Install certificates needed for Visual Studio offline installation

Visual Studio is primarily designed for installation from an internet-connected machine, since many components are updated regularly. However, with some extra steps, it's possible to deploy Visual Studio in an environment where a working internet connection is unavailable.+

Install certificates needed for Visual Studio offline installation

The Visual Studio setup engine will only install content that is trusted. It does this by checking Authenticode signatures of the content being downloaded and verifying that all content is trusted before installing it. This keeps your environment safe from attacks where the download location is compromised. Visual Studio setup therefore requires that several standard Microsoft root and intermediate certificates are installed and up to date on a user's machine. If the machine has been kept updated with Windows Update, signing certificates are automatically updated, and during installation Visual Studio will refresh certificates as necessary to verify file signatures. +

For enterprises with offline machines that do not have the latest root certificates, an administrator can use the instructions here to update them. Alternatively, the necessary certificates are downloaded during the creation of a network layout to the certificates folder and can be manually installed by double-clicking the certificate file and then clicking thru the certificate manager wizard. If asked for a password, leave it blank.+

If you are scripting the deployment of Visual Studio in an offline environment to client workstations, you should follow these steps:+

Copy the Certificate Manager Tool (certmgr.exe) to the installation share (for example, \\server\share\vs2017). certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.

Create a batch file with the following commands:

cmdCopy

certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Code Signing PCA 2011" -s -r LocalMachine CA

certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root

certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Time-Stamp PCA 2010" -s -r LocalMachine CA

certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root

certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Code Signing PCA" -s -r LocalMachine CA

certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root

Deploy the batch file to the client. This command should be run from an elevated process.

What are the certificates files in the `certificates` folder?

The three .p12 files in this folder each contain an intermediate certificate and a root certificate. Most systems that are current with Windows Update will have these certificates already installed.+

ManifestSignCertificates.p12 contains:
- Intermediate certificate: Microsoft Code Signing PCA 2011
  - Not required. Improves performance in some scenarios if present.
- Root certificate: Microsoft Root Certificate Authority 2011
  - Required on Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
ManifestCounterSignCertificates.p12
- Intermediate certificate: Microsoft Time-Stamp PCA 2010
  - Not required. Improves performance in some scenarios if present.
- Root certificate: Microsoft Root Certificate Authority 2010
  - Required for Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
vs_installer_opc.SignCertificates.p12
- Intermediate certificate: Microsoft Code Signing PCA
  - Required for all systems. Note that systems that with all updates applied from Windows Update may not have this certificate.
- Root certificate: Microsoft Root Certificate Authority
  - Required. This certificate ships with systems running Windows 7 or later.

Why are the certificates from the `certificates` folder not installed automatically?

When a signature is verified in an online environment, Windows APIs are used to download and add the certificates to the system. Verification that the certificate is trusted and allowed via administrative settings occurs during this process. This verification process cannot occur in most offline environments. Installing the certificates manually allows enterprise administrators to ensure the certificates are trusted and meet the security policy of their organization.+

Checking if certificates are already installed

One way to check on the installing system is to follow these steps:+

Run mmc.exe
Click on File and select Add/Remove Snap-in
- Double-click on Certificates, select Computer account and click Next
- Select Local computer, click Finish, and click Ok
- Expand Certificates (Local Computer)
- Expand Trusted Root Certification Authorities and select Certificates
  - Check this list for the necessary root certificates.
- Expand Intermediate Certification Authorities and select Certificates
  - Check this list for the required intermediate certificates.
Click on File and select Add/Remove Snap-in
- Double-click on Certificates, select My user account, click Finish and OK.
- Expand Certificates – Current User
- Expand Intermediate Certification Authorities and select Certificates
  - Check this list for the required intermediate certificates.

If the certificates names were not in the Issued To columns, they will need to be installed. If an intermediate certificate was only in the Current User Intermediate Certificate store, then it is only available to the user that is logged in and could be needed to be installed for other users.+

Install Visual Studio

Having installed the certificates, deployment of Visual Studio can proceed offline without additional special steps, using the instructions here.+

Customizing the network layout

There are several options you can use to customize your network layout. You can create a partial layout that only contains a specific set of language locales, workloads, components, and their recommended or optional dependencies. This may be useful if you know that you are only going to deploy a subset of workloads to client workstations. Common command-line parameters for customizing the layout include:+

--add to specify workload or component IDs. If --add is used, only those workloads and components specified with --add will be downloaded. If --add is not used, all workload and components will be downloaded.
--includeRecommended to include all the recommended components for the specified workload IDs
--includeOptional to include all the recommended and optional components for the specified workload IDs.
--lang to specify language locales.

Here are a few examples of how to create a custom partial layout.+

To download all workloads and components for only one language, run:
vs_enterprise.exe --layout C:\vs2017offline --lang en-US
To download all workloads and components for multiple languages, run:
vs_enterprise.exe --layout C:\vs2017offline --lang en-US de-DE ja-JP
To download one workload for all languages, run
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --includeRecommended
To download two workloads and one optional component for three languages, run:
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeRecommended --lang en-US de-DE ja-JP
To download two workloads and all of their recommended components, run:
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeRecommended
To download two workloads and all of their recommended and optional components, run:
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeOptional

Deploying from a network installation

Administrators may deploy Visual Studio onto client workstations as part of an installation script. Or, users who have administrator rights can run setup directly from the share to install Visual Studio on their machine.+

Users can install by running:
\\server\products\VS2017\vs_enterprise.exe
Administrators can install in an unattended mode by running:
\\server\products\VS2017\vs_enterprise.exe --quiet --wait --norestart

Tip

When executed as part of a batch file, the --wait option ensures that the vs_enterprise.exe process waits until the install is completed before returning a exit code. This is useful where an enterprise administrator wants to perform further actions on the completed install (for example, to apply a product key to a successful installation). where one needs to wait for the install to finish to handle the return code from that install. If you do not use --wait, the vs_enterprise.exe process will exit before the install is complete and it will not return an accurate exit code that represents the state of the install operation.+

Error codes

If you used the --wait parameter, then depending on the result of the operation, the %ERRORLEVEL% environment variable will be set to one of the following values:+

Value	Result
0	Operation completed successfully
3010	Operation completed successfully, but install requires reboot before it can be used
Other	Failure condition occurred - check the logs for more information

Updating a network install layout

As product updates become available, you may want to update the network install layout to incorporate updated packages.+

How to create a layout for a previous Visual Studio 2017 release

Note: The VS 2017 bootstrappers available on http://www.visualstudio.com will download and install the latest VS 2017 release available whenever they are run. If you download a VS bootstrapper today and run it 6 months from now, it will install the VS 2017 release that is available at that later time. If you create a layout, installing VS from that layout will install the specific version of VS that exists in the layout. Even though a newer version may exist online, you will get the version of VS that is in the layout.+

If you need to create a layout for an older version of Visual Studio 2017, you can go to https://my.visualstudio.com to download "fixed" versions of the Visual Studio 2017 bootstrappers for supported versions, which will allow you to create a network install layout for that older version. +

How to get support for your offline installer

If you experience a problem with your offline installation, we want to know about it. The best way to tell us is by using the Report a Problem tool. When you use this tool, you can send us the telemetry and logs we need to help us diagnose and fix the problem.+

We have other support options available, too. For a list of those, see our Talk to us page.+