Monroe, posted January 8, 2024

Still mostly a Windows XP user but in September 2023 I decided to get a used ThinkPad Windows 7 notebook. I had mentioned this in another Windows 7 topic after starting to have banking and a few other website problems. After over three months I think I now have a good understanding and feel for Windows 7. I finally got my good 'factory' or 'restore' DVD made with my settings and everything to my liking the first week of December. So I'm good to go if I should mess a few things up and need a repair job.

I have this one question about Windows 7 Root Certificates and Revoked Certificates since the official MS updates stopped in Jan 2020. With Windows XP we are lucky to have the Certs updater provided for many years now by heinoganda. So what about Windows 7 now in 2023/2024? I did some searching around over the last two months but really found nothing about updating Windows 7 certs. I would think this would be like Windows XP ... they would need updating also in Windows 7? ... right?

thanks ...

mina7601, posted January 9, 2024

Well, at the moment, browsing with Chrome still works and doesn't throw any certificate errors, but yes, I see no reason to not update root and revoked certificates.

D.Draker, posted January 9, 2024

9 hours ago, Monroe said:
> what about Windows 7

It's supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.

"An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

D.Draker, posted January 9, 2024

And this is for the trusted certs.

"Automatic certificate trust list update"
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-trust

Monroe, posted January 9, 2024

10 hours ago, D.Draker said:
> It's supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.
>
> "An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
> https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

D.Draker ... thanks a lot for this information. I guess I am a little confused about MS not supplying any more Windows 7 updates/support after Jan 2020 and Jan 2023 but they are still helping out with trusted and untrusted certificates. Since late October I have been checking for any Windows 7 updates and it always says "There are no updates available." or "Windows 7 is up to date". I'm on my Win XP computer now but will check out the links you supplied later today. Again thanks for the reply and help.

...

Nomen, posted January 20, 2024

My understanding of this certificate mechanism is fuzzy. Does a browser (any browser?) running under Win-7 (or any Win version) query a Microsoft certificate database each/every time the browser is pointed to a site to get an answer back if the site/domain is trusted? Or, is this a static update of some sort? Something that gets downloaded only once and does not mean your computer/browser is always in contact with MS with regard to these certs?

superleiw, posted April 24, 2024

On Windows Vista and higher there should be no need to manually update those certificates anymore. Like Draker said, the behaviour on these OS since Vista is the same: Windows checks for Trusted CTL once a week and the Untrusted CTL every day through Windows Update using the automatic daily update mechanism (CTL updater)!

Disabling WU may prevent those certificates from being updated (I haven't tested it myself so can't confirm).

To modify this behaviour (at your own risk) it's possible to change the following registry keys:

Enable or disable the Windows AutoUpdate of the trusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"DisableRootAutoUpdate"=dword:00000000

0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.

Enable or disable the Windows AutoUpdate of the untrusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"EnableDisallowedCertAutoUpdate"=dword:00000001

1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.
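
A read-only check of the two policy values described in the post above, as an added example that is not part of the original post or of any tool mentioned in this thread. The function name `Get-CtlAutoUpdateState` is hypothetical, and the "value absent means enabled" default is taken from the post; the script avoids PowerShell 3+ syntax so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: report the effective CTL auto-update policy from the two
# registry values quoted in the post above. Read-only; it changes nothing.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

# Each entry: value name, the data that means "enabled", and the CTL it governs.
# The two values have opposite polarity: Disable...=0 is on, Enable...=1 is on.
$Settings = @(
    @{ Name = 'DisableRootAutoUpdate';          EnabledWhen = 0; Ctl = 'Trusted CTL'   },
    @{ Name = 'EnableDisallowedCertAutoUpdate'; EnabledWhen = 1; Ctl = 'Untrusted CTL' }
)

function Get-CtlAutoUpdateState {
    param([string]$Path = $PolicyKey)

    # A missing key is the normal case: per the post, the default is enabled.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($s in $Settings) {
        $raw = $null
        if ($props) {
            # Indexer lookup works on PowerShell 2.0 (no member enumeration needed).
            $p = $props.PSObject.Properties[$s.Name]
            if ($p) { $raw = $p.Value }
        }

        if ($null -eq $raw) {
            $state = 'Enabled (default, value not set)'
        } elseif ([int]$raw -eq $s.EnabledWhen) {
            $state = 'Enabled (set explicitly by policy)'
        } else {
            $state = 'DISABLED by policy'
        }

        New-Object PSObject -Property @{
            Ctl = $s.Ctl; Value = $s.Name; Data = $raw; State = $state
        }
    }
}

Get-CtlAutoUpdateState | Select-Object Ctl, Value, Data, State | Format-Table -AutoSize
```

A `DISABLED by policy` row means the machine's trusted or untrusted list is frozen at whatever it last downloaded, so newly distrusted certificates will not be picked up automatically.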

NotHereToPlayGames, posted April 24, 2024

4 minutes ago, superleiw said:
> Disabling WU may prevent those certificates from being updated (I haven't tested it myself so can't confirm)
>
> Enable or disable the Windows AutoUpdate of the trusted CTL:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
> "DisableRootAutoUpdate"=dword:00000000
>
> 0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.
>
> Enable or disable the Windows AutoUpdate of the untrusted CTL:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
> "EnableDisallowedCertAutoUpdate"=dword:00000001
>
> 1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.

Thanks. I personally disable WU and will also now be disabling these CTL updates. "My computer, my preference."

lll888, posted July 5, 2024

There are forums where people are working on utilities that update certificates for Win 7 or XP, just search for them.

superleiw, posted July 17, 2024

Indeed, if you want to manually update those certificates on W7 or higher it's possible to use alternative tools.

The rootsupd.exe (and the updroots.exe inside of it) are outdated and should not be used (except for XP & Vista). In fact, they break the "Microsoft Root Certificate Authority" root certificate on modern systems (at least Windows 10 1803+).

An alternative to use on W7 and higher would be Root Certificate Updater, available here (GUI or PowerShell script):

https://github.com/asheroto/Root-Certificate-Updater
https://www.powershellgallery.com/packages/UpdateRootCertificates/2.0.0

This tool was originally developed to manually update the root certificates on Windows 10, Server 2012/2016/2019. It seems to also work on W7/8/8.1 if WMF 5.1 is installed.

lll888, posted July 18, 2024

But that's not all you found. Removed the standard task scheduler, installed Atomic Alarm Clock for myself and added a batch file to it so that it would update certificates on a schedule.

Edited July 18, 2024 by lll888