Unverified Certificates

Last update: 02.10.2022

When ThreatLocker checks whether code is signed, we check the certificate against the root CAs installed on your computer to verify that it was signed by a trusted source. If the certificate was not signed by a trusted source, it is displayed in red and marked as unverified.


Windows will automatically update the root CAs from Microsoft. If your computer has not run Windows Update in some time, the root CAs can be out of date. The same can happen in some circumstances when you patch using an RMM tool, because the root CAs are not updated as part of the patches being installed. As a result, a certificate may not be shown as verified even though it is valid. There is no automatic way to download the root CAs other than running Windows Update on the computer.

You can manually update the root CAs by exporting them from a computer that has them and importing them on the computer that needs them.




Certutil can also be used to download a list of root CAs from Windows Update. Because ThreatLocker has a policy that explicitly denies Certutil, you will need to temporarily allow it on the endpoint where you want to use it.

Run Command Prompt as an Administrator. Use the command: certutil -generateSSTFromWU roots.sst  

This will download a full list of root CAs that are currently available.

Remember to secure the Certutil policy again afterwards so that Certutil does not continue to be permitted.
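
The following PowerShell function is an added example, not ThreatLocker's own code. It compares the roots.sst file produced by the command above with the computer's Trusted Root store, lists the roots that are missing, and can add them. The names Compare-RootStore, -SstPath and -Import are hypothetical, and the example assumes roots.sst is in the current directory and the session is elevated.

```powershell
# Added example: Compare-RootStore, -SstPath and -Import are hypothetical names.
function Compare-RootStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SstPath,  # file written by certutil -generateSSTFromWU
        [switch] $Import                           # add the missing roots (needs elevation)
    )

    # Load every certificate contained in the serialized store (.sst) file.
    $downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $downloaded.Import((Resolve-Path -LiteralPath $SstPath).ProviderPath)

    # Thumbprints of the roots this computer already trusts.
    $trusted = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object { $trusted[$_.Thumbprint] = $true }

    # Roots that are absent locally and still inside their validity period.
    $now = Get-Date
    $missing = @($downloaded | Where-Object {
        -not $trusted.ContainsKey($_.Thumbprint) -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })

    if ($Import -and $missing.Count -gt 0) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try     { $missing | ForEach-Object { $store.Add($_) } }
        finally { $store.Close() }
    }

    # One row per missing root so the change can be reviewed or logged.
    $missing | Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'Imported'; Expression = { [bool]$Import } }
}

# Report only; nothing is changed on the computer:
Compare-RootStore -SstPath .\roots.sst | Format-Table -AutoSize

# Report and add the missing roots to the Local Machine Trusted Root store:
# Compare-RootStore -SstPath .\roots.sst -Import
```

Running the report first shows exactly which roots would be added before the trust store is changed.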
