1000003: Manually install the latest Microsoft root certs
Tagged: root cert update
- This topic has 15 replies, 9 voices, and was last updated 1 year, 11 months ago.
February 4, 2017 at 5:38 pm #89555
woody
Manager
AKB1000003: Manually install the latest Microsoft root certs
By VulturEMaN
Published 4 Feb 2017 rev 1.0
1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\
2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot
3. From an elevated prompt, run the following commands in this order:
cd C:\temp\extroot\
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst
-
July 8, 2017 at 8:22 pm #123906
satrow
AskWoody MVP
Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?
Try a middle-click or right-click > open in new tab… ?
EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).
-
November 17, 2017 at 9:19 am #146050
Rydan
AskWoody Lounger
As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
You could get the trusted and untrusted sst files and import those.
(there are different options)…
Below I assume you have a C:\Temp (or make a location of your choice)
Open a command Prompt; Run as Administrator
untrusted:
Run: certutil -syncwithwu c:\Temp
It should say something like: added xxx files, updated xxx files / certutil completed successfully
Check to see if disallowedcert.sst is created
trusted:
Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
It should say something like: updates sst file / certutil completed successfully
(try again on memory error = uncommon)
make 2 powershell scripts:
1. discert.ps1
# Note: despite the file name, this script imports the trusted roots (authroot.sst) into the AuthRoot store.
Add-Type -AssemblyName System.Security
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import("c:\temp\authroot.sst")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "AuthRoot", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.AddRange($certs)
$store.Close()
2. authcert.ps1
# Note: despite the file name, this script imports the untrusted certificates (disallowedcert.sst) into the Disallowed store.
Add-Type -AssemblyName System.Security
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import("c:\temp\disallowedcert.sst")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Disallowed", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.AddRange($certs)
$store.Close()
place those 2 scripts in C:\Temp
Open a powershell command prompt as administrator (or start powershell in same prompt)
Run: .\discert.ps1
Run: .\authcert.ps1
Check:
Open MMC.exe
Click ctrl+M
Add the Certificates mmc and select Computer account
Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
List:
https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx
Ref.
https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
https://technet.microsoft.com/library/dn265983.aspx
https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/
-
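A read-only check to run between generating the .sst files and importing them, added here as an example and not part of Rydan's post: it lists the certificates in each file that are not yet in the target machine store, so the trust change can be reviewed first. `Get-SstDelta` is a hypothetical helper name; the paths and store names are the ones used in the post.

```powershell
# Added example: preview what an .sst import would change, without modifying any store.
# Get-SstDelta is a hypothetical helper name; paths and store names come from the post above.
function Get-SstDelta {
    param(
        [Parameter(Mandatory)] [string] $SstPath,    # serialized store, e.g. c:\temp\authroot.sst
        [Parameter(Mandatory)] [string] $StoreName   # target store, e.g. AuthRoot or Disallowed
    )
    if (-not (Test-Path -LiteralPath $SstPath)) { throw "SST file not found: $SstPath" }

    # Load the certificates from the file only; nothing is installed here.
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $incoming.Import($SstPath)

    # Open the machine store read-only and collect the thumbprints already present.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        $StoreName, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $present = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($c in $store.Certificates) { [void]$present.Add($c.Thumbprint) }
    } finally {
        $store.Close()
    }

    # Emit one row per certificate that the import would add to the store.
    $now = Get-Date
    foreach ($c in $incoming) {
        if (-not $present.Contains($c.Thumbprint)) {
            [pscustomobject]@{
                Store      = $StoreName
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
                Expired    = ($c.NotAfter -lt $now)
                SigAlg     = $c.SignatureAlgorithm.FriendlyName
            }
        }
    }
}

# Review these rows before running the two import scripts.
Get-SstDelta -SstPath 'c:\temp\authroot.sst'       -StoreName 'AuthRoot'   | Format-Table -AutoSize
Get-SstDelta -SstPath 'c:\temp\disallowedcert.sst' -StoreName 'Disallowed' | Format-Table -AutoSize
```

An empty result for a store means the import would add nothing new to it.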
April 23, 2019 at 5:22 am #829250
owdrtn
AskWoody Lounger
As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
You could get the trusted and untrusted sst files and import those.
(there are different options)
Awesome find @Rydan.. works flawless, thanks !
Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.
Thumbs up !!
-
April 23, 2019 at 8:21 am #838468
owdrtn
AskWoody Lounger
@Rydan
However, I’m not sure I understand why not simply download the two cab files “authrootstl.cab” & “disallowedcertstl.cab” @
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab & http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Then just extract the two stl files from those and install both stl files using either:
the right-click context menu "Install CTL"
or certutil:
certutil -addstore -f root authroot.stl disallowedcert.stl
?
Also, how would one go about updating the “Trusted Publisher” & the “Intermediate CA” stores? Are those not relevant/applicable to update as well?
Copyright © 2004 – 2021 AskWoody Tech LLC. All rights reserved.