When you try to use Copilot in Microsoft 365 apps or on Windows, you may see the error message “WinHTTP Error 12175” followed by “Certificate Revocation Check Failure.” This error prevents Copilot from connecting to Microsoft servers, blocking chat, drafting, and summarization features. The cause is a local system setting that disables or interferes with certificate revocation list CRL checks. This article explains how to fix the error by adjusting Windows registry values, group policies, and network settings so Copilot can authenticate securely.
Key Takeaways: Fixing Copilot WinHTTP Error 12175 Certificate Failure
- Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation: Controls whether Windows checks certificate revocation lists for HTTPS connections.
- Group Policy setting System > Internet Communication Management > Internet Communication settings > Turn off automatic root certificates update: Disabling this policy can block certificate revocation checks.
- Network proxy or firewall rule blocking crl.microsoft.com: If CRL download URLs are blocked, WinHTTP returns error 12175.
Why Copilot Shows Error 12175 Certificate Revocation Check Failure
Copilot communicates with Microsoft servers over HTTPS using Transport Layer Security TLS. As part of the TLS handshake, Windows verifies that the server certificate has not been revoked by checking the certificate revocation list CRL published by the issuing certificate authority. The WinHTTP API that Copilot uses to make these requests returns error 12175 when the CRL check fails. This happens in three common scenarios:
Registry or Group Policy Disables CRL Checking
A registry key or group policy can turn off automatic certificate revocation checking. When this setting is enabled, Windows skips the CRL lookup entirely. Some enterprise security configurations disable CRL checks to reduce network traffic, but this breaks Copilot authentication.
Network Firewall or Proxy Blocks CRL Download URLs
Windows must download the CRL from specific URLs issued by Microsoft’s certificate authorities. The primary CRL distribution point is crl.microsoft.com. If a company firewall, proxy, or DNS filter blocks this domain, the CRL download fails and WinHTTP returns error 12175.
Corrupted Certificate Store or Missing Intermediate Certificates
If the local machine’s certificate store has a corrupted root or intermediate certificate, the revocation check cannot complete. This can happen after a failed Windows update or manual certificate cleanup.
Steps to Fix Copilot WinHTTP Error 12175 Certificate Revocation Check Failure
Follow these steps in order. After each step, restart Copilot and test the connection. Do not skip steps unless you have confirmed the specific cause on your system.
Step 1: Enable Certificate Revocation Checking via Registry
- Open Registry Editor
Press Windows key + R, type regedit, and press Enter. Click Yes if prompted by User Account Control. - Navigate to the Internet Settings key
Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings. If the CertificateRevocation subkey does not exist, skip to the next step. - Set the CertificateRevocation DWORD value
Double-click CertificateRevocation in the right pane. Change the value data to 1. This enables CRL checking. If the value does not exist, right-click an empty area, select New > DWORD 32-bit, name it CertificateRevocation, and set its value to 1. - Close Registry Editor and restart the machine
Changes take effect after a reboot. Open Copilot and test the connection.
Step 2: Verify Group Policy for Automatic Root Certificate Update
- Open Local Group Policy Editor
Press Windows key + R, type gpedit.msc, and press Enter. This tool is available on Windows 11 Pro, Enterprise, and Education editions. Windows 11 Home users skip to Step 3. - Navigate to the Internet Communication policy
Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings. - Locate the setting Turn off automatic root certificates update
Double-click this policy. If it is set to Enabled, change it to Not Configured or Disabled. Click OK. - Run gpupdate to apply changes
Open Command Prompt as administrator and type gpupdate /force. Press Enter. Restart Copilot and test.
Step 3: Allow CRL Download URLs Through Firewall and Proxy
- Identify the CRL distribution points used by Microsoft
The primary URLs are crl.microsoft.com, mscrl.microsoft.com, and www.download.windowsupdate.com. Your network admin must allow outbound HTTPS traffic to these domains and all subdomains. - Check proxy settings in Internet Options
Open Control Panel > Internet Options > Connections tab > LAN settings. If a proxy server is configured, verify it does not block CRL URLs. Ask your IT team to add an allow rule for the CRL domains. - Test CRL download manually
Open a web browser and navigate to http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl. If the download fails, the URL is blocked. Work with your network team to unblock it.
Step 4: Repair the Certificate Store
- Open an elevated Command Prompt
Press Windows key + X, select Terminal Admin or Command Prompt Admin. - Run the certlm command to manage local machine certificates
Type certlm.msc and press Enter. This opens the Certificate Manager for the local machine. - Expand Trusted Root Certification Authorities and Certificates
Look for any certificate with a red X or an error status. Right-click and select Delete. Do not delete certificates you are unsure about. - Run Windows Update to reinstall missing root certificates
Open Settings > Windows Update > Check for updates. Install all available updates. This restores the Microsoft root certificates that Copilot relies on.
If Copilot Still Has Issues After the Main Fix
Copilot Error 12175 Persists After Registry and Policy Changes
If the error continues, the problem may be a third-party security software suite that intercepts HTTPS traffic. Antivirus programs like Norton, McAfee, or Bitdefender sometimes perform their own certificate revocation checks and block the Windows CRL check. Temporarily disable the HTTPS scanning feature in your security software. If the error disappears, add an exception for Microsoft CRL URLs.
WinHTTP Error 12175 Only in Copilot but Not in Other Apps
Copilot uses WinHTTP while most browsers use WinINet. WinHTTP has its own proxy settings separate from Internet Options. Verify the WinHTTP proxy configuration by running the command netsh winhttp show proxy in an elevated Command Prompt. If a proxy is set, run netsh winhttp reset proxy to clear it. Restart the machine and test Copilot again.
Error 12175 Occurs After a Windows Update
A recent Windows update may have changed the default CRL checking behavior. Check the update history in Settings > Windows Update > Update history. If a security update was installed within the last 48 hours, uninstall it temporarily. To uninstall, go to Settings > Windows Update > Update history > Uninstall updates, select the update, and click Uninstall. Reboot and test Copilot. If the error disappears, report the issue to Microsoft via the Feedback Hub.
| Item | Registry Method | Group Policy Method |
|---|---|---|
| Scope | Single machine | Multiple machines in domain |
| OS Edition | All Windows 10 and 11 editions | Windows 11 Pro, Enterprise, Education |
| Reboot Required | Yes | Yes after gpupdate /force |
| Risk Level | Low if existing value is backed up | Low if only this policy is changed |
You now have a clear set of steps to resolve the WinHTTP error 12175 certificate revocation check failure in Copilot. Start with the registry fix and CRL URL whitelisting, as those account for the majority of cases. If the error remains, inspect your security software and WinHTTP proxy settings. For ongoing prevention, ensure that your Windows certificate store stays updated through regular Windows updates and that your network allows outbound HTTPS traffic to Microsoft CRL domains.