
Microsoft Resolves Certificate Enrollment Errors in Windows

Fixed: How to Resolve Windows Certificate Enrollment Errors After Recent Updates

If you’re an IT administrator who has recently encountered frustrating certificate enrollment or renewal failures on Windows devices, you are not alone. A recent issue has been causing significant disruptions, but a solution is now available. This guide breaks down the problem, its cause, and the essential steps you need to take to resolve it.

Understanding the Problem: Error 0x80070057

Following the April 2024 Windows security updates, many system administrators began reporting failures when attempting to enroll or renew digital certificates. The issue primarily manifests with a specific error message: “The parameter is incorrect,” often accompanied by the error code 0x80070057 (E_INVALIDARG).

This problem affects a wide range of Windows versions, including:

  • Windows Server 2022, 2019, and 2016
  • Windows 11 (versions 21H2, 22H2, 23H2)
  • Windows 10

The error typically occurs when the Certificate Authority (CA) that signs the certificates is running an older version of Windows Server (such as Server 2008 R2) or is a non-Windows-based CA. This incompatibility, introduced by the recent security updates, is the root cause of the enrollment failures.

The Solution: Emergency Out-of-Band Updates

In response to these widespread issues, Microsoft has released emergency out-of-band (OOB) updates to correct the certificate enrollment bug. It is crucial to understand that these fixes will not be delivered automatically through Windows Update. You must manually download and install the appropriate update for your affected systems from the Microsoft Update Catalog.

These updates are cumulative, meaning they include all previous security fixes, so you do not need to uninstall the April update before applying this new patch.

Actionable Steps: How to Fix the Certificate Error

To restore normal certificate enrollment functionality, follow these steps for each of your affected Windows machines, from servers to client endpoints.

  1. Identify Your Windows Version: Determine the exact version and build of the operating system experiencing the error. You can find this by typing winver in the Start Menu or Run command.

  2. Visit the Microsoft Update Catalog: Navigate to the official Microsoft Update Catalog website. This is the central repository for all Windows updates.

  3. Download the Correct OOB Update: Search for and download the specific update package that corresponds to your operating system. Key updates to look for include:

    • Windows Server 2022: KB5037422
    • Windows 11 22H2/23H2: KB5037853
    • Windows 11 21H2: KB5037423
    • Windows Server 2019: KB5037425
    • Windows 10 (multiple versions): Check the catalog for the corresponding KB number for your specific build.

  4. Install the Update and Reboot: Run the downloaded update package on the affected machine. A system reboot will be required to complete the installation and apply the fix.
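
The check behind steps 1 and 3, as an added PowerShell example that is not from Microsoft or the source article: it reads the local OS build, maps it to the KB listed above, and reports whether that package appears in the installed hotfix list. The build-number mapping and the function name Get-OobUpdateStatus are assumptions of this sketch.

```powershell
# Added example. KB numbers are taken from the list above; the build-number
# mapping and the function name Get-OobUpdateStatus are assumptions.
function Get-OobUpdateStatus {
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

    # Update Build Revision: the part after the dot in the build string winver shows.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # OS build -> out-of-band package named in the article.
    $packages = @(
        @{ Build = 20348; Server = $true;  KB = 'KB5037422' }  # Windows Server 2022
        @{ Build = 17763; Server = $true;  KB = 'KB5037425' }  # Windows Server 2019
        @{ Build = 22621; Server = $false; KB = 'KB5037853' }  # Windows 11 22H2
        @{ Build = 22631; Server = $false; KB = 'KB5037853' }  # Windows 11 23H2
        @{ Build = 22000; Server = $false; KB = 'KB5037423' }  # Windows 11 21H2
    )
    $match = $packages |
        Where-Object { $_.Build -eq $build -and $_.Server -eq $isServer } |
        Select-Object -First 1

    $expectedKb = $null
    if (-not $match) {
        # Windows 10 and other builds: look up the KB for this build in the catalog.
        $status = 'NotListed'
    } else {
        $expectedKb = $match.KB
        if (Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue) {
            $status = 'Installed'
        } else {
            # A later cumulative update replaces this package in the hotfix list,
            # so treat this as "check update history", not as proof of exposure.
            $status = 'NotFound'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Caption      = $os.Caption
        Build        = '{0}.{1}' -f $build, $ubr
        ExpectedKB   = $expectedKb
        Status       = $status
    }
}

Get-OobUpdateStatus
```

Run it on each affected machine before and after installing the package; a `NotFound` result on a machine that has since taken a newer cumulative update needs its update history checked rather than a reinstall.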

Why This Matters for Your Security

Digital certificates are a cornerstone of modern IT security. They are essential for securing communications, authenticating users and devices, and ensuring data integrity through protocols like HTTPS, VPNs, and secure Wi-Fi. When certificate enrollment fails, it can disrupt critical business operations and create potential security vulnerabilities.

Proactively applying this fix is a vital security step. It ensures your Public Key Infrastructure (PKI) remains functional and that all endpoints can successfully renew their certificates, preventing service outages and maintaining a strong security posture. We recommend administrators prioritize the deployment of these OOB updates across their environments to mitigate any further impact.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-certificate-enrollment-errors/
