An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows

Summary

This software update provides the following improvements for Windows:
  • Enables administrators to configure domain-joined computers to use the auto update feature for both trusted and disallowed Certificate Trust Lists (CTLs). The computers can use the auto update feature without accessing the Windows Update site.
  • Enables administrators to configure domain-joined computers to independently select trusted and disallowed CTLs by using the auto update feature.
  • Enables administrators to examine the set of root certification authorities (CAs) in the Microsoft Root Certificate Program.

Knowledge prerequisites

This KB article is intended for public key infrastructure (PKI) administrators who have a basic knowledge of Group Policy, third-party root updates, untrusted certificates, and disallowed lists. This KB article is also intended for PKI administrators who can edit simple ADM/ADMX files to deploy policies by using the Group Policy Update utility. For more information about how to use ADMX files, see the Managing Group Policy ADMX Files Step-by-Step Guide.

Background

The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.

Trusted root certificates can be distributed by using the following method:
  • Clients can download or update trusted root certificates by using the auto update mechanism. The list of trusted root certificates is stored in a Certificate Trust List (trusted CTL) on Windows Update servers.
Untrusted root certificates (certificates that are publicly known to be fraudulent) can be distributed by using the following method:
  • Clients can download or update untrusted root certificates by using the auto update mechanism. The list of untrusted root certificates is stored in a CTL (untrusted CTL) on Windows Update servers.
Note The auto update mechanism for trusted and untrusted root certificates is the same. You can disable the auto update mechanism for both kinds of certificates by using the same registry setting. For more information, see Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet.

If you manage your own set of trusted root certificates, you should disable the auto update mechanism for the trusted CTL.

Known issues

Before you install this software update, you may encounter one of the following issues when you manage certificates:
  • To update trusted or untrusted root certificates in a disconnected environment, you have to use the IEXPRESS packages that are described in the "Background" section in this KB article. However, you have to manually install the IEXPRESS packages. Additionally, although we try to have packages available at the same time as CTL distribution, some delay may occur with the IEXPRESS packages.

    Note A disconnected environment is an environment in which the following conditions are true:
    • Direct access to Windows Update is blocked.
    • The auto update mechanism for both trusted and untrusted CTLs is disabled.
  • You cannot individually disable the auto update mechanism for trusted and untrusted CTLs. More specifically, you can only disable the auto update mechanism for both trusted and untrusted CTLs.

    Note We recommend that administrators who manage their own list of trusted root certificates disable the Automatic Update service for trusted CTLs. However, we do not recommend that administrators disable the Automatic Update service for untrusted CTLs.
  • There is no mechanism for users who manage their own list of trusted root certificates to easily view root certificates in the root program and decide which certificate to trust.

Resolution

This software update includes the following fixes for the issues that are described in the "Known issues" section of this KB article.
  • This software update adds the following features in Windows that enable you to use the auto update mechanism in disconnected environments:
    1. A new registry setting: The registry setting enables you to change the URL location for downloading trusted and untrusted CTLs from Windows Update to a shared location in an organization. Both FILE and HTTP schemas are supported in this registry setting. For more information about this registry setting, see the Registry Keys section in this KB article.

      Note If you change the URL location to a local shared folder, you must synchronize the local shared folder together with the Windows Update folder.
    2. A new set of options in the Certutil tool: These options give you more methods for synchronizing folders. For more information about these options, see the New Verbs in Certutil section in this KB article.
  • This software update decouples the auto update mechanism for trusted and untrusted CTLs. For example, after you apply the update, you can use a registry key to only disable the auto update mechanism for trusted root certificates. For more information about the registry keys, see the Registry Keys section in this KB article.
  • This software update introduces a new tool that administrators can use to view the set of trusted root certificates in the Microsoft Root Certificate Program. This tool is for administrators who manage the set of trusted root certificates for an enterprise environment. An administrator can use this tool to select the set of trusted root certificates, export them to a serialized certificate store, and distribute them by using Group Policy. For more information, see the New Verbs in Certutil section in this KB article.

Update information

The following files are available for download from the Microsoft Download Center:
  • For all supported x86-based versions of Windows Vista
  • For all supported x64-based versions of Windows Vista
  • For all supported x86-based versions of Windows Server 2008
  • For all supported x64-based versions of Windows Server 2008
  • For all supported IA-64-based versions of Windows Server 2008
  • For all supported x86-based versions of Windows 7
  • For all supported x64-based versions of Windows 7
  • For all supported x86-based versions of Windows Embedded Standard 7
  • For all supported x64-based versions of Windows Embedded Standard 7
  • For all supported x64-based versions of Windows Server 2008 R2
  • For all supported IA-64-based versions of Windows Server 2008 R2
  • For all supported x86-based versions of Windows 8
  • For all supported x64-based versions of Windows 8
  • For all supported versions of Windows Server 2012

Release Date: June 11, 2011

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces hotfix 2661254.
File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Vista and Windows Server 2008 file information
Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information

Technical references for the changes

New verbs in Certutil

SyncWithWU

This verb synchronizes a destination directory with the Windows Update site. The syntax of the verb is as follows:

CertUtil [Options] -syncWithWU DestinationDir

Note DestinationDir is the folder that the files are copied to. When you run the command, the following files are downloaded from Windows Update:
  • Authrootstl.cab: Contains the CTL of third-party root certificates.
  • Disallowedcertstl.cab: Contains the CTL of disallowed certificates.
  • Disallowedcert.sst: Contains the disallowed certificates.
  • Thumbprint.crt: Third-party root certificates.

For example, you can synchronize a destination directory with the Windows Update site by running the following command:

CertUtil -syncWithWU \\computername\sharename\DestinationDir

GenerateSSTFromWU

This verb generates an .sst file from the Windows Update site. The syntax of the verb is as follows:

CertUtil [Options] -generateSSTFromWU SSTFile

Note SSTFile is the name of the .sst file that is created. The generated .sst file contains the third-party root certificates that are downloaded from Windows Update.

For example, you can generate an .sst file from the Windows Update site by running the following command:

CertUtil -generateSSTFromWU Rootstore.sst

Registry Keys

The following registry keys are introduced in this update:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
    Set this registry key to 1 to disable auto updates for trusted CTLs.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate
    Set this registry key to 1 to enable auto updates for disallowed CTLs.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
    This registry key configures the share path from which CTLs are retrieved.
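The following PowerShell script is an added example, not part of this KB article, that ties the Certutil verbs and registry keys above into one disconnected-environment workflow: a staging host mirrors the CTL files to an internal share, checks that the files the KB lists actually arrived, and a client is pointed at the share while trusted-root auto update is disabled and disallowed-CTL auto update stays on. The share path is a placeholder, the file:// form of RootDirUrl is an assumption (the KB only states that FILE and HTTP schemas are supported), and in practice the client settings would be deployed through Group Policy rather than set by hand.

```powershell
# Added example (not from KB 2813430). $Share is a placeholder for your environment.
$ErrorActionPreference = 'Stop'

# --- 1. Staging host with Internet access: mirror the CTLs from Windows Update ---
$Share = '\\fileserver\ctlshare'    # placeholder path; must be reachable by clients
certutil.exe -syncWithWU $Share
if ($LASTEXITCODE -ne 0) {
    throw "certutil -syncWithWU failed with exit code $LASTEXITCODE"
}

# Sanity check: the KB lists these files as the output of a sync. A missing or
# empty file means clients would silently fall back to stale CTLs.
$expected = 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst'
foreach ($name in $expected) {
    $file = Join-Path $Share $name
    if (-not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "Expected CTL file missing or empty: $file"
    }
}

# Optional: build an .sst of the Root Program roots for review before selecting
# which roots to distribute via Group Policy.
certutil.exe -generateSSTFromWU (Join-Path $Share 'Rootstore.sst')
if ($LASTEXITCODE -ne 0) {
    throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE"
}

# --- 2. Client side (normally pushed via Group Policy/ADMX; shown directly here) ---
$autoUpdate = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
New-Item -Path $autoUpdate -Force | Out-Null
New-Item -Path $policy     -Force | Out-Null

# RootDirUrl redirects CTL downloads from Windows Update to the internal share.
# Assumption: a file:// URL wrapping the UNC path; use http:// if the share is
# published over HTTP instead.
Set-ItemProperty -Path $autoUpdate -Name RootDirUrl -Value "file://$Share"

# Curate trusted roots yourself (stop trusted-CTL auto update) but keep receiving
# the disallowed CTL, which is the KB's recommendation.
Set-ItemProperty -Path $policy -Name DisableRootAutoUpdate          -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name EnableDisallowedCertAutoUpdate -Value 1 -Type DWord

# Show the resulting configuration for verification.
Get-ItemProperty -Path $autoUpdate | Select-Object RootDirUrl
Get-ItemProperty -Path $policy | Select-Object DisableRootAutoUpdate, EnableDisallowedCertAutoUpdate
```

Run the sync step on a schedule so that the share keeps pace with CTL releases; the KB notes that the disallowed CTL is the one you least want to lag behind.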
Article ID: 2813430 - Last Review: Oct 23, 2014 - Revision: 1