Symptoms
A Windows device is unable to register a passkey for a user. Registration fails with the message "Registration failed." and returns the following error:
HandleUrl(Register(PRofileManagement(PutCert("Host error: failed to store certificate"))))
Root Cause
The ownership of the %AppData%\Roaming\Microsoft\SystemCertificates\My\Certificates folder is not set for the user or has been unassigned.
The ownership of the folder can be changed or unassigned by upgrading the operating system (for example, from Windows 10 to Windows 11) or by doing a system repair/restore on the operating system. Essentially, Microsoft's feature updates can cause this.
Diagnosis
The ownership can be checked by navigating to %AppData%\Roaming\Microsoft\SystemCertificates\My\Certificates and ensuring that the "SystemCertificates" folder and every folder beneath it are owned by the user that is attempting to create the passkey.
To check the ownership of the folder, open the properties of the folder and select the Security tab.
Open the Advanced option; it shows the owner of the folder.
PowerShell Command
The folder's owner can also be verified with a PowerShell command (replace <user> with the affected user's profile name):
(Get-Acl 'C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates').Owner
Solution
Setting the current user as the folder owner will solve the issue.
The owner can be changed from the Advanced security settings by selecting the Change link, typing the username in the object name text box, and clicking the Check Names button. If the name resolves to the correct user, save the changes by clicking the OK button.
PowerShell Command
The ownership can be assigned using a PowerShell command (replace <domain>\<user> with the affected account; this requires an elevated session):
icacls.exe "C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates" /setowner "<domain>\<user>" /T /C /Q > $null
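The check from the Diagnosis section and the fix from the Solution section, combined into one script. This is an added example, not part of the original article: it walks the whole SystemCertificates tree, lists every folder whose owner is not the expected account, and only when run with -Repair hands the tree to icacls and re-checks the result. It assumes the expected owner is written as DOMAIN\user (for a local account, the domain is the computer name) and that a repair is run from an elevated session.

```powershell
# Added example (not from the original article): check, and optionally repair,
# the owner of the per-user certificate store folders that passkey registration writes to.
# Assumptions: -User is the expected owner as DOMAIN\user; -ProfileRoot is the affected
# user's profile; -Repair needs an elevated session because it changes ownership.
param(
    [string]$User = "$env:USERDOMAIN\$env:USERNAME",
    [string]$ProfileRoot = $env:USERPROFILE,
    [switch]$Repair
)

# %AppData% already resolves to ...\AppData\Roaming, so build the path from the profile root.
$root = Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\SystemCertificates'
$leaf = Join-Path $root 'My\Certificates'

if (-not (Test-Path $leaf)) {
    Write-Warning "Path not found: $leaf"
    return
}

# Check SystemCertificates and every folder beneath it, as the Diagnosis section describes.
$folders = @(Get-Item $root) + @(Get-ChildItem $root -Directory -Recurse)
$wrong = foreach ($f in $folders) {
    $owner = (Get-Acl $f.FullName).Owner          # same value the article reads with Get-Acl
    if ($owner -ne $User) {                         # string comparison is case-insensitive
        [pscustomobject]@{ Path = $f.FullName; Owner = $owner }
    }
}

if (-not $wrong) {
    Write-Host "All folders under $root are owned by $User"
    return
}

Write-Host "Folders not owned by ${User}:"
$wrong | Format-Table -AutoSize

if ($Repair) {
    # Same icacls switches as the article: /T recurse, /C continue on error, /Q quiet.
    & icacls.exe $root /setowner $User /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls exited with code $LASTEXITCODE" }

    # Re-read the ACLs so the script reports what actually changed, not what was requested.
    $still = foreach ($f in $folders) {
        if ((Get-Acl $f.FullName).Owner -ne $User) { $f.FullName }
    }
    if ($still) { Write-Warning "Owner still wrong on: $($still -join ', ')" }
    else        { Write-Host "Owner set to $User on all folders under $root" }
}
```

Run it once without -Repair to see which folders are affected, then again with -Repair from an elevated prompt; a folder that stays wrong after the repair usually means the session lacked the right to take ownership.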
Comments
A way to check this using PowerShell:
Fix acl, if needed: