2B8294B5584AB6B58C290466CAC3FB8398F8483
- Chunghwa Telecom Chunghwa Telecom Co., Ltd. - ePKI Root Certification Authority 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0
- Entrust AffirmTrust Premium D8A6332CE0036FB185F6634F7D6A066526322827
- Entrust AffirmTrust Commercial F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7
- Entrust Entrust Root Certification Authority B31EB1B740E36C8402DADC37D44DF5D4674952F9
- Entrust AffirmTrust Premium ECC B8236B002F1D16865301556C11A437CAEBFFC3BB
- Entrust Entrust.net Certification Authority (2048) 503006091D97D4F5AE39F7CBE7927D7D652D3431
- Entrust Entrust Root Certification Authority - G2 8CF427FD790C3AD166068DE81E57EFBB932272D4
- Entrust AffirmTrust Networking 293621028B20ED02F566C532D1D6ED909F45002F
- Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) Autoridade Certificadora Raiz Brasileira v2 A9822E6C6933C63C148C2DCAA44A5CF1AAD2C42E
- Izenpe S.A. Izenpe.com 30779E9315022E94856A3FF8BCF815B082F9AEFD
This release will add to the following roots:
- Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) Autoridade Certificadora Raiz Brasileira v10 6C155ED7271A904A0DC040F0C857FF53BF6DB290
Note
- Windows 10 allows us to stop trusting roots or EKU's using the 'NotBefore' or 'Disable' properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
- The NotBefore and Disable dates are set for the first day of the release month.
- The update package will be available for download and testing at: https://aka.ms/CTLDownload
- Signatures on the Certificate Trust Lists (CTLs) for the Microsoft Trusted Root Program changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. For more information, please visit: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
The Microsoft Trusted Root Certificate Program releases changes to our Root Store on a monthly cadence, except for December. The public can expect the following cadence for releases:
- Additions and non-deprecating modifications will be completed any month
- Certificate Authority (CA)-initiated and CA-confirmed deprecations will occur on even numbered months
- Microsoft-initiated deprecations will occur in February and August releases
If you are a certificate user who has active certificates chaining up to a deprecating root, please reach out to your CA to understand how changes may impact your certificates.Update packages will be available for download and testing at https://aka.ms/CTLDownload
Please note, the changes listed are accurate at the time of posting but are subject to change.
A list of Root Store participants, updated monthly, can be found here: https://aka.ms/trustcertpartners.
2020
Month | Date of Release | Release Notes |
---|---|---|
October | October 27 | Deployment Notice Posted October 27 |
September | September 29 | Deployment Notice Posted September 29 |
September | September 3 | Deployment Notice Posted September 3 |
August | August 25 | Deployment Notice Posted August 18 |
July | July 28 | Deployment Notice Posted July 27 |
June | June 30 | Deployment Notice Posted June 9 |
May | May 19 | Deployment Notice Posted May 19 |
April | April 28 | Deployment Notice Posted April 21 |
April | Notice Posted April 1 | |
March | March 24th | Deployment Notice Posted March 18 |
February | February 25th | Deployment Notice Posted February 3 |
January | January 28 | Deployment Notice Posted January 22 |
2019
Month | Date of Release | Release Notes |
---|---|---|
October | November 5 | Deployment Notice Posted October 11 |
August | August 14 | Deployment Notice Posted August 14 |
August | August 27 | Deployment Notice Posted August 2 |
July | July 10 | Deployment Notice Posted July 11 |
July | July 30 | Deployment Notice Posted July 2 |
June | July 2 | Deployment Notice Posted June 5 |
May | May 28 | Deployment Notice Posted May 1 |
April | April 30 | Deployment Notice Posted April 15 |
March | March 26 | Deployment Notice Posted March 6 |
February | March 5 | Deployment Notice Posted February 19 |
January | January 29 | Deployment Notice Posted January 23 |
2018
Windows 10 Root Certificate Update Download
2018 and earlier coming soon