Powershell: Force full update of Root CA store

By default, Windows comes only with a small set of Root CA’s in the trusted Root CA store. These are enough to get you started, but as soon as you visit a website that uses HTTPS and the Root CA that has issued the certificate is not in your trusted Root CA list, the Root CA certificate is downloaded from Windows Update.

Generally, this is a good solution, as long as your clients can reach Windows Update to start with and they aren’t non-persistent VDI clients.

Currently, we are noticing that Internet Explorer sometimes hangs for a few seconds and then continues. At the same time, an event is logged ( CAPI2 4097 ) telling you that the Root CA has been updated. Again, this works fine on persitent VDI’s, laptops, desktops and servers. On a non-persistent VDI however, this process is repeated for every CA on every session for every user. Not so nice.

Currently, we are still testing what yields the best results. I’ve written the script below, which creates a directory on the C:\ disk, downloads all root CA’s from Windows Update into this directory and then imports every .crt in the Root CA store, then removes the directory. I’ve imported this script into RES Workspace and is being run during logon. As it’s run in the background there is no noticable delay in logon time, and after logon, about 380 CA’s (we have some internal and private CA’s added as well) are visible in the certificate manager.

You could consider adding this as a step in your SCCM task sequence or however you create your VDI image, so it’s not performed during logon. However, this means that CA’s that are added later will have to be downloaded on demand, and also CA’s that are revoked or updated after you’ve made your image will have to be updated on demand as well.

md C:\Certs
certutil -syncwithWU C:\Certs
$files = Get-ChildItem -Path 'C:\certs\*' -Include '*.crt'
Foreach ($file in $files) {
$importfile = "$file"
certutil -addstore -f Root "$importfile"
write-host $importfile
rd c:\certs -Recurse

Update: Oh yea! As you can see, i’m using Certutil to import the certificates. That’s because my current customer is still running Windows 7. When you’re on Windows 8/2012 and higher, you should ofcourse use the PS commandlet “Import-Certificate”, together with the appropriate config ofcourse.