Forum Discussion
sarchio69
Jun 19, 2022
Copper Contributor
After Windows 2019 CU KB5012647, enabling IIS automatic rebind of renewed certificates gets an error
Hello everyone,
after installing the KB5012647 cumulative update on a Windows Server 2019 it seems no longer possible to enable the IIS function "automatic rebind of renewed certificates". I get this error:
Error occurred when trying to register automatic rebinding of certificate.
Details: The process creation has been blocked
Any hint?
Thank you
Riccardo
- MattHamrick
Microsoft
The fix for this issue for WS2019 was released in the November 2022 patch Tuesday release (EDIT: and the fix for WS2022 was released in the October 2022 cycle - the same KIR stuff that follows has to be applied on both as of this writing); however, the fix is behind KIR (Known Issue Rollback) and has to be enabled via Group Policy. In a few months the KIR will be removed and the fix will be enabled by default afterwards.
To enable the fix, you will need to download and install a Group Policy from
https://download.microsoft.com/download/0/4/1/0413f07f-a428-4316-9673-2327c328dc34/Windows%2010%201809%20and%20Windows%20Server%202019%20KB5019966%20221129_22351%20Feature%20Preview.msi.
The below article has information on enabling the GP after it's installed:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback
- andrewmcn
Copper Contributor
I have this issue today and it wasn't helped by the KIR.
- MattHamrick
Microsoft
I've not heard of any others experiencing the issue after applying the KIR post-patch. Make sure you go through the process again to ensure it's applied correctly. Also, I'm not sure when, but I'm sure it will be auto-applied soon.
- Sven_Gao
Copper Contributor
Sharing two solutions:
1. Open a cmd with admin privileges, run an MMC, and add the IIS console. Try the same to enable IIS certificate auto-renew. It works for me.
2. The IIS certificate auto-renew is a scheduled task under 'Task scheduler-Microsoft-Windows-CertificateServiceClient'. You can create the scheduled task manually.