Setting up a new Windows 10 Army Computer

Tags Army ROTC

Background:  Army computers utilize certificates from a CAC card to access secure Army websites.  All computers set up for ArmyROTC will need to be set up as follows.  

  1. The computer will first need to be imaged by the CSS Imaging group.  New systems can be imaged from the service request located here.
  2. Install and configure the Certificate Installation Program (Installroot 5.2).  This should be available on \\warehouse\css\army installs\ or online at 
  3. Install ActivClient 7.1.  This installation should be available at \\warehouse\css\army installs\.  
  4. Once Installroot and ActiveClient have been installed we will need to configure browsers to access certificates from the CAC card and on army sites.  
    1.  Open Internet Explorer (IE).  Make certain that the page you are having issues accessing is NOT already open in any tabs or another IE browser. 
    2.  Select the gear (or click the Alt+T) keys on your keyboard.  
    3. Select Internet Options after clicking the "gear"
    4. Check the "Delete browsing history on exit" (box) then click "Delete".
    5. Check the top 4 boxes and leave the rest unchecked, then click "Delete". 
    6. Click settings.

    7. Change the disk space to use to 50, then click OK.  (Please note, this is a personally recommended size.  Making it smaller will make your browser look for an updated page more often.  If it is too large, you will end up storing older sites on your computer.)  

    8. Click the Security tab, Trusted sites (Green checkmark ), then Sites button.

    9. Remove all websites that end in .mil from the Websites: (box) by clickingthe listed website, selecting Remove, then clicking Close. 

      1. NOTE:  As of April 13, 2017, if you need the ability tosend and recieve encrypted e-mail in OWA, you'll need to add a version of your webmail URL to the website box.  Additional information is located here:  (Setting up win10smime for army machines

      2. NOTE: Some people will argue that AKO shouldbe in trusted sites.  It WAS needed with IE 6 & 7, however if using IE 8, 9, 10, or 11, AKO users will be recycled tothe AKO home page.  So IE 8, 9, 10, and 11 users should REMOVE it.  

    10. Click the Content (tab), Certificates (button).  Then Click "Clear SSL state".  

    11. Then click the Certificates button.

    12. Most people will see 3 DOD certificates (2 with E-mail and 1 without) under Personal (tab) Issued by (column).  Personnel with 2 CACs willsee a 4th certificate once their PIV is activated on their card.  Ensure that all Certificates have expiration dates in the future.  

    13. Click on the Intermediate Certification Authorities (tab).  First, you must verify thatyou have DOD CA-31 through DOD SW CA-58 under the Issued to (column).  If you do not, you will want to go back and reinstall certificates again using the DOD InstallRoot 5.2 Program.  

    14. There are several bad certs that ill need to be removed from the Intermediate Certification Authorities (tab) if found:  

    15. Click back to Internet Options and click the "Connections" (tab)-> LAN settings (button).  Make sure none of these boxes are checked, and then click OK.  

    16. Click the Internet Options Advanced (tab), scroll to the bottom of the list, then make sure that nly TLS 1.0, 1.1, & 1.2 are checked.  The SSLs should NOT be checked.  NOTE:  Some computers refuse to leave TLS 1.0 checked and SSL 2.0 unchecked.  If this happens, click the "Reset" button.  

    17. Uncheck the "Enable Enhanced Protection Mode*" checkbox.  This is sometimes needed tosign evaluations on EES (Army's OER/NCOER system).  To try this option, click on Tools->Internet Options->Advanced (tab).  Note:  Running enhanced protection mode* helps prevent attackers from installing software or modifying system settings if they manage to run expoit code.  it is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn't need to use.  Unfortunately, it blocks access and functionality on some DOD websites like HRC's EES.  

    18. STOP HERE and see if the user is able to access army websites as required.  

    19. If the previous adjustments did not work, select Reset at the bottom of the Advanced (tab), AND go back to certificates to remove personal certificates.  People with 2 CACs may see up to 8 certs after they have activatd their PIV certificates.  Note: Removing certs and your CAC, then reinserting your CAC is a way to test if your reader and middleware are working properly.  You will receive a message stating that you cannot decrypt data encrypted using the certificates.  Click Yes.  

    20. Your certificates should automatically be available towindows when you remove and reinsert your CAC into the reader, however Windows 10 native users will not see an activClient icon.  Additionally ActiveClient 7.1.x.x. does not have the function of making certificates available to windows so the oly option is to remove the card and reinsert it to make the certificates available to windows again.  

    21. Reset the optimization cache in ActiveClient 7.1.0.x

      1. Open ActiveClient. 

      2. Click Tools->Advanced->Reset optimization cache

    22. When checking your e-mail on windows 10, make sure you are selecting the correct certificate.  Select more choices to see additional certificates.  



Was this helpful?
0 reviews


Article ID: 60541
Thu 8/16/18 10:43 AM