News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

  • 1000003: Manually install the latest Microsoft root certs

    Posted on woody Comment on the AskWoody Lounge

    Home Forums Knowledge Base 1000003: Manually install the latest Microsoft root certs

    Tagged: 

    This topic contains 15 replies, has 9 voices, and was last updated by

     EP 4 weeks ago.

    • Author
      Posts
    • February 4, 2017 at 5:38 pm #89555 Reply

      woody
      Da Boss

      AKB1000003: Manually install the latest Microsoft root certs

      By VulturEMaN

      Published 4 Feb 2017 rev 1.0

      1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\

       2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot

       3. from an elevated prompt run the following commands in this order:

       cd C:\temp\extroot\

       updroots.exe authroots.sst

       updroots.exe updroots.sst

       updroots.exe -l roots.sst

       updroots.exe -d delroots.sst

       

    • July 8, 2017 at 1:30 pm #123850 Reply

      anonymous

      The link in step 1 does not work. It comes back with a 404 File or directory not found error: “The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.” What is the correct links? Thanks.

      • July 8, 2017 at 3:47 pm #123868 Reply

        PKCano
        Da Boss

        I will post when I have an answer.

      • July 8, 2017 at 7:28 pm #123884 Reply

        PKCano
        Da Boss

        The link is now valid.

        1 user thanked author for this post.
        satrow
        • July 8, 2017 at 7:50 pm #123889 Reply

          anonymous

          Thank you very much!

        • July 8, 2017 at 7:52 pm #123892 Reply

          Kirsty
          Da Boss

          Sadly, the hyperlinking change didn’t affect the 404 page not found error when trying to access rootsupd.exe. Even checking on search engines didn’t find a link that is currently working.

          • July 8, 2017 at 7:55 pm #123894 Reply

            satrow
            AskWoody MVP

            It works fine for me, try refreshing the page with Ctrl held down and then try again?

            • July 8, 2017 at 7:58 pm #123897 Reply

              Kirsty
              Da Boss

              No, that isn’t helping either… is there any chance it could be geo-blocked or some other oddity?

            • July 8, 2017 at 8:22 pm #123906 Reply

              satrow
              AskWoody MVP

              Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?

              Try a middle-click or right-click > open in new tab… ?

              EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).

              • This reply was modified 1 year, 10 months ago by
                 satrow.
            • July 8, 2017 at 10:32 pm #123913 Reply

              Kirsty
              Da Boss

              Thanks, but giving it a bit of time let it “heal itself” without anything else needed – it’s working fine now. Just one of those things, I guess 😉

              1 user thanked author for this post.
              satrow
          • July 8, 2017 at 8:24 pm #123907 Reply

            PKCano
            Da Boss

            I’m using Firefox 54.0.1 with AdBloc Plus, Disconnect and NoScript on a Mac, and it works OK for me. Maybe clean the cache and try again?

            1 user thanked author for this post.
            satrow
    • November 17, 2017 at 9:19 am #146050 Reply

      Rydan
      AskWoody Lounger

      As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
      You could get the trusted and untrusted sst files and import those.
      (there are different options)

      Below I assume you have a C:\Temp (or make a location of your choice)

      Open a command Prompt; Run as Administrator
      untrusted:
      Run: certutil -syncwithwu  c:\Temp
      It should say something like: added xxx files, updated xxx files / certutil completed successfully
      Check to see if disallowedcert.sst is created
      trusted:
      Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
      It should say something like: updates sst file / certutil completed successfully
      (try again on memory error = uncommon)

      make 2 powershell scripts:
      1. discert.ps1
      [reflection.assembly]::LoadWithPartialName(“System.Security”)
      $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
      $certs.import(“c:\temp\authroot.sst”)
      $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “AuthRoot”, LocalMachine
      $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
      $store.AddRange($certs)
      2. authcert.ps1
      [reflection.assembly]::LoadWithPartialName(“System.Security”)
      $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
      $certs.import(“c:\temp\disallowedcert.sst”)
      $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “Disallowed”, LocalMachine
      $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
      $store.AddRange($certs)

      place those 2 scripts in C:\Temp
      Open a powershell command prompt as administrator (or start powershell in same prompt)
      Run: .\discert.ps1
      Run: .\authcert.ps1

