12 Replies Latest reply on Mar 29, 2018 2:25 PM by jaysmith

    Microsoft Root Certificate Updates

    RobLent Specialist

      We use LDMS for our patching which means that our workstations and servers do not have direct access to the Internet.

       

      Web browsing is handled via a proxy also.

       

      Patching is working fine and is great but we have now noticed that the Trusted Root Certificate store is not updated on our workstations and servers as they do not have the necessary access to the internet to download these.

       

      When we were using WSUS this was done automatically so is LDMS patching able to download the trusted Root Certificate updates and push them out also?

        • 1. Re: Microsoft Root Certificate Updates
          jaysmith SupportEmployee

          Could you provide some more detail about what certificates should be downloaded and updated?  LDMS certificates are managed by the software itself and don't require access to the internet.  I suspect you are talking about different certificates however. 

          • 2. Re: Microsoft Root Certificate Updates
            RobLent Specialist

            Yes.  This is the Trusted Root Certificates held in all Windows operating systems and indeed others.

This is updated via Windows Update normally and also the certificate revocation list.  This was handled by WSUS previously as we do not allow our PCs to have direct access to the Microsoft Update servers.

            As we now use LANDesk for patching these certificate stores are not getting updated and with the recent issues around certain certificates having been compromised we are having to manually update the Trusted Root Store and the revocation list.

            Hope that helps explain a little more.

            • 3. Re: Microsoft Root Certificate Updates
              jaysmith SupportEmployee

              Hey Rob,

               

              Thanks for the clarification.  LANDesk doesn't have a native function to update the CTL.  Generally, we would assume access to Windows Update servers is allowed, thus allowing CTLs to update, even though LANDesk is controlling the service itself. 

               

I do think it makes sense to investigate adding this ability natively.  I will discuss this with our patching team to see what options we have.  If we can't add it as patch content, then we can look at coding a fix.  I suggest submitting this as an enhancement request here:

               

               

              Enhancement Requests

               

              In the meantime, you can trigger CTL updates using certutil.  This could be scripted and turned into a distribution package, or into a custom patch definition so that it's updated during patching. 

               

              I'll let you know what I find out after speaking with our patch content folks. 

              1 of 1 people found this helpful
              • 4. Re: Microsoft Root Certificate Updates
                RobLent Specialist

                Thanks for the reply Jay.

                 

                I will certainly enter an enhancement request as you suggest.

                 

I am aware of the certutil method and indeed am using this currently but as you can imagine when there are over 1000 devices to update it is time consuming.

                 

                It would be great if LDMS could handle this as part of the patching process.  Our organisation is a financial one and we restrict access to as much as we can to ensure security of our systems.

                 

                Thanks again for the reply.

                • 5. Re: Microsoft Root Certificate Updates
                  phoffmann SupportEmployee

                  We used to be able to - Microsoft used to release trusted root certs as part of their regular patch content (5-10 years ago - XP era for sure).

                   

                  They've changed their process a bunch of years ago though - so it's not something that can be done in that way, sadly.

                  • 6. Re: Microsoft Root Certificate Updates
                    jaysmith SupportEmployee

                    I'm having conversations with our patch team over this issue.  Based on the info in this KB:

                     

                    https://support.microsoft.com/en-us/kb/2813430

                     

                     

I think we can create a definition to detect if the registry keys are set, and even to set the keys if needed.  We may also be able to use a definition to download the CTLs and Cert updates.  I will update when I know more, but based on my initial research it should be possible.
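As an added example (not code from this thread, from Ivanti or from Microsoft), here is what the detection-plus-remediation logic of such a custom definition could look like, built around the KB2813430 redirect: the client is pointed at an internal copy of the CTL files instead of Windows Update. The URL, server name and the staging step (`certutil -syncWithWU` on a connected host) are assumptions; the registry value names follow the KB as I recall it and should be confirmed against it for your OS version before deployment.

```powershell
# Added example; not code from the thread, from Ivanti or from Microsoft.
# Detection/remediation for a custom patch definition implementing the
# KB2813430 redirect. Hypothetical values:
#   $ExpectedUrl - internal web server holding the output of
#                  "certutil -syncWithWU <dir>" run on a machine with Internet access.
# Registry value names are as described in KB2813430; confirm before deploying.

$AutoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ExpectedUrl   = 'http://pki.corp.example/ctl'   # hypothetical

function Get-CtlRedirectState {
    # Report the current configuration so the detection rule can say *why*
    # a machine is non-compliant, not just that it is.
    $url = (Get-ItemProperty -Path $AutoUpdateKey -Name RootDirUrl `
                -ErrorAction SilentlyContinue).RootDirUrl
    $disabled = (Get-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate `
                -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        RootDirUrl        = $url
        AutoUpdateBlocked = ($disabled -eq 1)
        Compliant         = ($url -eq $ExpectedUrl) -and ($disabled -ne 1)
    }
}

function Set-CtlRedirect {
    # Remediation: point auto-update at the internal copy and make sure the
    # "Turn off Automatic Root Certificates Update" policy is not defeating it.
    if (-not (Test-Path $AutoUpdateKey)) { New-Item -Path $AutoUpdateKey -Force | Out-Null }
    New-ItemProperty -Path $AutoUpdateKey -Name RootDirUrl -Value $ExpectedUrl `
        -PropertyType String -Force | Out-Null
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate `
            -ErrorAction SilentlyContinue
    }
}

# Detection rule: exit 0 = compliant, exit 1 = remediation attempted but failed.
$state = Get-CtlRedirectState
if ($state.Compliant) {
    Write-Output "CTL redirect already set to $($state.RootDirUrl)"
    exit 0
}

Write-Output ("Non-compliant: RootDirUrl='{0}' AutoUpdateBlocked={1}" -f `
    $state.RootDirUrl, $state.AutoUpdateBlocked)
Set-CtlRedirect
$state = Get-CtlRedirectState
if (-not $state.Compliant) { exit 1 }
exit 0
```

Two practical points: the script must run as SYSTEM (or an administrator) to write under HKLM, and the redirect only changes *where* Windows fetches the CTL from; the fetch itself still happens when the OS builds a chain to a root it does not yet trust, so staging the files with `certutil -syncWithWU` on a schedule is what keeps the clients current.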

                    • 7. Re: Microsoft Root Certificate Updates
                      RobLent Specialist

                      I have seen that article.

                       

                      That would be excellent if this could be done.  I have tried some of the MS solutions for disconnected networks without much success at the moment.

                       

                      If this could be done as a definition it would be great.  Thanks for looking into this.

                      • 8. Re: Microsoft Root Certificate Updates
                        phoffmann SupportEmployee

Interesting find. *IF* Microsoft do the CTLs as "patches" again, then - yeah - we definitely can host it again as such.

                         

                        However, I'm a bit suspicious. Reasons follow...

                         

1. The "root" page in question ( TechNet Configure Trusted Roots and Disallowed Certificates  ) was last updated in 2013. Not a good sign.
2. I've recently (well - last year) run into a root certificate issue that ended up with the following community doc - Possible console "freeze" / slowdown related to root certificates - the fact that ".NET itself" wants to go out & talk to Microsoft.com directly for updated root certs makes me question that Microsoft has in fact decided to return to distributing CTLs via "regular patches".

                         

                        ... it'd be nice if they did ... but for whatever their reasoning, I suspect that they're still in "nah - we'll update directly, thanks"-mode. Awkward as that can be for some of us ...

                        • 9. Re: Microsoft Root Certificate Updates
                          jaysmith SupportEmployee

                          Most definitely our content teams will have to rely on Microsoft releasing accurate and timely data.  If Microsoft doesn't make it available LANDesk won't be able to provide it.  I have received word that our content team is going to release definitions based on what is currently available.  Once that comes out we will have to see how well it works. 

                          • 10. Re: Microsoft Root Certificate Updates
                            RobLent Specialist

                            Thanks for the update.

                             

Let's hope MS do their job then.

                            • 11. Re: Microsoft Root Certificate Updates
                              ThomasCollignon Apprentice

                              Hi,

Do you have an update on this?

                              This article can help your Content Teams...: http://woshub.com/updating-trusted-root-certificates-in-windows-10/

                               

                              Regards,

                              Thomas.

                              • 12. Re: Microsoft Root Certificate Updates
                                jaysmith SupportEmployee

                                Hi Thomas,

                                 

Because Microsoft is not releasing root cert updates as vulnerability or patch content, we can't publish the updates as content either.  However, the process outlined in your document could be scripted and deployed without too much trouble as a distribution package or custom patch definition.  The tricky part would be manually downloading the new cert .sst file periodically, and determining what certs contained within actually need to be updated on all your devices.  If it's possible to just push out all the certs and let the certmgr decide what needs updating, that would be easy.  But I'm concerned about the possibility of duplicate certs appearing.

                                 

                                What it comes down to is this - If you can determine a working process (using that doc or whatever else works) that lets you download current certs and revocation lists, as well as deploy these lists using a utility, then we can build that process into Ivanti.  We can absolutely help you build the process into Ivanti and deploy it once you determine the process that works.  We can't unfortunately develop the process for you, unless you'd be interested in engaging Professional Services. 

                                1 of 1 people found this helpful
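The push approach sketched in reply 3 (certutil scripted into a distribution package) and reply 12 (export an .sst on a connected machine, deploy it, worry about duplicates) can be made concrete in one script. The following is an added example, not code from the thread, from Ivanti or from the linked woshub article; the share path, package location and function names are hypothetical. It exports the current Windows Update root set on a connected host, and on each client imports only the roots the machine does not already hold, which also answers the duplicate question: Windows certificate stores are keyed by thumbprint, so adding a certificate that is already present is a no-op, and diffing thumbprints first lets the package log exactly what changed.

```powershell
# Added example; not code from the thread, from Ivanti, or from the woshub article.
# Two halves of the push approach:
#   1. Export-CurrentRoots  - run on a machine that can reach Windows Update;
#                             produces roots.sst to stage on the LDMS package share.
#   2. Import-MissingRoots  - run on each client by the distribution package;
#                             imports only roots the client does not already hold.
# Paths and share names are hypothetical.

function Export-CurrentRoots {
    param([Parameter(Mandatory)][string]$OutFile)
    # certutil -generateSSTFromWU (Windows 8 / Server 2012 and later) writes the
    # current Windows Update trusted-root set as a serialized store (.sst).
    & certutil.exe -generateSSTFromWU $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed ($LASTEXITCODE)" }
    Get-Item -Path $OutFile
}

function Get-SstCertificates {
    param([Parameter(Mandatory)][string]$SstPath)
    # X509Certificate2Collection.Import understands the SST (serialized store)
    # format, so the file can be inspected without touching any machine store.
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($SstPath)
    return $col
}

function Import-MissingRoots {
    param(
        [Parameter(Mandatory)][string]$SstPath,
        [string]$StoreName = 'Root',
        [switch]$WhatIf
    )
    # Store entries are keyed by thumbprint: a cert already present is not added
    # twice, so duplicates cannot appear. Diffing first gives an exact change log.
    $installed = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
                 Select-Object -ExpandProperty Thumbprint
    $missing = Get-SstCertificates -SstPath $SstPath |
               Where-Object { $installed -notcontains $_.Thumbprint }

    if (-not $WhatIf -and $missing) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
        $store.Open('ReadWrite')
        try     { foreach ($cert in $missing) { $store.Add($cert) } }
        finally { $store.Close() }
    }

    # Return what was (or, with -WhatIf, would be) added so the caller can log it.
    $missing | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

# --- usage (hypothetical paths) ---------------------------------------------
# On the connected staging host:
#   Export-CurrentRoots -OutFile '\\ldms01\packages\ctl\roots.sst'
# In the distribution package on each client, running as SYSTEM:
#   Import-MissingRoots -SstPath "$PSScriptRoot\roots.sst" |
#       Format-Table Subject, Thumbprint, NotAfter
```

Two caveats worth stating in the package notes. The .sst produced by `-generateSSTFromWU` carries trusted roots only; the disallowed CTL (the "revocation" half of what WSUS used to deliver) is a separate artifact and is better handled by the KB2813430 redirect than by pushing files. And pushing the full Microsoft root set adds trust anchors wholesale; a financial environment that restricts access as much as it can may prefer to review the `-WhatIf` output and prune the .sst before it goes into the package.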