Inspired by this thread viewtopic.php?f=6&t=9006 (and as suggested in older threads [1] and [2]), I suggest adding a feature to download and install MS Root CAs before any update or feature is installed on the clients. Missing root certificates prevent the installation of certain updates and software like .NET Framework when a client system is completely offline. Some Windows Update prerequisite updates might contain the MS Root CAs (like the new ones for w61), but others might not. That's why I think adding certificates is the better and more flexible way.
I'm not sure whether or not MS would complain if WOU shipped the certificates, but to make sure they don't, I suggest downloading them instead. This should be easy to implement as well. The certificates' download URLs can be found in the MS PKI repository. Downloading can be done the usual way (wget, aria2). The import on the clients can be done via certutil.exe, like this:
Code:
rem Import every .crt from the client cert folder into the machine's Root store.
rem dir /b prints bare file names only, so the folder must be put back in front
rem of %%~F or certutil will not find the file unless it is run from that folder.
for /F "delims=" %%F IN ('dir /b wsusoffline\client\certs\*.crt') DO (
    %SystemRoot%\system32\certutil.exe -addstore Root "wsusoffline\client\certs\%%~F"
)
Code:
rem list.txt has one line per certificate: <file>,<store>. Token 1 is the file
rem name, token 2 the target store (Root, AuthRoot, TrustedPeople, ...), so the
rem list decides where each .crt goes. List and .crt files live in one folder.
for /F "tokens=1,2 delims=," %%F IN (wsusoffline\client\certs\list.txt) DO (
    if exist "wsusoffline\client\certs\%%~F" %SystemRoot%\system32\certutil.exe -addstore %%G "wsusoffline\client\certs\%%~F"
)
Code (list.txt):
MicRooCerAut2011_2011_03_22.crt,Root
MicRooCerAut_2010-06-23.crt,Root
somecert.crt,AuthRoot
someothercert.crt,TrustedPeople
The mechanism could even be expanded to download the current certificates, which would then be independent of the URLs in MS's PKI repo, but could also add unwanted certificates to the store, depending on the implementation. Different ways to download and install the certificates can be found in the article "Updating List of Trusted Root Certificates in Windows 10 / 7". The download would be done by certutil.exe or wget/aria2, depending on the method.
Regards
Dalai
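As an added example (not part of Dalai's post or of the WSUS Offline project), a check that could run on the download side before the .crt files are handed to the client script above: it assumes list.txt is extended with a pinned SHA-256 as a third column, and it only emits certutil commands for entries whose file exists, whose store is on an allow-list and whose hash matches, which is one way to keep the "unwanted certificates" case out of the store.

```python
# Pre-import check for a WSUS Offline style certificate list. Line format,
# extended here with a third column that the post's list.txt does not have:
#     <file>.crt,<store>,<sha256-hex>
# Entries that fail any check are reported and skipped, never imported.
import hashlib

ALLOWED_STORES = {"Root", "AuthRoot", "TrustedPeople"}  # stores list.txt uses
CLIENT_CERT_DIR = r"wsusoffline\client\certs"           # path used in the post


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def plan_imports(manifest_text, cert_bytes_by_name):
    """Return (commands, rejected): certutil lines for entries that passed
    every check, and (entry, reason) pairs for those that did not."""
    commands, rejected = [], []
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            rejected.append((line, "expected 'file,store,sha256'"))
            continue
        name, store, pinned = parts
        if store not in ALLOWED_STORES:
            rejected.append((line, "store not allowed: " + store))
        elif name not in cert_bytes_by_name:
            rejected.append((line, "file missing"))
        elif sha256_hex(cert_bytes_by_name[name]) != pinned.lower():
            rejected.append((line, "sha256 mismatch"))
        else:
            commands.append(r'%%SystemRoot%%\system32\certutil.exe -addstore %s "%s\%s"'
                            % (store, CLIENT_CERT_DIR, name))
    return commands, rejected


def demo():
    """Constructed sample: one good entry, one hash mismatch, one bad store.
    The byte strings stand in for DER files; they are not real certificates."""
    good = b"constructed stand-in for a DER certificate"
    certs = {"MicRooCerAut2011_2011_03_22.crt": good,
             "somecert.crt": b"tampered", "extra.crt": b"anything"}
    manifest = "\n".join([
        "MicRooCerAut2011_2011_03_22.crt,Root," + sha256_hex(good),
        "somecert.crt,AuthRoot," + sha256_hex(b"original"),
        "extra.crt,My," + sha256_hex(b"anything")])
    return plan_imports(manifest, certs)
```

The emitted lines can be written into a .cmd file for the client; pinned hashes would be kept in the project's own repository rather than downloaded alongside the certificates.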