Visual Studio is primarily designed to be installed on an internet-connected machine, since many components are updated regularly. However, with some extra steps, it's possible to deploy Visual Studio in an environment where a working internet connection is unavailable.
The Visual Studio setup engine installs only content that is trusted. It does this by checking Authenticode signatures of the content being downloaded and verifying that all content is trusted before installing it. This keeps your environment safe from attacks where the download location is compromised.
Visual Studio setup therefore requires that several standard Microsoft root and intermediate certificates are installed and up-to-date on a user's machine. If the machine has been kept up to date with Windows Update, signing certificates usually are up to date. If the machine is connected to the internet, during installation Visual Studio may refresh certificates as necessary to verify file signatures. If the machine is offline, the certificates must be refreshed another way.
There are three options for installing or updating certificates in an offline environment.
When you create a network layout or a local offline cache, the necessary certificates are downloaded to the Certificates folder. You can manually install the certificates by right-clicking each of the certificate files, selecting Install Certificate, and then clicking through the Certificate Manager wizard. If asked for a password, leave it blank.
For enterprises with offline machines that do not have the latest root certificates, an administrator can use the instructions on the Configure Trusted Roots and Disallowed Certificates page to update them.
If you are scripting the deployment of Visual Studio in an offline environment to client workstations, you should follow these steps:
1. Copy the Certificate Manager Tool (certmgr.exe) to the network layout or local cache installation location. Certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.
2. Create a batch file with the following commands:

   certmgr.exe -add [layout path]\certificates\manifestRootCertificate.cer -n "Microsoft Root Certificate Authority 2011" -s -r LocalMachine root
   certmgr.exe -add [layout path]\certificates\manifestCounterSignRootCertificate.cer -n "Microsoft Root Certificate Authority 2010" -s -r LocalMachine root
   certmgr.exe -add [layout path]\certificates\vs_installer_opc.RootCertificate.cer -n "Microsoft Root Certificate Authority 2010" -s -r LocalMachine root

   Alternatively, create a batch file that uses certutil.exe, which ships with Windows, with the following commands:

   certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestRootCertificate.cer"
   certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestCounterSignRootCertificate.cer"
   certutil.exe -addstore -f "Root" "[layout path]\certificates\vs_installer_opc.RootCertificate.cer"

3. Deploy the batch file to the client. This command should be run from an elevated process.
The Visual Studio Installer requires only the root certificates to be installed on the system. All of these certificates are required for Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
When a signature is verified in an online environment, Windows APIs are used to download and add the certificates to the system. Verification that the certificate is trusted and allowed via administrative settings occurs during this process. This verification process cannot occur in most offline environments. Installing the certificates manually allows enterprise administrators to ensure the certificates are trusted and meet the security policy of their organization.
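The following PowerShell script is an added example, not part of the original page or of Visual Studio setup. It inspects the three certificate files named above before anything is added to the machine's trusted roots. It assumes Windows PowerShell 5.1 or later; the `-LayoutPath` and `-Import` parameters and the status names are hypothetical.

```powershell
# Added example: review the layout's root certificates before trusting them.
param(
    [Parameter(Mandatory)] [string] $LayoutPath,  # your layout or cache folder
    [switch] $Import                              # without -Import, report only
)

# File names and root names as they appear in the batch files on this page.
$expected = [ordered]@{
    'manifestRootCertificate.cer'            = 'Microsoft Root Certificate Authority 2011'
    'manifestCounterSignRootCertificate.cer' = 'Microsoft Root Certificate Authority 2010'
    'vs_installer_opc.RootCertificate.cer'   = 'Microsoft Root Certificate Authority 2010'
}

$results = foreach ($name in $expected.Keys) {
    $file = Join-Path (Join-Path $LayoutPath 'certificates') $name
    if (-not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ File = $name; Subject = $null; Status = 'Missing'; Thumbprint = $null }
        continue
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    $cn   = $cert.GetNameInfo('SimpleName', $false)   # subject common name
    $now  = Get-Date

    # Name-level checks only; this does not verify the self-signature itself.
    $status = if ($cn -ne $expected[$name]) {
        'UnexpectedSubject'
    } elseif ($cert.Subject -ne $cert.Issuer) {
        'NotSelfSigned'
    } elseif ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        'OutsideValidity'
    } elseif (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
        'AlreadyTrusted'
    } elseif ($Import) {
        # Same certutil command as in the batch file above.
        & certutil.exe -addstore -f Root $file | Out-Null
        if ($LASTEXITCODE -eq 0) { 'Imported' } else { 'ImportFailed' }
    } else {
        'ReadyToImport'
    }

    [pscustomobject]@{ File = $name; Subject = $cn; Status = $status; Thumbprint = $cert.Thumbprint }
}
$results | Format-Table -AutoSize
```

Compare the reported thumbprints with the same roots on a machine that is kept current through Windows Update before running with `-Import`, which must be done from an elevated process.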
One way to check on the installing system is to follow these steps:
1. Run mmc.exe.
   a. Click File, and then select Add/Remove Snap-in.
   b. Double-click Certificates, select Computer account, and then click Next.
   c. Select Local computer, and then click Finish.
   d. Expand Certificates (Local Computer).
   e. Expand Trusted Root Certification Authorities, and then select Certificates.
   f. Expand Intermediate Certification Authorities, and then select Certificates.
2. Click File, and then select Add/Remove Snap-in.
   a. Double-click Certificates, select My user account, and then click Finish.
   b. Expand Certificates – Current User.
   c. Expand Intermediate Certification Authorities, and then select Certificates.
If the certificate names are not in the Issued To columns, they must be installed. If an intermediate certificate is only in the Current User Intermediate Certificate store, then it is available only to the user who is logged in. You might need to install it for other users.
After you install the certificates on the client machine, you are ready to install Visual Studio from the local layout, or deploy Visual Studio from the network layout share to the client machine.
Sometimes, things can go wrong. If your Visual Studio installation fails, see Troubleshoot Visual Studio installation and upgrade issues for step-by-step guidance.