Windows 10 version 1511 TLS Server certificate validation optimization only supports computer-disallowed certificates


Symptoms


In Windows 10 (version 1511 or later), Windows clients no longer treat certificates in the current user's disallowed certificate store as revoked. As a result, Windows clients can successfully navigate to websites that were previously blocked because their certificate chained to an entry in that store.

Cause


Windows introduced an optimization in version 1511 that moves SSL server certificate validation into lsass.exe. This validation path consults only the local computer's disallowed certificate store; it does not check the current user's disallowed certificate store for SSL server certificates.

Resolution


To resolve this issue, add the root certificates to the local computer's disallowed certificate store instead of the current user's store. Windows clients will then refuse to navigate to websites whose certificates chain to a certificate in the computer's disallowed certificate store.
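The following PowerShell script is an added example, not part of the original article, showing how an administrator can check which disallowed store a distrusted root certificate currently sits in, add it to the local computer's disallowed store that the lsass.exe validation path actually consults, and then confirm that chain building reports the certificate as explicitly distrusted. The file path in `$CertFile` is an assumed placeholder; the script must run in an elevated session because it writes to a LocalMachine store.

```powershell
# Added example (not from the original article). Requires an elevated
# PowerShell session; Import-Certificate comes from the PKI module that
# ships with Windows 8 / Windows Server 2012 and later.
$CertFile = 'C:\certs\untrusted-root.cer'   # assumption: placeholder path to the root cert (DER or Base64)

# Load the certificate in memory only, so we can read its thumbprint
# without importing it into any store yet.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$thumb = $cert.Thumbprint

# The Cert: drive exposes each store entry by thumbprint, so Test-Path tells
# us whether the certificate is already in a given store.
$inUserStore    = Test-Path "Cert:\CurrentUser\Disallowed\$thumb"
$inMachineStore = Test-Path "Cert:\LocalMachine\Disallowed\$thumb"

Write-Host "Thumbprint              : $thumb"
Write-Host "CurrentUser\Disallowed  : $inUserStore   (ignored for TLS server certs on 1511+)"
Write-Host "LocalMachine\Disallowed : $inMachineStore"

if (-not $inMachineStore) {
    # This is the store that the version 1511+ validation path honours.
    Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
    Write-Host "Added $thumb to LocalMachine\Disallowed"
}

# Verify: build a chain for the root itself. With the certificate in the
# Disallowed store, Build() returns $false and the status flags include
# ExplicitDistrust (CERT_TRUST_IS_EXPLICIT_DISTRUST at the CryptoAPI level).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($cert)
$flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

Write-Host "Chain builds as trusted : $valid"
Write-Host "Chain status flags      : $flags"
if ($flags -match 'ExplicitDistrust') {
    Write-Host 'OK: the certificate is explicitly distrusted machine-wide.'
} else {
    Write-Warning 'Certificate is not reported as explicitly distrusted; check the store and rerun.'
}
```

The `Test-Path` checks make the symptom in this article visible at a glance: a certificate that appears only under `Cert:\CurrentUser\Disallowed` will still validate for TLS on Windows 10 version 1511 and later, while the same certificate under `Cert:\LocalMachine\Disallowed` causes chain building to fail. To remove the entry later, delete `Cert:\LocalMachine\Disallowed\<thumbprint>` from an elevated session.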