Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

View products that this article applies to.

INTRODUCTION

An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted.

A certificate trust list (CTL) is a predefined list of items that are signed by a trusted entity. All the items in the list are authenticated and approved by a trusted signing entity. This update expands on this existing functionality by adding known untrusted certificates to the untrusted certificate store by using a CTL that contains either their public key or their signature hash. After this update is installed, customers benefit from quick automatic updates of untrusted certificates.

Users who have disconnected systems will not benefit from this feature improvement. These customers will still have to install the root certificate updates when they are made available. Please see the "More Information" section.


As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions.

The following are the new URLs:


http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab


↑ Back to the top

More Information

Users who have disconnected systems can install this update. But those users do not receive a benefit from the update. In fact, installing this update may cause service startup failures immediately after the server is restarted. Services that perform certificate validation tasks during service startup may experience an increased delay while network retrieval of the trusted and untrusted CTLs from Windows Update is tried.

For systems that are running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 and that are using the automatic updater of untrusted certificates (that is, if either KB 2677070 or KB 2813430 is already installed), see the rest of this section and also Microsoft Knowledge Base article 2813430 for more information. Customers do not have to take any action because these systems will be automatically protected.

If the system does not have access to Windows Update, either because the system is not connected to the Internet or because Windows Update is blocked by firewall rules, the network retrieval will time-out before the service can continue its startup procedure. In some cases, this network retrieval time-out may exceed the service startup time-out of 30 seconds. If a service cannot report that startup has completed after 30 seconds, the service control manager (SCM) stops the service.

If you cannot avoid installing this update on disconnected systems, you can disable the network retrieval of the trusted and untrusted CTLs. To do this, you disable automatic root updates by using Group Policy settings. To disable automatic root updates by using policy settings, follow these steps:
  1. Create a Group Policy or change an existing Group Policy in the Local Group Policy Editor.
  2. In the Local Group Policy Editor, double-click Policies under the Computer Configuration node.
  3. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
  4. In the details pane, double-click Certificate Path Validation Settings.
  5. Click the Network Retrieval tab, select Define these policy settings, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  6. Click OK, and then close the Local Group Policy Editor.
After you make this change, automatic root updates are disabled on those systems to which the policy is applied. We recommend that the policy be applied only to those systems that do not have Internet access or that are prevented from accessing Windows Update because of firewall rules.

If automatic root updates are disabled, Administrators must manually manage root certificates that are trusted by Windows. Trusted root certificates can be distributed to computers that are running Windows by using Group Policy. For more information about how to manage the root certificates that are trusted by Windows, visit the following Microsoft website:

http://technet.microsoft.com/en-us/library/cc754841.aspx
For more information about Windows certificate trust verification, go to the following Microsoft webpages:
Certificate Trust Verification

Certificate Trust List Overview
For more information about the Windows root certificate program, click the following article number to view the article in the Microsoft Knowledge Base:
931125 Windows root certificate program members

Update replacement information

This update replaces the following update:

2603469 System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2

↑ Back to the top

Download information

The following files are available for download from the Microsoft Download Center.

For all supported x86-based versions of Windows Vista

Download Download the Windows6.0-KB2677070-x86.msu package now.

For all supported x64-based versions of Windows Vista

Download Download the Windows6.0-KB2677070-x64.msu package now.

For all supported x86-based versions Windows Server 2008

Download Download the Windows6.0-KB2677070-x86.msu package now.

For all supported x64-based versions of Windows Server 2008

Download Download the Windows6.0-KB2677070-x64 package now.

For all supported IA-64-based versions of Windows Server 2008

Download Download the Windows6.0-KB2677070-ia64.msu package now.

For all supported x86-based versions of Windows 7

Download Download the Windows6.1-KB2677070-x86.msu package now.

For all supported x64-based versions of Windows 7

Download Download the Windows6.1-KB2677070-x64.msu package now.

For all supported x64-based versions of Windows Server 2008 R2

Download Download the Windows6.1-KB2677070-x64.msu package now.

For all supported IA-64-based versions of Windows Server 2008 R2

Download Download the Windows6.1-KB2677070-ia64.msu package now.

Release Date: June 12, 2012

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

↑ Back to the top

File information

For a list of the files that are provided in this update, download the file information for this update 2677070.

↑ Back to the top

Keywords: kbqfe, kbfix, kbexpertiseinter, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2677070
Revision : 6
Created on : 4/16/2020
Published on : 4/16/2020
Exists online : False
Views : 1664