Announcing the automated updater of untrustworthy certificates and keys

There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic Updater of revoked certificates is now available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2 computers. Learn more and download the updater through Microsoft KB 2677070.

In the past, customers had to make changes to the Untrusted Certificate Store by initiating updates through Windows Update or by using a manual method. For example, the updates published in KB 2718704, which describes an update to move unauthorized certificates to the untrusted store, had to be initiated manually. This new feature delivers revocation information dynamically, so that Windows clients receive the untrusted certificates within at most a day of the information being published, with no user interaction required. The automatic updater also lets Certificate Authorities report their revoked CA certificates to Microsoft and have them publicly untrusted much faster than propagating the same information through CRLs.
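Several of the comments below ask how to confirm that the updater is actually doing something, since new entries do not necessarily show up in the Untrusted Certificates node of the certificates MMC on versions before Windows 8. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reports the DisableRootAutoUpdate policy switch asked about in the comments, the last CTL sync timestamps, and any thumbprints present as explicit entries in the machine Disallowed store. The policy path and the Disallowed\Certificates path are documented registry locations; the AutoUpdate value names (LastSyncTime, DisallowedCertLastSyncTime) and their FILETIME encoding are assumptions. The thumbprint used in the usage call is the one quoted in the March 2014 comment.

```powershell
# Added example (not from the original post): report the state of the
# automatic disallowed-certificate updater (KB 2677070) on this machine.
# Assumptions: the AutoUpdate value names below and their 8-byte FILETIME
# encoding. Run in an elevated PowerShell session.

function Get-DisallowedCtlStatus {
    $autoUpdate = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $disallowed = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'

    $result = [ordered]@{
        RootAutoUpdateDisabled = $false
        LastSyncTime           = $null   # assumed value name: LastSyncTime
        DisallowedLastSyncTime = $null   # assumed value name: DisallowedCertLastSyncTime
        DisallowedThumbprints  = @()
    }

    # Policy switch from the comments: DisableRootAutoUpdate = 1 turns off
    # automatic root download, so no CTL (trusted or disallowed) is fetched.
    $pol = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
        $result.RootAutoUpdateDisabled = $true
    }

    # Sync timestamps (assumed to be stored as 8-byte FILETIME blobs).
    $au = Get-ItemProperty -Path $autoUpdate -ErrorAction SilentlyContinue
    $pairs = @(
        @('LastSyncTime',               'LastSyncTime'),
        @('DisallowedCertLastSyncTime', 'DisallowedLastSyncTime')
    )
    foreach ($pair in $pairs) {
        $raw = $au.($pair[0])
        if ($raw -is [byte[]] -and $raw.Length -eq 8) {
            $ticks = [BitConverter]::ToInt64($raw, 0)
            $result[$pair[1]] = [DateTime]::FromFileTimeUtc($ticks)
        }
    }

    # Each subkey name under Disallowed\Certificates is the SHA-1 thumbprint
    # of an explicitly distrusted certificate. Entries delivered only via the
    # CTL may not appear here on Windows 7 and earlier, so treat the sync
    # timestamps as the stronger signal that the updater is running.
    if (Test-Path -Path $disallowed) {
        $result.DisallowedThumbprints = @((Get-ChildItem -Path $disallowed).PSChildName)
    }

    [pscustomobject]$result
}

function Test-DisallowedThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $status = Get-DisallowedCtlStatus
    # Registry subkey names are upper-case hex; normalise the input to match.
    return ($status.DisallowedThumbprints -contains $Thumbprint.ToUpperInvariant())
}

# Usage: overall status, then a check for the thumbprint quoted in the
# March 2014 comment on this post.
Get-DisallowedCtlStatus | Format-List
Test-DisallowedThumbprint -Thumbprint '5CE339465F41A1E423149F65544095404DE6EBE2'
```

If RootAutoUpdateDisabled is true, or the sync timestamps never change on a machine that cannot reach ctldl.windowsupdate.com (the proxy situation described in the July 2012 and June 2015 comments), the updater is installed but not delivering anything, which is the condition behind the SharePoint c2wts report further down.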

Comments

  • Anonymous
    January 01, 2003
    PSO: See technet.microsoft.com/.../cc751157.aspx - the update mechanism is similar to Root Certificate Update mechanism.

  • Anonymous
    January 01, 2003
    Michael Melling and MarkE: Yes, Microsoft employees did test that that updater works. You will not see new "untrusted" certificates when this update is working. What happens is the thumbprints of the untrusted certificates go into a list of untrusted certificates, a certificate trust list (CTL). With Windows 8 you would be able to actually see a CTL with a bunch of untrusted signatures inside the Untrusted Certificates node. I asked the PM in charge of this feature and he said the way to see this working on previous Windows OS versions is to enable CAPI2 logging. So, don't expect to see this displayed in the Untrusted Certificates store on versions prior to Windows 8.

  • Anonymous
    January 01, 2003
    Paul Lynch: The SharePoint issue was discussed today in a meeting I attended. This is a support issue and should be posted on the Security forum social.technet.microsoft.com/.../threads. It seems like you may have already contacted support. The issue is certainly being looked into, but the problem is not quite clear. If you actually solve the issue by rolling back the update, that would be interesting. If you start a thread on the security forum, please, let me know (post back here). I will alert some internal people and watch the thread for useful information to share here. However, I don't want to turn this blog into a support forum. So, I will be deleting this comment and your comment in the future and just providing a summary of the information or link to more.

  • Anonymous
    January 01, 2003
    How does this interact with the DisableRootAutoUpdate system policy? Will we still be able to get updates to untrusted certificate lists if we have disabled automatic root download?

  • Anonymous
    June 13, 2012
    The KB article is extremely difficult to view; IE timeouts and crashes take place when attempting to view this particular article.

  • Anonymous
    June 13, 2012
    Will a similar streamlined update procedure be made for Windows Mobile 6.5, WP7 and WP7.5? My carrier has still declined to release the Jan 2012 update 7.10.8107.79.

  • Anonymous
    June 20, 2012
    We are seeing an issue with Sharepoint 2010 servers which have had KB 2677070 applied and where the servers have no internet access. With the update applied the Claims To Windows Token service (c2wts) will not start. The only solution is either to roll back KB 2677070 or to allow the servers to connect to the URL's mentioned in the KB article.

  • Anonymous
    June 24, 2012
    Hi Kurt, Thanks for looking into these questions with the relevant teams. The information that you have provided is exactly what I was looking for. Thank you again for following up about this. For your information, I have located the answer to one of my questions at the following link: blogs.technet.com/.../june-2012-security-bulletin-q-a.aspx

    Q: KB2677070 doesn't support XP. Will KB931125 still be updated through the end of XP support?
    A: The Trusted Root Certificate updates (KB931125) will continue to be available to Windows XP through its normal product lifecycle.

    This answers my question about Windows XP, i.e. if it is still to receive certificate revocation updates manually. This will not affect me since 2 of my computers use Windows 7 Ultimate 64 bit SP1 and another uses Windows Vista Ultimate 64 bit SP2.

  • Anonymous
    July 04, 2012
    Hi Kurt, is there any more info on this KB2677070? My problem is: I work in the IT Department of a very large company and I would very much like to see this KB in action. So my first step was adding two proxy exceptions for:
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedstl.cab
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    I installed the KB2677070 on some testlab machines and before I start reverse engineering I want to find out how this works. Any info on this? Is it triggered through task scheduler, is there any conflict with us using SCCM 2007 and SCCM 2012 in a test environment? I searched through TechNet but all I got was of course this PKI blog (I like it!) and the KB article itself and the rest is the whole pile of problems this article is engaging on different platforms. Any help would be appreciated! Thanks and greetings from Germany PSO

  • Anonymous
    July 10, 2012
    Can this automatic updater of revoked certificates cause my clients to reboot after they're updated with untrusted certificates? Like KB2718704 you noted above did?

  • Anonymous
    July 16, 2012
    PSO: Have you succeeded in testing KB267070? I have been checking my "Untrusted Certificates" store over the last few days and have noticed no new certificates. I would very much like to understand how this process works.

  • Anonymous
    August 23, 2012
    Kurt: What does the client do once this updater is installed? I have it installed on 1,500 systems but the certificates recently untrusted from KB2728973 are not listed in the certificates mmc or the regkey SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates. How can I validate this is working properly? Mark

  • Anonymous
    March 03, 2014
    Hi Kurt,

    Sorry to rake up this old topic, but I was interested in knowing if there have been changes to the updater now?

    The reason I ask is because I have a few installations at my disposal - Windows 2012 Standard, Win 2k8 SP2 and Windows 7 SP1. I manually installed KB2916652 on Windows 2012 and let the auto updater run on all the other machines. Unlike what you say, I found the registry key being created in all of the occasions at HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5CE339465F41A1E423149F65544095404DE6EBE2

    So my question is - are the registry keys generated or not? I can see they are, but you say otherwise. If they are not, how do I check my other machines to see if they have this KB installed or not?

    I had originally written to MS support at http://social.technet.microsoft.com/Forums/windowsserver/en-US/7179c53d-c696-4a39-b355-24fa45a4d8d8/verify-kb2916652-on-windows-2012?forum=winserver8gen#7179c53d-c696-4a39-b355-24fa45a4d8d8. But I failed to receive a favourable reply. Hence my question.

    Thanks,
    - M.

  • Anonymous
    September 02, 2014
    Metahuman:

    Kurt passed away in 2013 ( http://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd27c30-2b87-4129-b8f4-99854b0a71fb/ad-cs-or-pki-content-comments-or-questions?forum=winserversecurity ), so don't expect a reply here.

  • Anonymous
    June 18, 2015
    Information for people who are lazy:

    http://www.itsupportforum.net/topic/ctldl-windowsupdate-com-proxy/

    Basically there was an update to the url list to download the Certificate Trust List, which tells your PC what certificates can be trusted.

  • Anonymous
    January 04, 2017
    Hi, Is there a 2677070 update available for Windows Embedded Standard 7?

  • Anonymous
    January 04, 2017
    Is this update available for Windows Embedded Standard 7?