      Check:
      Open MMC.exe
      Click ctrl+M
      Add the Certificates mmc and select Computer account
      Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
      List:
      https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

      Ref.
      https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
      https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
      https://technet.microsoft.com/library/dn265983.aspx
      https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/

      1 user thanked author for this post.
      owdrtn
    • April 23, 2019 at 5:22 am #829250 Reply

      owdrtn
      AskWoody Lounger
      Rydan wrote:

      As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
      You could get the trusted and untrusted sst files and import those.
      (there are different options)

      Awesome find @rydan.. works flawless, thanks !
      Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.

      Thumbs up !!

      • This reply was modified 4 weeks, 1 day ago by
         owdrtn.
    • April 23, 2019 at 8:32 am #839039 Reply

      access-mdb
      AskWoody MVP

      As this thread was started in July 2017, how relevant is it now?

      • April 23, 2019 at 11:54 am #847155 Reply

        EP
        AskWoody_MVP

        only owdrtn may answer that question

        the rootsupd.exe link from MS is now dead – always produce a 404 error message; I’ll get an archived version of the link from archive.org/web

    • Author
      Posts

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: 1000003: Manually install the latest Microsoft root certs

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.

Recent Replies

May 2019
M T W T F S S
« Apr    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Forums

Topics

AskWoody blog
7089
AskWoody Central
166
Suggestions about improvi
116
Tips for using the Lounge
33
Getting started
9
Outside the box
2916
Rants
74
Fun Stuff
2792
Learn to code
7
Travel
4
Rumors and what-ifs
28
The Junk Drawer
6
AskWoody support
143353
Windows
32270
Windows 10
3390
Questions: Win10
2961
Windows 10 beta builds
57
Windows 10 cumulative upd
12
Windows 10 version 1511 -
2
Windows 10 version 1703 -
33
Windows 10 version 1709 -
46
Windows 10 version 1607 -
5
Windows 10 version 1803 -
80
Windows 10 version 1809 -
84
Windows 8.1
2340
Questions: Win 8.1 (and W
2312
Windows 8.1 (and Win 8) p
18
Windows 7
7294
Questions: Windows 7
7082
Windows 7 patches
146
Win7 beyond End-of-life
4
Windows Vista, XP and ear
15338
Questions: Vista, XP back
15328
Questions: Windows Mobile
275
Microsoft Office by versi
148
Questions: Microsoft Offi
32
Office 365 and Click-to-R
46
Office 2010 and earlier f
20
Office 2016 for PC
13
Office 2013 for PC
8
Office 2019 for PC
3
PC hardware
4722
Questions: Microsoft Surf
9
Questions: What hardware
12
Questions: How to trouble
4178
Questions - Maintenance a
487
Connected home / Internet
38
Questions: Amazon Echo/Al
4
Questions: Google Home
2
Questions: Microsoft Inte
2
Questions: Other home/IoT
16
Other platforms - for Win
725
Linux for Windows wonks
108
macOS for Windows wonks
59
iOS for Windows wonks
14
Android for Windows wonks
15
Chromebooks and ChromeOS
18
Questions: Browsers and d
10683
Updates for browsers, app
40
Internet Explorer and Edg
3668
Other browsers
2056
Other desktop and Microso
4823
Productivity software by
94766
MS Word and word processi
17748
MS Excel and spreadsheet
22503
MS Access and database he
26151
MS PowerPoint and present
1827
MS Outlook and email prog
14511
Graphics and Multimedia p
603
Visual Basic for Applicat
6877
Other MS apps
1491
Knowledge Base
37
Tools
101
Code Red - Security/Privacy ad
3543
Developers, developers, develo
2896
Other MS software - .NET,
18
DevOps Lounge
648
Web design and developmen
2227
Admin IT Lounge
1384
WSUS, SCCM, Exchange and
33
Managing updates in organ
3
Application servers - Exc
633
Tech Accessibility
17
Testing Forum
3
Networking - routers, firewall
2035
Social media - Tools, Configur
3
Powered by WordPress
Theme designed by My Mobiles, modifications by PapayaSoft