Windows 10 version 1511 TLS Server certificate validation optimization only supports computer-disallowed certificates


In Windows 10 (version 1511 or later), Windows clients no longer treat certificates in the current user's disallowed certificate store as revoked when validating TLS server certificates. As a result, websites whose certificates chain to a root placed only in that per-user store, which earlier Windows versions blocked, now load successfully.


Windows 10 version 1511 introduced an optimization that moves TLS (SSL) server certificate validation into lsass.exe. Because that validation no longer runs in the user's own session, it does not consult the current user's disallowed certificate store; only the local computer's disallowed store is checked.


To resolve this issue, add the root certificates to the local computer's disallowed certificate store instead. Windows clients then fail validation for, and cannot navigate to, any website whose certificate chains to a root in the computer's disallowed certificate store.
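The following PowerShell script is an added example that is not part of the Microsoft article. It shows the fix above in practice: it lists what the per-user Disallowed store currently holds (entries that the 1511 optimization ignores for TLS server validation), imports a distrusted root into the local computer's Disallowed store, verifies the import by thumbprint, and, as a generalization of the article's single-certificate step, copies every certificate already in the per-user store into the machine store. The file path `C:\certs\untrusted-root.cer` is a placeholder; the script assumes an elevated prompt and the built-in PKI module (`Import-Certificate`).

```powershell
# Added example, not from the Microsoft article.
# Requires an elevated PowerShell prompt and the PKI module (Windows 8 / Server 2012 and later).
# 'C:\certs\untrusted-root.cer' is a placeholder path for the root you want Windows to reject.

$RootCerFile = 'C:\certs\untrusted-root.cer'   # placeholder, replace with the real .cer file

# 1. Show what the per-user Disallowed store holds. On Windows 10 1511+ these entries
#    are no longer consulted when lsass.exe validates a TLS server certificate.
Write-Host 'Certificates in Cert:\CurrentUser\Disallowed (ignored for TLS server validation):'
Get-ChildItem -Path Cert:\CurrentUser\Disallowed |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. The fix: import the root into the local computer's Disallowed store.
#    Import-Certificate returns the X509Certificate2 object(s) it stored.
$imported = Import-Certificate -FilePath $RootCerFile `
    -CertStoreLocation Cert:\LocalMachine\Disallowed

# 3. Verify by thumbprint that the root is now in the machine store.
$check = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if ($check) {
    Write-Host ("Root '{0}' ({1}) is now in LocalMachine\Disallowed" -f $check.Subject, $check.Thumbprint)
} else {
    Write-Error 'Import did not appear in Cert:\LocalMachine\Disallowed'
}

# 4. Generalization (assumption: you want every per-user block to keep working):
#    copy all certificates from the user's Disallowed store into the machine store,
#    using the .NET X509Store API so no temporary files are needed.
function Copy-UserDisallowedToMachine {
    $machineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'Disallowed', [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $machineStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $machineStore.Certificates | ForEach-Object { $_.Thumbprint }
        foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Disallowed) {
            if ($existing -contains $cert.Thumbprint) {
                Write-Host ("Already present in machine store: {0}" -f $cert.Thumbprint)
                continue
            }
            # Add the certificate object itself; no private key is involved for a disallowed root.
            $machineStore.Add($cert)
            Write-Host ("Copied to machine store: {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
        }
    } finally {
        $machineStore.Close()
    }
}

Copy-UserDisallowedToMachine

# Equivalent import with the built-in certutil tool (machine store is the default scope):
#   certutil -addstore Disallowed C:\certs\untrusted-root.cer
# Note that 'certutil -user -addstore Disallowed ...' targets the per-user store,
# which is exactly the store this optimization no longer checks.
```

After the import, a TLS connection to a site whose chain ends at that root fails certificate validation in the same way it did before version 1511, because the chain engine used by lsass.exe does consult the local computer's Disallowed store. Keep the per-user entries if other, non-TLS consumers on the machine still rely on them; the machine-store copy is additive.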