Certificates Missing After Upgrading from Windows 10 Version 1809 to Newer Feature Update

by Timothy Higbie
Desktop & Applications Architect

Microsoft has acknowledged that Windows 10 Cumulative Updates from September 2020 and later contain a bug that can cause all certificates to be deleted from a PC during the upgrade from version 1809 to a newer Feature Update. This can lead not only to a failed upgrade but also to connection problems for users working via VPN, since they will no longer have valid certificates.

The problem occurs when you attempt to upgrade a PC that has already received the September 2020 or later Cumulative Update by using an upgrade package that does not also contain that Cumulative Update. The workaround that Microsoft suggests is to update your upgrade installation package with the latest Cumulative Patch.

Microsoft recommends the following procedure to update your upgrade package:

  • In Microsoft Endpoint Configuration Manager use Scheduled Updates to deploy the latest Cumulative Patch to your upgrade package. This will initiate offline servicing and update the install.wim file with the latest patch.
  • Download the latest Windows 10 ISO dated October 2020 or later. Use the files from this ISO to replace the outdated files in your package source directory and be sure to update Distribution Points.
  • In the Upgrade Operating System task select the option to Dynamically update Windows Setup with Windows Update.
    • If you are not blocking access to Microsoft Update, then select the sub option to Override Policy and use default Microsoft Update.
    • If you are blocking access to Microsoft Update, then do not select the Override Policy option. This will cause the task sequence to attempt to get the update from the WSUS server (not the MECM distribution point). In this case the dynamic update package must be manually imported into WSUS from the Microsoft Update Catalog. When doing so, search for the term “Dynamic Update for Windows 10…” and select the latest package.
  • You can also simply apply the dynamic update manually to the Upgrade Operating System Package:
    • On the Microsoft Update Catalog website, download the latest “Dynamic Update for Windows 10 …”.
    • Extract the contents of the cab file.
    • Copy the contents of the cab file to the source directory of the Upgrade Operating System Package, overwriting any existing files.
    • Update Distribution Points.

As of November 2020, this issue has still not been corrected, so please be sure to patch your upgrade packages if you will be doing any Feature Updates!
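To confirm that a given upgrade did not hit the certificate deletion described above, you can inventory the machine certificate stores before the Feature Update and compare afterwards. The script below is an added example, not code from Microsoft or from the original article; the snapshot path and the list of stores are assumptions to adjust for your environment.

```powershell
# Added example: run with -Mode Snapshot before the upgrade, -Mode Compare after.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Assumed location; choose a path (or share) that survives the in-place upgrade.
    [string]$Path = "$env:ProgramData\CertSnapshot\certs.json"
)

# Assumed set of stores: machine certificates (VPN/device auth) plus trust anchors.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

function Get-CertInventory {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Store'; e = { $store } }, Thumbprint, Subject,
                          @{n = 'NotAfter'; e = { $_.NotAfter.ToString('o') } },
                          HasPrivateKey
    }
}

if ($Mode -eq 'Snapshot') {
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # -InputObject keeps the JSON an array even with zero or one certificate.
    ConvertTo-Json -InputObject @(Get-CertInventory) -Depth 3 |
        Set-Content -Path $Path -Encoding UTF8
    Write-Output "Saved certificate inventory to $Path"
    return
}

# Compare mode: index what is present now by store + thumbprint.
$before = Get-Content -Path $Path -Raw | ConvertFrom-Json
$after = @{}
foreach ($c in Get-CertInventory) { $after["$($c.Store)|$($c.Thumbprint)"] = $true }

# Anything in the snapshot that is no longer present was lost across the upgrade.
$missing = foreach ($b in $before) {
    if (-not $after.ContainsKey("$($b.Store)|$($b.Thumbprint)")) { $b }
}

if ($missing) {
    $missing | Sort-Object Store, Subject |
        Format-Table Store, Subject, Thumbprint, HasPrivateKey -AutoSize
    Write-Warning "$(@($missing).Count) certificate(s) from the snapshot are missing."
    exit 1
}
Write-Output 'All certificates from the snapshot are still present.'
```

The non-zero exit code in Compare mode lets a task sequence step or compliance check flag affected machines before users report VPN failures.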

If you would like more information or assistance from our industry-leading team of Microsoft Windows Desktop experts to plan and execute the upgrade, please contact us at service@helient.com.