diff --git a/cmd/fleetctl/api.go b/cmd/fleetctl/api.go
index 6e9a1fe2771c..6be71ba546c9 100644
--- a/cmd/fleetctl/api.go
+++ b/cmd/fleetctl/api.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"runtime"
 
 	"github.com/fleetdm/fleet/server/service"
 	"github.com/pkg/errors"
@@ -27,6 +28,10 @@ func unauthenticatedClientFromCLI(c *cli.Context) (*service.Client, error) {
 		return nil, errors.New("set the Fleet API address with: fleetctl config set --address https://localhost:8080")
 	}
 
+	if runtime.GOOS == "windows" && cc.RootCA == "" && !cc.TLSSkipVerify {
+		return nil, errors.New("Windows clients must configure rootca (secure) or tls-skip-verify (insecure)")
+	}
+
 	fleet, err := service.NewClient(cc.Address, cc.TLSSkipVerify, cc.RootCA, cc.URLPrefix)
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating Fleet API client handler")
diff --git a/cmd/fleetctl/config.go b/cmd/fleetctl/config.go
index 49f631e3240f..00e76d23a5c3 100644
--- a/cmd/fleetctl/config.go
+++ b/cmd/fleetctl/config.go
@@ -8,7 +8,6 @@ import (
 	"strconv"
 
 	"github.com/ghodss/yaml"
-	"github.com/kolide/kit/env"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 )
@@ -31,9 +30,14 @@ type Context struct {
 }
 
 func configFlag() cli.Flag {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		homeDir = "~"
+	}
+	defaultConfigPath := filepath.Join(homeDir, ".fleet", "config")
 	return cli.StringFlag{
 		Name:   "config",
-		Value:  fmt.Sprintf("%s/.fleet/config", env.String("HOME", "~/")),
+		Value:  defaultConfigPath,
 		EnvVar: "CONFIG",
 		Usage:  "Path to the Fleet config file",
 	}
diff --git a/server/service/client.go b/server/service/client.go
index 8b91142b9d5c..c2bfbdd96377 100644
--- a/server/service/client.go
+++ b/server/service/client.go
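Review bot: The new Windows guard in unauthenticatedClientFromCLI rejects every address, including plain `http://` ones on which no TLS verification ever takes place, so a Windows user pointing at a non-TLS server is told to configure a root CA or skip a verification that would not run. That mirrors what NewClient does on the new side (it builds the system pool whenever `!insecureSkipVerify`, regardless of scheme), so the root cause sits there, but the condition here still deserves a why-comment, e.g. `// x509.SystemCertPool is not available on Windows with the Go version in use, so TLS verification needs an explicit root CA; fail here with an actionable message instead of letting NewClient fail later.`. If non-TLS addresses are meant to work on Windows, scope the guard to TLS addresses, e.g. `strings.HasPrefix(cc.Address, "https://")` as an extra conjunct (which needs `strings` imported), and relax the pool construction in NewClient to match. Whether NewClient accepts non-https addresses at all is decided by URL parsing outside this hunk.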
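Review bot: The fallback `homeDir = "~"` in configFlag produces `~/.fleet/config` (or `~\.fleet\config` on Windows), and since Go performs no tilde expansion the config loader would look for a directory literally named `~` under the current working directory; the removed `env.String("HOME", "~/")` default had the same flaw, so the commit preserves it rather than fixing it. Prefer a path that can actually resolve, e.g. `homeDir = "."`, or leave `defaultConfigPath` empty when os.UserHomeDir fails so that the loader can report a missing config path explicitly. If `fmt.Sprintf` was the only use of `fmt` in config.go the import now also needs removing, but the rest of the file is outside this hunk.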
@@ -38,25 +38,24 @@ func NewClient(addr string, insecureSkipVerify bool, rootCA, urlPrefix string) (
 		return nil, errors.Wrap(err, "parsing URL")
 	}
 
-	rootCAPool, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, errors.Wrap(err, "loading system cert pool")
-	}
-
+	rootCAPool := x509.NewCertPool()
 	if rootCA != "" {
-		// set up empty cert pool
-		rootCAPool = x509.NewCertPool()
-
 		// read in the root cert file specified in the context
 		certs, err := ioutil.ReadFile(rootCA)
 		if err != nil {
 			return nil, errors.Wrap(err, "reading root CA")
 		}
-		// add certs to new cert pool
+		// add certs to pool
 		if ok := rootCAPool.AppendCertsFromPEM(certs); !ok {
 			return nil, errors.Wrap(err, "adding root CA")
 		}
+	} else if !insecureSkipVerify {
+		// Use only the system certs (doesn't work on Windows)
+		rootCAPool, err = x509.SystemCertPool()
+		if err != nil {
+			return nil, errors.Wrap(err, "loading system cert pool")
+		}
 	}
 
 	httpClient := &http.Client{
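Review bot: In the `rootCA != ""` branch the `!ok` path returns `errors.Wrap(err, "adding root CA")` while `err` is nil (ReadFile just succeeded), and pkg/errors.Wrap returns nil for a nil error, so a root CA file containing no parseable PEM certificate makes NewClient return `(nil, nil)` and the caller goes on to use a nil client with verification silently unconfigured. Replace that line with `return nil, errors.Errorf("adding root CA: no certificates found in %s", rootCA)`. The line is context the commit reshuffles around rather than one it changes, but the new `else if` arm now makes the empty `x509.NewCertPool()` the starting point for every path, so a concrete error here is what keeps the "custom CA only" intent enforceable. The comment `// Use only the system certs (doesn't work on Windows)` would be clearer as `// x509.SystemCertPool returns an error on Windows with this Go version; callers must pass rootCA or insecureSkipVerify there`. NewClient starts and ends outside this hunk.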